author | Kim Alvefur <zash@zash.se> |
Thu, 17 Mar 2016 14:33:14 +0100 | |
changeset 2122 | 643b254e75de |
parent 2121 | 5aa3b93cd37a |
child 2128 | 89363766202c |
permissions | -rw-r--r-- |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 |
local resolve_relative_path = require "core.configmanager".resolve_relative_path; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 |
local logger = require "util.logger".init; |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
4 |
local it = require "util.iterators"; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
6 |
local definitions = module:shared("definitions"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
7 |
local active_definitions = {}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
|
2117
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
9 |
local default_chains = { |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 |
preroute = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 |
type = "event"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 |
priority = 0.1; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 |
"pre-message/bare", "pre-message/full", "pre-message/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 |
"pre-presence/bare", "pre-presence/full", "pre-presence/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 |
"pre-iq/bare", "pre-iq/full", "pre-iq/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 |
deliver = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 |
type = "event"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 |
priority = 0.1; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 |
"message/bare", "message/full", "message/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 |
"presence/bare", "presence/full", "presence/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 |
"iq/bare", "iq/full", "iq/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 |
deliver_remote = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 |
type = "event"; "route/remote"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 |
priority = 0.1; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 |
|
2117
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
30 |
local extra_chains = module:get_option("firewall_extra_chains", {}); |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
31 |
|
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
32 |
local chains = {}; |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
33 |
for k,v in pairs(default_chains) do |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
34 |
chains[k] = v; |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
35 |
end |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
36 |
for k,v in pairs(extra_chains) do |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
37 |
chains[k] = v; |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
38 |
end |
d75145297bf9
mod_firewall: Support for defining extra chains in the config file
Matthew Wild <mwild1@gmail.com>
parents:
2105
diff
changeset
|
39 |
|
2103
a8c701631d0b
mod_firewall: Make idsafe() a global function so libraries can re-use it
Matthew Wild <mwild1@gmail.com>
parents:
2084
diff
changeset
|
40 |
function idsafe(name) |
a8c701631d0b
mod_firewall: Make idsafe() a global function so libraries can re-use it
Matthew Wild <mwild1@gmail.com>
parents:
2084
diff
changeset
|
41 |
return name:match("^%a[%w_]*$") |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
42 |
end |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
43 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 |
-- Dependency locations: |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 |
-- <type lib> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 |
-- <type global> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 |
-- function handler() |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 |
-- <local deps> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 |
-- if <conditions> then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 |
-- <actions> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 |
-- end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 |
-- end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 |
local available_deps = { |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
55 |
st = { global_code = [[local st = require "util.stanza";]]}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 |
jid_split = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 |
global_code = [[local jid_split = require "util.jid".split;]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 |
jid_bare = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 |
global_code = [[local jid_bare = require "util.jid".bare;]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 |
to = { local_code = [[local to = stanza.attr.to;]] }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 |
from = { local_code = [[local from = stanza.attr.from;]] }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 |
type = { local_code = [[local type = stanza.attr.type;]] }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 |
name = { local_code = [[local name = stanza.name]] }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 |
split_to = { -- The stanza's split to address |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 |
depends = { "jid_split", "to" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 |
local_code = [[local to_node, to_host, to_resource = jid_split(to);]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
69 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 |
split_from = { -- The stanza's split from address |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 |
depends = { "jid_split", "from" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
72 |
local_code = [[local from_node, from_host, from_resource = jid_split(from);]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
73 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
74 |
bare_to = { depends = { "jid_bare", "to" }, local_code = "local bare_to = jid_bare(to)"}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
75 |
bare_from = { depends = { "jid_bare", "from" }, local_code = "local bare_from = jid_bare(from)"}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
76 |
group_contains = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
77 |
global_code = [[local group_contains = module:depends("groups").group_contains]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
78 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
79 |
is_admin = { global_code = [[local is_admin = require "core.usermanager".is_admin]]}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
80 |
core_post_stanza = { global_code = [[local core_post_stanza = prosody.core_post_stanza]] }; |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
81 |
zone = { global_code = function (zone) |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
82 |
assert(idsafe(zone), "Invalid zone name: "..zone); |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
83 |
return ("local zone_%s = zones[%q] or {};"):format(zone, zone); |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
84 |
end }; |
966
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
85 |
date_time = { global_code = [[local os_date = os.date]]; local_code = [[local current_date_time = os_date("*t");]] }; |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
86 |
time = { local_code = function (what) |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
87 |
local defs = {}; |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
88 |
for field in what:gmatch("%a+") do |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
89 |
table.insert(defs, ("local current_%s = current_date_time.%s;"):format(field, field)); |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
90 |
end |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
91 |
return table.concat(defs, " "); |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
92 |
end, depends = { "date_time" }; }; |
2104
cbd0095e9302
mod_firewall: Add 'timestamp' dep to get current_timestamp
Matthew Wild <mwild1@gmail.com>
parents:
2103
diff
changeset
|
93 |
timestamp = { global_code = [[local get_time = require "socket".gettime]]; local_code = [[local current_timestamp = get_time()]]; }; |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
94 |
throttle = { |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
95 |
global_code = function (throttle) |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
96 |
assert(idsafe(throttle), "Invalid rate limit name: "..throttle); |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
97 |
assert(active_definitions.RATE[throttle], "Unknown rate limit: "..throttle); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
98 |
return ("local throttle_%s = rates.%s;"):format(throttle, throttle); |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
99 |
end; |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
100 |
}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
101 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
102 |
|
2081
368b091e723b
mod_firewall: Rename argument to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2080
diff
changeset
|
103 |
local function include_dep(dependency, code) |
368b091e723b
mod_firewall: Rename argument to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2080
diff
changeset
|
104 |
local dep, dep_param = dependency:match("^([^:]+):?(.*)$"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
105 |
local dep_info = available_deps[dep]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
106 |
if not dep_info then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
107 |
module:log("error", "Dependency not found: %s", dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
108 |
return; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
109 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
110 |
if code.included_deps[dep] then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
111 |
if code.included_deps[dep] ~= true then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
112 |
module:log("error", "Circular dependency on %s", dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
113 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
114 |
return; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
115 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
116 |
code.included_deps[dep] = false; -- Pending flag (used to detect circular references) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
117 |
for _, dep_dep in ipairs(dep_info.depends or {}) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
118 |
include_dep(dep_dep, code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
119 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
120 |
if dep_info.global_code then |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
121 |
if dep_param ~= "" then |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
122 |
table.insert(code.global_header, dep_info.global_code(dep_param)); |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
123 |
else |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
124 |
table.insert(code.global_header, dep_info.global_code); |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
125 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
126 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
127 |
if dep_info.local_code then |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
128 |
if dep_param ~= "" then |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
129 |
table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..dep_info.local_code(dep_param).."\n"); |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
130 |
else |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
131 |
table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..dep_info.local_code.."\n"); |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
132 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
133 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
134 |
code.included_deps[dep] = true; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
135 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
136 |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
137 |
local definition_handlers = module:require("definitions"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
138 |
local condition_handlers = module:require("conditions"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
139 |
local action_handlers = module:require("actions"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
140 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
141 |
local function new_rule(ruleset, chain) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
142 |
assert(chain, "no chain specified"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
143 |
local rule = { conditions = {}, actions = {}, deps = {} }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
144 |
table.insert(ruleset[chain], rule); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
145 |
return rule; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
146 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
147 |
|
2082
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
148 |
local function parse_firewall_rules(filename) |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
149 |
local line_no = 0; |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
150 |
|
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
151 |
local function errmsg(err) |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
152 |
return "Error compiling "..filename.." on line "..line_no..": "..err; |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
153 |
end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
154 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
155 |
local ruleset = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
156 |
deliver = {}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
157 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
158 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
159 |
local chain = "deliver"; -- Default chain |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
160 |
local rule; |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
161 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
162 |
local file, err = io.open(filename); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
163 |
if not file then return nil, err; end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
164 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
165 |
local state; -- nil -> "rules" -> "actions" -> nil -> ... |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
166 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
167 |
local line_hold; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
168 |
for line in file:lines() do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
169 |
line = line:match("^%s*(.-)%s*$"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
170 |
if line_hold and line:sub(-1,-1) ~= "\\" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
171 |
line = line_hold..line; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
172 |
line_hold = nil; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
173 |
elseif line:sub(-1,-1) == "\\" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
174 |
line_hold = (line_hold or "")..line:sub(1,-2); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
175 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
176 |
line_no = line_no + 1; |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
177 |
|
2084
a435db77a5e5
mod_firewall: Silence warning about empty if branch [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2082
diff
changeset
|
178 |
if line_hold or line:find("^[#;]") then -- luacheck: ignore 542 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
179 |
-- No action; comment or partial line |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
180 |
elseif line == "" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
181 |
if state == "rules" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
182 |
return nil, ("Expected an action on line %d for preceding criteria") |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
183 |
:format(line_no); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
184 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
185 |
state = nil; |
2074
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
186 |
elseif not(state) and line:sub(1, 2) == "::" then |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
187 |
chain = line:gsub("^::%s*", ""); |
980 | 188 |
local chain_info = chains[chain]; |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
189 |
if not chain_info then |
980 | 190 |
return nil, errmsg("Unknown chain: "..chain); |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
191 |
elseif chain_info.type ~= "event" then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
192 |
return nil, errmsg("Only event chains supported at the moment"); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
193 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
194 |
ruleset[chain] = ruleset[chain] or {}; |
2074
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
195 |
elseif not(state) and line:sub(1,1) == "%" then -- Definition (zone, limit, etc.) |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
196 |
local what, name = line:match("^%%%s*(%w+) +([^ :]+)"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
197 |
if not definition_handlers[what] then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
198 |
return nil, errmsg("Definition of unknown object: "..what); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
199 |
elseif not name or not idsafe(name) then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
200 |
return nil, errmsg("Invalid "..what.." name"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
201 |
end |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
202 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
203 |
local val = line:match(": ?(.*)$"); |
2074
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
204 |
if not val and line:find(":<") then -- Read from file |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
205 |
local fn = line:match(":< ?(.-)%s*$"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
206 |
if not fn then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
207 |
return nil, errmsg("Unable to parse filename"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
208 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
209 |
local f, err = io.open(fn); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
210 |
if not f then return nil, errmsg(err); end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
211 |
val = f:read("*a"):gsub("\r?\n", " "):gsub("%s+5", ""); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
212 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
213 |
if not val then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
214 |
return nil, errmsg("No value given for definition"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
215 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
216 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
217 |
local ok, ret = pcall(definition_handlers[what], name, val); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
218 |
if not ok then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
219 |
return nil, errmsg(ret); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
220 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
221 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
222 |
if not active_definitions[what] then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
223 |
active_definitions[what] = {}; |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
224 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
225 |
active_definitions[what][name] = ret; |
2074
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
226 |
elseif line:find("^[^%s:]+[%.=]") then |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
227 |
-- Action |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
228 |
if state == nil then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
229 |
-- This is a standalone action with no conditions |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
230 |
rule = new_rule(ruleset, chain); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
231 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
232 |
state = "actions"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
233 |
-- Action handlers? |
2105
41a0a9db89ef
mod_firewall: Allow actions to have underscores in their names
Matthew Wild <mwild1@gmail.com>
parents:
2104
diff
changeset
|
234 |
local action = line:match("^[%w_]+"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
235 |
if not action_handlers[action] then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
236 |
return nil, ("Unknown action on line %d: %s"):format(line_no, action or "<unknown>"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
237 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
238 |
table.insert(rule.actions, "-- "..line) |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
239 |
local ok, action_string, action_deps = pcall(action_handlers[action], line:match("=(.+)$")); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
240 |
if not ok then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
241 |
return nil, errmsg(action_string); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
242 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
243 |
table.insert(rule.actions, action_string); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
244 |
for _, dep in ipairs(action_deps or {}) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
245 |
table.insert(rule.deps, dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
246 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
247 |
elseif state == "actions" then -- state is actions but action pattern did not match |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
248 |
state = nil; -- Awaiting next rule, etc. |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
249 |
table.insert(ruleset[chain], rule); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
250 |
rule = nil; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
251 |
else |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
252 |
if not state then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
253 |
state = "rules"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
254 |
rule = new_rule(ruleset, chain); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
255 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
256 |
-- Check standard modifiers for the condition (e.g. NOT) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
257 |
local negated; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
258 |
local condition = line:match("^[^:=%.]*"); |
2074
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
259 |
if condition:find("%f[%w]NOT%f[^%w]") then |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
260 |
local s, e = condition:match("%f[%w]()NOT()%f[^%w]"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
261 |
condition = (condition:sub(1,s-1)..condition:sub(e+1, -1)):match("^%s*(.-)%s*$"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
262 |
negated = true; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
263 |
end |
998
6fdcebbd2284
mod_firewall: Fix conditions with spaces
Matthew Wild <mwild1@gmail.com>
parents:
996
diff
changeset
|
264 |
condition = condition:gsub(" ", "_"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
265 |
if not condition_handlers[condition] then |
998
6fdcebbd2284
mod_firewall: Fix conditions with spaces
Matthew Wild <mwild1@gmail.com>
parents:
996
diff
changeset
|
266 |
return nil, ("Unknown condition on line %d: %s"):format(line_no, (condition:gsub("_", " "))); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
267 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
268 |
-- Get the code for this condition |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
269 |
local ok, condition_code, condition_deps = pcall(condition_handlers[condition], line:match(":%s?(.+)$")); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
270 |
if not ok then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
271 |
return nil, errmsg(condition_code); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
272 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
273 |
if negated then condition_code = "not("..condition_code..")"; end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
274 |
table.insert(rule.conditions, condition_code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
275 |
for _, dep in ipairs(condition_deps or {}) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
276 |
table.insert(rule.deps, dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
277 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
278 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
279 |
end |
2082
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
280 |
return ruleset; |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
281 |
end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
282 |
|
2082
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
283 |
local function process_firewall_rules(ruleset) |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
284 |
-- Compile ruleset and return complete code |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
285 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
286 |
local chain_handlers = {}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
287 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
288 |
-- Loop through the chains in the parsed ruleset (e.g. incoming, outgoing) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
289 |
for chain_name, rules in pairs(ruleset) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
290 |
local code = { included_deps = {}, global_header = {} }; |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
291 |
local condition_uses = {}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
292 |
-- This inner loop assumes chain is an event-based, not a filter-based |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
293 |
-- chain (filter-based will be added later) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
294 |
for _, rule in ipairs(rules) do |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
295 |
for _, condition in ipairs(rule.conditions) do |
2074
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
296 |
if condition:find("^not%(.+%)$") then |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
297 |
condition = condition:match("^not%((.+)%)$"); |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
298 |
end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
299 |
condition_uses[condition] = (condition_uses[condition] or 0) + 1; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
300 |
end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
301 |
end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
302 |
|
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
303 |
local condition_cache, n_conditions = {}, 0; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
304 |
for _, rule in ipairs(rules) do |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
305 |
for _, dep in ipairs(rule.deps) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
306 |
include_dep(dep, code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
307 |
end |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
308 |
table.insert(code, "\n\t\t"); |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
309 |
local rule_code; |
967
a88f33fe6970
mod_firewall: Don't add empty conditions check when no conditions are listed in a rule
Matthew Wild <mwild1@gmail.com>
parents:
966
diff
changeset
|
310 |
if #rule.conditions > 0 then |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
311 |
for i, condition in ipairs(rule.conditions) do |
1001
c0850793b716
mod_firewall: don't use %b() (not technically correct)
Matthew Wild <mwild1@gmail.com>
parents:
999
diff
changeset
|
312 |
local negated = condition:match("^not%(.+%)$"); |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
313 |
if negated then |
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
314 |
condition = condition:match("^not%((.+)%)$"); |
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
315 |
end |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
316 |
if condition_uses[condition] > 1 then |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
317 |
local name = condition_cache[condition]; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
318 |
if not name then |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
319 |
n_conditions = n_conditions + 1; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
320 |
name = "condition"..n_conditions; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
321 |
condition_cache[condition] = name; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
322 |
table.insert(code, "local "..name.." = "..condition..";\n\t\t"); |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
323 |
end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
324 |
rule.conditions[i] = (negated and "not(" or "")..name..(negated and ")" or ""); |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
325 |
else |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
326 |
rule.conditions[i] = (negated and "not(" or "(")..condition..")"; |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
327 |
end |
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
328 |
end |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
329 |
|
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
330 |
rule_code = "if "..table.concat(rule.conditions, " and ").." then\n\t\t\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
331 |
..table.concat(rule.actions, "\n\t\t\t") |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
332 |
.."\n\t\tend\n"; |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
333 |
else |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
334 |
rule_code = table.concat(rule.actions, "\n\t\t"); |
967
a88f33fe6970
mod_firewall: Don't add empty conditions check when no conditions are listed in a rule
Matthew Wild <mwild1@gmail.com>
parents:
966
diff
changeset
|
335 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
336 |
table.insert(code, rule_code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
337 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
338 |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
339 |
for name in pairs(definition_handlers) do |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
340 |
table.insert(code.global_header, 1, "local "..name:lower().."s = definitions."..name..";"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
341 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
342 |
|
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
343 |
local code_string = "return function (definitions, fire_event, log)\n\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
344 |
..table.concat(code.global_header, "\n\t") |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
345 |
.."\n\tlocal db = require 'util.debug';\n\n\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
346 |
.."return function (event)\n\t\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
347 |
.."local stanza, session = event.stanza, event.origin;\n" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
348 |
..table.concat(code, "") |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
349 |
.."\n\tend;\nend"; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
350 |
|
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
351 |
chain_handlers[chain_name] = code_string; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
352 |
end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
353 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
354 |
return chain_handlers; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
355 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
356 |
|
2082
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
357 |
local function compile_firewall_rules(filename) |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
358 |
local ruleset, err = parse_firewall_rules(filename); |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
359 |
if not ruleset then return nil, err; end |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
360 |
local chain_handlers = process_firewall_rules(ruleset); |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
361 |
return chain_handlers; |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
362 |
end |
11539785cb92
mod_firewall: Split compile function into two parts in order to separate their scopes
Kim Alvefur <zash@zash.se>
parents:
2081
diff
changeset
|
363 |
|
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
364 |
local function compile_handler(code_string, filename) |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
365 |
-- Prepare event handler function |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
366 |
local chunk, err = loadstring(code_string, "="..filename); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
367 |
if not chunk then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
368 |
return nil, "Error compiling (probably a compiler bug, please report): "..err; |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
369 |
end |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
370 |
local function fire_event(name, data) |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
371 |
return module:fire_event(name, data); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
372 |
end |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
373 |
chunk = chunk()(active_definitions, fire_event, logger(filename)); -- Returns event handler with 'zones' upvalue. |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
374 |
return chunk; |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
375 |
end |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
376 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
377 |
function module.load() |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
378 |
if not prosody.arg then return end -- Don't run in prosodyctl |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
379 |
active_definitions = {}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
380 |
local firewall_scripts = module:get_option_set("firewall_scripts", {}); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
381 |
for script in firewall_scripts do |
955
97454c088b6c
mod_firewall: Use resolve_relative_path correctly
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
382 |
script = resolve_relative_path(prosody.paths.config, script); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
383 |
local chain_functions, err = compile_firewall_rules(script) |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
384 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
385 |
if not chain_functions then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
386 |
module:log("error", "Error compiling %s: %s", script, err or "unknown error"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
387 |
else |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
388 |
for chain, handler_code in pairs(chain_functions) do |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
389 |
local handler, err = compile_handler(handler_code, "mod_firewall::"..chain); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
390 |
if not handler then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
391 |
module:log("error", "Compilation error for %s: %s", script, err); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
392 |
else |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
393 |
local chain_definition = chains[chain]; |
1325
b21236b6b8d8
Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents:
1324
diff
changeset
|
394 |
if chain_definition and chain_definition.type == "event" then |
b21236b6b8d8
Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents:
1324
diff
changeset
|
395 |
for _, event_name in ipairs(chain_definition) do |
b21236b6b8d8
Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents:
1324
diff
changeset
|
396 |
module:hook(event_name, handler, chain_definition.priority); |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
397 |
end |
2074
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
1343
diff
changeset
|
398 |
elseif not chain:sub(1, 5) == "user/" then |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
399 |
module:log("warn", "Unknown chain %q", chain); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
400 |
end |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
401 |
module:hook("firewall/chains/"..chain, handler); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
402 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
403 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
404 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
405 |
end |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
406 |
-- Replace contents of definitions table (shared) with active definitions |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
407 |
for k in it.keys(definitions) do definitions[k] = nil; end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
408 |
for k,v in pairs(active_definitions) do definitions[k] = v; end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
409 |
end |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
410 |
|
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
411 |
function module.command(arg) |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
412 |
if not arg[1] or arg[1] == "--help" then |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
413 |
require"util.prosodyctl".show_usage([[mod_firewall <firewall.pfw>]], [[Compile files with firewall rules to Lua code]]); |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
414 |
return 1; |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
415 |
end |
2122
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
416 |
local verbose = arg[1] == "-v"; |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
417 |
if verbose then table.remove(arg, 1); end |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
418 |
|
2121
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
419 |
local serialize = require "util.serialization".serialize; |
2122
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
420 |
if verbose then |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
421 |
print("local logger = require \"util.logger\".init;"); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
422 |
print(); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
423 |
print("local function fire_event(name, data)\n\tmodule:fire_event(name, data)\nend"); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
424 |
print(); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
425 |
end |
2121
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
426 |
|
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
427 |
for _, filename in ipairs(arg) do |
2121
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
428 |
print("do -- File "..filename); |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
429 |
local chain_functions = assert(compile_firewall_rules(arg[1])); |
2122
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
430 |
if verbose then |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
431 |
print(); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
432 |
print("local active_definitions = "..serialize(active_definitions)..";"); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
433 |
print(); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
434 |
end |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
435 |
for chain, handler_code in pairs(chain_functions) do |
2121
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
436 |
print("---- Chain "..chain:gsub("_", " ")); |
2122
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
437 |
if not verbose then |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
438 |
print(("%s = %s;"):format(chain, handler_code:sub(8))); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
439 |
else |
2121
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
440 |
|
2122
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
441 |
print(("local %s = (%s)(active_definitions, fire_event, logger(%q));"):format(chain, handler_code:sub(8), filename)); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
442 |
print(); |
2121
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
443 |
|
2122
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
444 |
local chain_definition = chains[chain]; |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
445 |
if chain_definition and chain_definition.type == "event" then |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
446 |
for _, event_name in ipairs(chain_definition) do |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
447 |
print(("module:hook(%q, %s, %d);"):format(event_name, chain, chain_definition.priority or 0)); |
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
448 |
end |
2121
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
449 |
end |
2122
643b254e75de
mod_firewall: Disable more realistic output by default, activated by adding a -v flag
Kim Alvefur <zash@zash.se>
parents:
2121
diff
changeset
|
450 |
print(("module:hook(%q, %s, %d);"):format("firewall/chains/"..chain, chain, chain_definition.priority or 0)); |
2121
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
451 |
end |
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
452 |
|
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
453 |
print("---- End of chain "..chain); |
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
454 |
print(); |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
455 |
end |
2121
5aa3b93cd37a
mod_firewall: Make prosodyctl command output more realistic source (not guaranteed to work)
Kim Alvefur <zash@zash.se>
parents:
2117
diff
changeset
|
456 |
print("end -- End of file "..filename); |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
457 |
end |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
458 |
end |