author | Kim Alvefur <zash@zash.se> |
Wed, 19 Mar 2014 14:04:09 +0100 | |
changeset 1358 | 497e1df4b7ee |
parent 1343 | 7dbde05b48a9 |
child 1593 | 3e4d15ae2133 |
child 2074 | 2356114ff505 |
permissions | -rw-r--r-- |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 |
local resolve_relative_path = require "core.configmanager".resolve_relative_path; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 |
local logger = require "util.logger".init; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
local set = require "util.set"; |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
5 |
local it = require "util.iterators"; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 |
local add_filter = require "util.filters".add_filter; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
8 |
local definitions = module:shared("definitions"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
9 |
local active_definitions = {}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 |
local chains = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 |
preroute = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 |
type = "event"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 |
priority = 0.1; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 |
"pre-message/bare", "pre-message/full", "pre-message/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 |
"pre-presence/bare", "pre-presence/full", "pre-presence/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 |
"pre-iq/bare", "pre-iq/full", "pre-iq/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 |
deliver = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 |
type = "event"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 |
priority = 0.1; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 |
"message/bare", "message/full", "message/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 |
"presence/bare", "presence/full", "presence/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 |
"iq/bare", "iq/full", "iq/host"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 |
deliver_remote = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
type = "event"; "route/remote"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 |
priority = 0.1; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 |
|
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
32 |
local function idsafe(name) |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
33 |
return not not name:match("^%a[%w_]*$") |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
34 |
end |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
35 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 |
-- Dependency locations: |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 |
-- <type lib> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 |
-- <type global> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 |
-- function handler() |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 |
-- <local deps> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 |
-- if <conditions> then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 |
-- <actions> |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 |
-- end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 |
-- end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 |
local available_deps = { |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
47 |
st = { global_code = [[local st = require "util.stanza";]]}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 |
jid_split = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 |
global_code = [[local jid_split = require "util.jid".split;]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 |
jid_bare = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 |
global_code = [[local jid_bare = require "util.jid".bare;]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 |
to = { local_code = [[local to = stanza.attr.to;]] }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 |
from = { local_code = [[local from = stanza.attr.from;]] }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 |
type = { local_code = [[local type = stanza.attr.type;]] }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 |
name = { local_code = [[local name = stanza.name]] }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 |
split_to = { -- The stanza's split to address |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 |
depends = { "jid_split", "to" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 |
local_code = [[local to_node, to_host, to_resource = jid_split(to);]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 |
split_from = { -- The stanza's split from address |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 |
depends = { "jid_split", "from" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 |
local_code = [[local from_node, from_host, from_resource = jid_split(from);]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 |
bare_to = { depends = { "jid_bare", "to" }, local_code = "local bare_to = jid_bare(to)"}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 |
bare_from = { depends = { "jid_bare", "from" }, local_code = "local bare_from = jid_bare(from)"}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 |
group_contains = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
69 |
global_code = [[local group_contains = module:depends("groups").group_contains]]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
70 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
71 |
is_admin = { global_code = [[local is_admin = require "core.usermanager".is_admin]]}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
72 |
core_post_stanza = { global_code = [[local core_post_stanza = prosody.core_post_stanza]] }; |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
73 |
zone = { global_code = function (zone) |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
74 |
assert(idsafe(zone), "Invalid zone name: "..zone); |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
75 |
return ("local zone_%s = zones[%q] or {};"):format(zone, zone); |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
76 |
end }; |
966
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
77 |
date_time = { global_code = [[local os_date = os.date]]; local_code = [[local current_date_time = os_date("*t");]] }; |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
78 |
time = { local_code = function (what) |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
79 |
local defs = {}; |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
80 |
for field in what:gmatch("%a+") do |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
81 |
table.insert(defs, ("local current_%s = current_date_time.%s;"):format(field, field)); |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
82 |
end |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
83 |
return table.concat(defs, " "); |
a65df6e97d94
mod_firewall: Add time and date deps
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
84 |
end, depends = { "date_time" }; }; |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
85 |
throttle = { |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
86 |
global_code = function (throttle) |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
87 |
assert(idsafe(throttle), "Invalid rate limit name: "..throttle); |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
88 |
assert(active_definitions.RATE[throttle], "Unknown rate limit: "..throttle); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
89 |
return ("local throttle_%s = rates.%s;"):format(throttle, throttle); |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
90 |
end; |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
967
diff
changeset
|
91 |
}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
92 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
93 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
94 |
local function include_dep(dep, code) |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
95 |
local dep, dep_param = dep:match("^([^:]+):?(.*)$"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
96 |
local dep_info = available_deps[dep]; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
97 |
if not dep_info then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
98 |
module:log("error", "Dependency not found: %s", dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
99 |
return; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
100 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
101 |
if code.included_deps[dep] then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
102 |
if code.included_deps[dep] ~= true then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
103 |
module:log("error", "Circular dependency on %s", dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
104 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
105 |
return; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
106 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
107 |
code.included_deps[dep] = false; -- Pending flag (used to detect circular references) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
108 |
for _, dep_dep in ipairs(dep_info.depends or {}) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
109 |
include_dep(dep_dep, code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
110 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
111 |
if dep_info.global_code then |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
112 |
if dep_param ~= "" then |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
113 |
table.insert(code.global_header, dep_info.global_code(dep_param)); |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
114 |
else |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
115 |
table.insert(code.global_header, dep_info.global_code); |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
116 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
117 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
118 |
if dep_info.local_code then |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
119 |
if dep_param ~= "" then |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
120 |
table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..dep_info.local_code(dep_param).."\n"); |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
121 |
else |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
122 |
table.insert(code, "\n\t\t-- "..dep.."\n\t\t"..dep_info.local_code.."\n"); |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
960
diff
changeset
|
123 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
124 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
125 |
code.included_deps[dep] = true; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
126 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
127 |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
128 |
local definition_handlers = module:require("definitions"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
129 |
local condition_handlers = module:require("conditions"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
130 |
local action_handlers = module:require("actions"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
131 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
132 |
local function new_rule(ruleset, chain) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
133 |
assert(chain, "no chain specified"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
134 |
local rule = { conditions = {}, actions = {}, deps = {} }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
135 |
table.insert(ruleset[chain], rule); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
136 |
return rule; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
137 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
138 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
139 |
local function compile_firewall_rules(filename) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
140 |
local line_no = 0; |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
141 |
|
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
142 |
local function errmsg(err) |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
143 |
return "Error compiling "..filename.." on line "..line_no..": "..err; |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
144 |
end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
145 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
146 |
local ruleset = { |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
147 |
deliver = {}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
148 |
}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
149 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
150 |
local chain = "deliver"; -- Default chain |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
151 |
local rule; |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
152 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
153 |
local file, err = io.open(filename); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
154 |
if not file then return nil, err; end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
155 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
156 |
local state; -- nil -> "rules" -> "actions" -> nil -> ... |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
157 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
158 |
local line_hold; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
159 |
for line in file:lines() do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
160 |
line = line:match("^%s*(.-)%s*$"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
161 |
if line_hold and line:sub(-1,-1) ~= "\\" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
162 |
line = line_hold..line; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
163 |
line_hold = nil; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
164 |
elseif line:sub(-1,-1) == "\\" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
165 |
line_hold = (line_hold or "")..line:sub(1,-2); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
166 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
167 |
line_no = line_no + 1; |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
168 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
169 |
if line_hold or line:match("^[#;]") then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
170 |
-- No action; comment or partial line |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
171 |
elseif line == "" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
172 |
if state == "rules" then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
173 |
return nil, ("Expected an action on line %d for preceding criteria") |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
174 |
:format(line_no); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
175 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
176 |
state = nil; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
177 |
elseif not(state) and line:match("^::") then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
178 |
chain = line:gsub("^::%s*", ""); |
980 | 179 |
local chain_info = chains[chain]; |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
180 |
if not chain_info then |
980 | 181 |
return nil, errmsg("Unknown chain: "..chain); |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
182 |
elseif chain_info.type ~= "event" then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
183 |
return nil, errmsg("Only event chains supported at the moment"); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
184 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
185 |
ruleset[chain] = ruleset[chain] or {}; |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
186 |
elseif not(state) and line:match("^%%") then -- Definition (zone, limit, etc.) |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
187 |
local what, name = line:match("^%%%s*(%w+) +([^ :]+)"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
188 |
if not definition_handlers[what] then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
189 |
return nil, errmsg("Definition of unknown object: "..what); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
190 |
elseif not name or not idsafe(name) then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
191 |
return nil, errmsg("Invalid "..what.." name"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
192 |
end |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
193 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
194 |
local val = line:match(": ?(.*)$"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
195 |
if not val and line:match(":<") then -- Read from file |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
196 |
local fn = line:match(":< ?(.-)%s*$"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
197 |
if not fn then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
198 |
return nil, errmsg("Unable to parse filename"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
199 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
200 |
local f, err = io.open(fn); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
201 |
if not f then return nil, errmsg(err); end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
202 |
val = f:read("*a"):gsub("\r?\n", " "):gsub("%s+5", ""); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
203 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
204 |
if not val then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
205 |
return nil, errmsg("No value given for definition"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
206 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
207 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
208 |
local ok, ret = pcall(definition_handlers[what], name, val); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
209 |
if not ok then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
210 |
return nil, errmsg(ret); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
211 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
212 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
213 |
if not active_definitions[what] then |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
214 |
active_definitions[what] = {}; |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
215 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
216 |
active_definitions[what][name] = ret; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
217 |
elseif line:match("^[^%s:]+[%.=]") then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
218 |
-- Action |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
219 |
if state == nil then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
220 |
-- This is a standalone action with no conditions |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
221 |
rule = new_rule(ruleset, chain); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
222 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
223 |
state = "actions"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
224 |
-- Action handlers? |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
225 |
local action = line:match("^%P+"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
226 |
if not action_handlers[action] then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
227 |
return nil, ("Unknown action on line %d: %s"):format(line_no, action or "<unknown>"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
228 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
229 |
table.insert(rule.actions, "-- "..line) |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
230 |
local ok, action_string, action_deps = pcall(action_handlers[action], line:match("=(.+)$")); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
231 |
if not ok then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
232 |
return nil, errmsg(action_string); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
233 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
234 |
table.insert(rule.actions, action_string); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
235 |
for _, dep in ipairs(action_deps or {}) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
236 |
table.insert(rule.deps, dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
237 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
238 |
elseif state == "actions" then -- state is actions but action pattern did not match |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
239 |
state = nil; -- Awaiting next rule, etc. |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
240 |
table.insert(ruleset[chain], rule); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
241 |
rule = nil; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
242 |
else |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
243 |
if not state then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
244 |
state = "rules"; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
245 |
rule = new_rule(ruleset, chain); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
246 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
247 |
-- Check standard modifiers for the condition (e.g. NOT) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
248 |
local negated; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
249 |
local condition = line:match("^[^:=%.]*"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
250 |
if condition:match("%f[%w]NOT%f[^%w]") then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
251 |
local s, e = condition:match("%f[%w]()NOT()%f[^%w]"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
252 |
condition = (condition:sub(1,s-1)..condition:sub(e+1, -1)):match("^%s*(.-)%s*$"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
253 |
negated = true; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
254 |
end |
998
6fdcebbd2284
mod_firewall: Fix conditions with spaces
Matthew Wild <mwild1@gmail.com>
parents:
996
diff
changeset
|
255 |
condition = condition:gsub(" ", "_"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
256 |
if not condition_handlers[condition] then |
998
6fdcebbd2284
mod_firewall: Fix conditions with spaces
Matthew Wild <mwild1@gmail.com>
parents:
996
diff
changeset
|
257 |
return nil, ("Unknown condition on line %d: %s"):format(line_no, (condition:gsub("_", " "))); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
258 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
259 |
-- Get the code for this condition |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
260 |
local ok, condition_code, condition_deps = pcall(condition_handlers[condition], line:match(":%s?(.+)$")); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
261 |
if not ok then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
262 |
return nil, errmsg(condition_code); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
263 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
264 |
if negated then condition_code = "not("..condition_code..")"; end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
265 |
table.insert(rule.conditions, condition_code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
266 |
for _, dep in ipairs(condition_deps or {}) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
267 |
table.insert(rule.deps, dep); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
268 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
269 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
270 |
end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
271 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
272 |
-- Compile ruleset and return complete code |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
273 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
274 |
local chain_handlers = {}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
275 |
|
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
276 |
-- Loop through the chains in the parsed ruleset (e.g. incoming, outgoing) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
277 |
for chain_name, rules in pairs(ruleset) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
278 |
local code = { included_deps = {}, global_header = {} }; |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
279 |
local condition_uses = {}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
280 |
-- This inner loop assumes chain is an event-based, not a filter-based |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
281 |
-- chain (filter-based will be added later) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
282 |
for _, rule in ipairs(rules) do |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
283 |
for _, condition in ipairs(rule.conditions) do |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
284 |
if condition:match("^not%(.+%)$") then |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
285 |
condition = condition:match("^not%((.+)%)$"); |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
286 |
end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
287 |
condition_uses[condition] = (condition_uses[condition] or 0) + 1; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
288 |
end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
289 |
end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
290 |
|
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
291 |
local condition_cache, n_conditions = {}, 0; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
292 |
for _, rule in ipairs(rules) do |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
293 |
for _, dep in ipairs(rule.deps) do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
294 |
include_dep(dep, code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
295 |
end |
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
296 |
table.insert(code, "\n\t\t"); |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
297 |
local rule_code; |
967
a88f33fe6970
mod_firewall: Don't add empty conditions check when no conditions are listed in a rule
Matthew Wild <mwild1@gmail.com>
parents:
966
diff
changeset
|
298 |
if #rule.conditions > 0 then |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
299 |
for i, condition in ipairs(rule.conditions) do |
1001
c0850793b716
mod_firewall: don't use %b() (not technically correct)
Matthew Wild <mwild1@gmail.com>
parents:
999
diff
changeset
|
300 |
local negated = condition:match("^not%(.+%)$"); |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
301 |
if negated then |
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
302 |
condition = condition:match("^not%((.+)%)$"); |
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
303 |
end |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
304 |
if condition_uses[condition] > 1 then |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
305 |
local name = condition_cache[condition]; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
306 |
if not name then |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
307 |
n_conditions = n_conditions + 1; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
308 |
name = "condition"..n_conditions; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
309 |
condition_cache[condition] = name; |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
310 |
table.insert(code, "local "..name.." = "..condition..";\n\t\t"); |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
311 |
end |
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
312 |
rule.conditions[i] = (negated and "not(" or "")..name..(negated and ")" or ""); |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
313 |
else |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
314 |
rule.conditions[i] = (negated and "not(" or "(")..condition..")"; |
996
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
315 |
end |
37af655ca575
mod_firewall: Cache conditions, so that they are only calculated once per chain execution
Matthew Wild <mwild1@gmail.com>
parents:
980
diff
changeset
|
316 |
end |
1304
9f24ccaa66a6
mod_firewall: Do not cache conditions with only a single use
Florian Zeitz <florob@babelmonkeys.de>
parents:
1303
diff
changeset
|
317 |
|
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
318 |
rule_code = "if "..table.concat(rule.conditions, " and ").." then\n\t\t\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
319 |
..table.concat(rule.actions, "\n\t\t\t") |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
320 |
.."\n\t\tend\n"; |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
321 |
else |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
322 |
rule_code = table.concat(rule.actions, "\n\t\t"); |
967
a88f33fe6970
mod_firewall: Don't add empty conditions check when no conditions are listed in a rule
Matthew Wild <mwild1@gmail.com>
parents:
966
diff
changeset
|
323 |
end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
324 |
table.insert(code, rule_code); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
325 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
326 |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
327 |
for name in pairs(definition_handlers) do |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
328 |
table.insert(code.global_header, 1, "local "..name:lower().."s = definitions."..name..";"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
329 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
330 |
|
1303
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
331 |
local code_string = "return function (definitions, fire_event, log)\n\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
332 |
..table.concat(code.global_header, "\n\t") |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
333 |
.."\n\tlocal db = require 'util.debug';\n\n\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
334 |
.."return function (event)\n\t\t" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
335 |
.."local stanza, session = event.stanza, event.origin;\n" |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
336 |
..table.concat(code, "") |
8a3f3f485675
mod_firewall: Produce code with nicer indentation
Florian Zeitz <florob@babelmonkeys.de>
parents:
1052
diff
changeset
|
337 |
.."\n\tend;\nend"; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
338 |
|
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
339 |
chain_handlers[chain_name] = code_string; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
340 |
end |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
341 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
342 |
return chain_handlers; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
343 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
344 |
|
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
345 |
local function compile_handler(code_string, filename) |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
346 |
-- Prepare event handler function |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
347 |
local chunk, err = loadstring(code_string, "="..filename); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
348 |
if not chunk then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
349 |
return nil, "Error compiling (probably a compiler bug, please report): "..err; |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
350 |
end |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
351 |
local function fire_event(name, data) |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
352 |
return module:fire_event(name, data); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
353 |
end |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
354 |
chunk = chunk()(active_definitions, fire_event, logger(filename)); -- Returns event handler with 'zones' upvalue. |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
355 |
return chunk; |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
356 |
end |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
357 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
358 |
function module.load() |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
359 |
if not prosody.arg then return end -- Don't run in prosodyctl |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
360 |
active_definitions = {}; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
361 |
local firewall_scripts = module:get_option_set("firewall_scripts", {}); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
362 |
for script in firewall_scripts do |
955
97454c088b6c
mod_firewall: Use resolve_relative_path correctly
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
363 |
script = resolve_relative_path(prosody.paths.config, script); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
364 |
local chain_functions, err = compile_firewall_rules(script) |
1343
7dbde05b48a9
all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
1325
diff
changeset
|
365 |
|
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
366 |
if not chain_functions then |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
367 |
module:log("error", "Error compiling %s: %s", script, err or "unknown error"); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
368 |
else |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
369 |
for chain, handler_code in pairs(chain_functions) do |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
370 |
local handler, err = compile_handler(handler_code, "mod_firewall::"..chain); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
371 |
if not handler then |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
372 |
module:log("error", "Compilation error for %s: %s", script, err); |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
373 |
else |
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
374 |
local chain_definition = chains[chain]; |
1325
b21236b6b8d8
Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents:
1324
diff
changeset
|
375 |
if chain_definition and chain_definition.type == "event" then |
b21236b6b8d8
Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents:
1324
diff
changeset
|
376 |
for _, event_name in ipairs(chain_definition) do |
b21236b6b8d8
Backed out changeset 853a382c9bd6
Kim Alvefur <zash@zash.se>
parents:
1324
diff
changeset
|
377 |
module:hook(event_name, handler, chain_definition.priority); |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
378 |
end |
980 | 379 |
elseif not chain:match("^user/") then |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
380 |
module:log("warn", "Unknown chain %q", chain); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
381 |
end |
956
33d6642f4db7
mod_firewall: Tighten up error handling, and split rules->Lua and Lua->bytecode compilation into separate functions
Matthew Wild <mwild1@gmail.com>
parents:
955
diff
changeset
|
382 |
module:hook("firewall/chains/"..chain, handler); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
383 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
384 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
385 |
end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
386 |
end |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
387 |
-- Replace contents of definitions table (shared) with active definitions |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
388 |
for k in it.keys(definitions) do definitions[k] = nil; end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
998
diff
changeset
|
389 |
for k,v in pairs(active_definitions) do definitions[k] = v; end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
390 |
end |
1052
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
391 |
|
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
392 |
function module.command(arg) |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
393 |
if not arg[1] or arg[1] == "--help" then |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
394 |
require"util.prosodyctl".show_usage([[mod_firewall <firewall.pfw>]], [[Compile files with firewall rules to Lua code]]); |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
395 |
return 1; |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
396 |
end |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
397 |
|
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
398 |
for _, filename in ipairs(arg) do |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
399 |
print("\n-- File "..filename); |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
400 |
local chain_functions = assert(compile_firewall_rules(arg[1])); |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
401 |
for chain, handler_code in pairs(chain_functions) do |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
402 |
print("\n---- Chain "..chain); |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
403 |
print(handler_code); |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
404 |
print("\n---- End of chain "..chain); |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
405 |
end |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
406 |
print("\n-- End of file "..filename); |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
407 |
end |
80f0a3231c59
mod_firewall: Add support for being called as a prosodyctl command
Kim Alvefur <zash@zash.se>
parents:
1051
diff
changeset
|
408 |
end |