author | Kim Alvefur <zash@zash.se> |
Sat, 01 Oct 2016 17:16:39 +0200 | |
changeset 2324 | d6a3362ca256 |
parent 2132 | 21bc4d7cddae |
child 2346 | 6848297cf40a |
permissions | -rw-r--r-- |
--luacheck: globals meta idsafe

-- Condition compilers, keyed by condition name. Each handler defined on this
-- table below takes the condition's argument string and returns Lua source
-- text for the check; most also return a list of dependency names.
-- NOTE(review): the returned text is later compiled as code (presumably by
-- the main module - confirm), so argument text should only reach it through
-- %q quoting or numeric conversion.
local condition_handlers = {};

local jid = require "util.jid";
-- Build a Lua expression (as source text) that is true when the variable
-- called 'name' equals any entry of 'values', a list delimited by
-- whitespace, commas or pipes. Every entry goes through %q, so it lands in
-- the generated code as a quoted string literal; 'name' is inserted as-is.
-- An empty 'values' yields an empty string.
-- NOTE(review): the result is a bare `or` chain with no surrounding
-- parentheses; confirm the caller wraps each condition before joining
-- several of them with `and`.
local function compile_comparison_list(name, values)
	local clauses = {};
	for token in values:gmatch("[^%s,|]+") do
		clauses[#clauses + 1] = string.format("%s == %q", name, token);
	end
	return table.concat(clauses, " or ");
end
-- KIND: compare the generated-code variable `name` against the listed
-- values. Returns the condition source and the dependency list { "name" }.
function condition_handlers.KIND(kind)
	local code = compile_comparison_list("name", kind);
	return code, { "name" };
end
-- Glob characters and the Lua pattern fragments they translate to.
local wildcard_equivs = { ["*"] = ".*", ["?"] = "." };

-- Compile the check for one JID part (the variable named by 'part') against
-- the rule text 'match':
--   nil        -> the part must be absent (part == nil)
--   <*>        -> the part must be present, any value
--   <<pat>>    -> 'pat' is used verbatim as a Lua pattern
--   <glob>     -> punctuation is escaped, then * and ? act as wildcards
--   other text -> exact string comparison
-- Pattern forms are anchored with ^ and $ so they must cover the whole part,
-- and the pattern is embedded through %q.
local function compile_jid_match_part(part, match)
	if not match then
		return part.." == nil";
	end
	local inner = match:match("^<(.*)>$");
	if not inner then
		return ("%s == %q"):format(part, match);
	end
	if inner == "*" then
		return part;
	end
	local lua_pattern;
	local raw = inner:match("^<(.*)>$");
	if raw then
		lua_pattern = raw;
	else
		-- Escape every punctuation character first, then turn the escaped
		-- wildcards back into their pattern equivalents.
		local escaped = inner:gsub("%p", "%%%0");
		lua_pattern = escaped:gsub("%%(%p)", wildcard_equivs);
	end
	return ("(%s and %s:find(%q))"):format(part, part, "^"..lua_pattern.."$");
end
-- Compile a full JID match for 'which' ("to" or "from" in this file).
-- The node and host checks are always emitted; a resource check is added
-- only when the rule JID carries a resource, so a rule without one places
-- no constraint on the resource. A rule JID without a node compiles to
-- `<which>_node == nil`, i.e. it does not match JIDs that have a node.
-- NOTE(review): the rule text is split with jid.split and compared as
-- given; confirm whether rule JIDs need normalisation before they get here.
local function compile_jid_match(which, match_jid)
	local node, host, resource = jid.split(match_jid);
	local parts = {};
	parts[1] = compile_jid_match_part(which.."_node", node);
	parts[2] = compile_jid_match_part(which.."_host", host);
	if resource then
		parts[3] = compile_jid_match_part(which.."_resource", resource);
	end
	return table.concat(parts, " and ");
end
-- TO: match the split parts of the recipient JID against a JID or JID
-- pattern. Depends on "split_to".
function condition_handlers.TO(to)
	local code = compile_jid_match("to", to);
	return code, { "split_to" };
end
-- FROM: match the split parts of the sender JID against a JID or JID
-- pattern. Depends on "split_from".
function condition_handlers.FROM(from)
	local code = compile_jid_match("from", from);
	return code, { "split_from" };
end
-- FROM_EXACTLY: compare the whole `from` value with the given text; no
-- splitting and no pattern handling. The text is embedded through %q.
function condition_handlers.FROM_EXACTLY(from)
	local code = string.format("from == %q", from);
	return code, { "from" };
end
-- TO_EXACTLY: compare the whole `to` value with the given text; no
-- splitting and no pattern handling. The text is embedded through %q.
function condition_handlers.TO_EXACTLY(to)
	local code = string.format("to == %q", to);
	return code, { "to" };
end
-- TYPE: compare the stanza type against a list of values. When `type` is
-- unset in the generated code, 'normal' is substituted for messages and
-- 'available' for presence before comparing. Depends on "type" and "name".
function condition_handlers.TYPE(type)
	local effective_type = "(type or (name == 'message' and 'normal') or (name == 'presence' and 'available'))";
	local code = compile_comparison_list(effective_type, type);
	return code, { "type", "name" };
end
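-- Build the condition shared by ENTERING and LEAVING: the 'which' side of
-- the stanza (its host, full JID or bare JID) is in the zone table and the
-- opposite side is not. Returns the condition source and its dependencies.
-- Raises an error when 'zone' is not usable as part of an identifier.
local function zone_check(zone, which)
	-- 'zone' becomes part of an identifier (zone_<name>) in the generated
	-- code and cannot be quoted there, so only identifier characters are
	-- accepted; anything else would produce broken or unintended code.
	if type(zone) ~= "string" or not zone:find("^[%w_]+$") then
		error("Invalid zone name: "..tostring(zone));
	end
	local which_not = which == "from" and "to" or "from";
	local inside = ("(zone_%s[%s_host] or zone_%s[%s] or zone_%s[bare_%s])")
		:format(zone, which, zone, which, zone, which);
	local outside = ("(zone_%s[%s_host] or zone_%s[%s] or zone_%s[bare_%s])")
		:format(zone, which_not, zone, which_not, zone, which_not);
	return inside.." and not"..outside, {
		"split_to", "split_from", "bare_to", "bare_from", "zone:"..zone
	};
end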
-- ENTERING: recipient is in the zone and sender is not.
function condition_handlers.ENTERING(zone)
	local code, deps = zone_check(zone, "to");
	return code, deps;
end
-- LEAVING: sender is in the zone and recipient is not.
function condition_handlers.LEAVING(zone)
	local code, deps = zone_check(zone, "from");
	return code, deps;
end
-- PAYLOAD: true when stanza:get_child(nil, <namespace>) finds a child.
-- The namespace is embedded through %q. Returns no dependency list.
function condition_handlers.PAYLOAD(payload_ns)
	local code = string.format("stanza:get_child(nil, %q)", payload_ns);
	return code;
end
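-- INSPECT: look inside the stanza with stanza:find().
--   path           -> true when stanza:find(path) returns a value
--   path=value     -> the found value must equal 'value'
--   path~=pattern  -> the found value must match the Lua pattern
-- The split happens at the first '=' in the argument. Query, value and
-- pattern are all embedded through %q. Returns no dependency list.
function condition_handlers.INSPECT(path)
	if path:find("=", 1, true) then
		local query, is_pattern_match, value = path:match("(.-)(~?)=(.*)");
		if is_pattern_match ~= "" then
			-- Guard the lookup: calling :match() directly on the result
			-- raises an error at filtering time for every stanza where the
			-- path finds nothing. A missing value now simply does not
			-- match, as in the equality branch; the price is a second
			-- lookup when the value is present.
			return ("(stanza:find(%q) and stanza:find(%q):match(%q))"):format(query, query, value);
		else
			return ("stanza:find(%q) == %q"):format(query, value);
		end
	end
	return ("stanza:find(%q)"):format(path);
end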
-- FROM_GROUP: true when group_contains(<group>, bare_from) is true in the
-- generated code. The group name is embedded through %q.
function condition_handlers.FROM_GROUP(group_name)
	local code = string.format("group_contains(%q, bare_from)", group_name);
	return code, { "group_contains", "bare_from" };
end
-- TO_GROUP: true when group_contains(<group>, bare_to) is true in the
-- generated code. The group name is embedded through %q.
function condition_handlers.TO_GROUP(group_name)
	local code = string.format("group_contains(%q, bare_to)", group_name);
	return code, { "group_contains", "bare_to" };
end
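-- FROM_ADMIN_OF: true when is_admin(bare_from, <host>) is true in the
-- generated code. A host of "*" is passed to is_admin as nil.
function condition_handlers.FROM_ADMIN_OF(host)
	-- The host has to reach the generated code as a quoted string literal.
	-- Inserted bare, a name such as example.com is parsed as an expression
	-- (a field lookup on a global), so the check would fail at run time or
	-- silently be made against a different value than the rule names.
	local host_arg = "nil";
	if host ~= "*" then
		host_arg = ("%q"):format(host);
	end
	return ("is_admin(bare_from, %s)"):format(host_arg), { "is_admin", "bare_from" };
end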
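-- TO_ADMIN_OF: true when is_admin(bare_to, <host>) is true in the
-- generated code. A host of "*" is passed to is_admin as nil.
function condition_handlers.TO_ADMIN_OF(host)
	-- The host has to reach the generated code as a quoted string literal.
	-- Inserted bare, a name such as example.com is parsed as an expression
	-- (a field lookup on a global), so the check would fail at run time or
	-- silently be made against a different value than the rule names.
	local host_arg = "nil";
	if host ~= "*" then
		host_arg = ("%q"):format(host);
	end
	return ("is_admin(bare_to, %s)"):format(host_arg), { "is_admin", "bare_to" };
end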
-- Day-name prefix (first three letters, lower case) to day number, as
-- compared against `current_day` in the generated code.
-- NOTE(review): the numbering skips 1 (sun = 0, mon = 2 .. sat = 7), so
-- whichever day the runtime numbers as 1 can never be matched by name.
-- Confirm how current_day is derived and align this table with it.
local day_numbers = {
	sun = 0,
	mon = 2,
	tue = 3,
	wed = 4,
	thu = 5,
	fri = 6,
	sat = 7,
};
-- Build a comparison of current_hour/current_minute against hour:minute.
-- 'op' is inserted into the code as given. With op "<" the bound is
-- exclusive; with any other op the equal-time case uses ">=", so a start
-- time is inclusive. Hour and minute pass through tonumber(), so only
-- numbers reach the generated code.
local function current_time_check(op, hour, minute)
	local h, m = tonumber(hour), tonumber(minute);
	local boundary_op = ">=";
	if op == "<" then
		boundary_op = "<";
	end
	if m == 0 then
		-- On the hour: a single hour comparison is enough.
		return "(current_hour"..boundary_op..h..")";
	end
	local hour_clause = "(current_hour"..op..h..")";
	local minute_clause = "(current_hour == "..h.." and current_minute"..boundary_op..m..")";
	return "("..hour_clause.." or "..minute_clause..")";
end
-- Look up the number for a day name. Only the first three letters are
-- used, case-insensitively, so "Mon" and "monday" resolve alike. Raises
-- "Unknown day name: ..." when the prefix is not in day_numbers.
local function resolve_day_number(day_name)
	local key = day_name:sub(1, 3):lower();
	return assert(day_numbers[key], "Unknown day name: "..day_name);
end
-- DAY: compile a comma-separated list of day names and day ranges
-- ("mon-fri") into a check on `current_day`. Only numbers produced by
-- resolve_day_number reach the generated code. Raises an error for an entry
-- with no letters, for an unknown day name, and for an empty list.
-- Depends on "time:day".
function condition_handlers.DAY(days)
	local clauses = {};
	for entry in days:gmatch("[^,]+") do
		local first, last = entry:match("(%a+)%s*%-%s*(%a+)");
		if first and last then
			local first_num = resolve_day_number(first);
			local last_num = resolve_day_number(last);
			-- A range whose end is numbered below its start wraps around,
			-- so either bound being satisfied is enough.
			local joiner = "and";
			if last_num < first_num then
				joiner = "or";
			end
			clauses[#clauses + 1] = ("current_day >= %d %s current_day <= %d"):format(first_num, joiner, last_num);
		elseif entry:find("%a") then
			local day = resolve_day_number(entry:match("%a+"));
			clauses[#clauses + 1] = "current_day == "..day;
		else
			error("Unable to parse day/day range: "..entry);
		end
	end
	assert(#clauses > 0, "Expected a list of days or day ranges");
	return "("..table.concat(clauses, ") or (")..")", { "time:day" };
end
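--- TIME condition: compile a comma-separated list of time ranges into a Lua
-- expression string.
-- Each range is written "<start> - <end>", using either 24-hour "HH:MM" times
-- or 12-hour times with an am/pm suffix (minutes optional in the 12-hour form).
-- @param ranges the range list as written in the rule (constructed example:
--   "9am-5pm, 22:00-23:30")
-- @return the expression string, followed by the list { "time:hour,min" }
-- Raises an error when a range cannot be parsed or when no range is given.
function condition_handlers.TIME(ranges)
	local conditions = {};
	for range in ranges:gmatch("([^,]+)") do
		local clause = {};
		-- Normalise 12-hour times to 24-hour "H:M" so one pattern handles both
		-- forms below; 12am becomes 0 and 12pm becomes 12.
		range = range:lower()
			:gsub("(%d+):?(%d*) *am", function (h, m) return tostring(tonumber(h)%12)..":"..(tonumber(m) or "00"); end)
			:gsub("(%d+):?(%d*) *pm", function (h, m) return tostring(tonumber(h)%12+12)..":"..(tonumber(m) or "00"); end);
		-- Only digit captures are taken from the rule text, so nothing free-form
		-- is handed to current_time_check().
		local start_hour, start_minute = range:match("(%d+):(%d+) *%-");
		local end_hour, end_minute = range:match("%- *(%d+):(%d+)");
		if start_hour and end_hour then
			table.insert(clause, current_time_check(">", start_hour, start_minute));
			table.insert(clause, current_time_check("<", end_hour, end_minute));
		end
		-- Report unparseable input before the hours are compared: comparing nil
		-- captures would raise an unrelated error and hide this message from the
		-- rule author.
		if #clause == 0 then
			error("Unable to parse time range: "..range);
		end
		-- A start hour later than the end hour means the range wraps past
		-- midnight, so matching either bound is enough.
		-- NOTE(review): only the hours are compared, so a range whose start and
		-- end share an hour but whose start minute is later (e.g. 22:30-22:10) is
		-- treated as non-wrapping; confirm whether that is intended.
		local op = tonumber(start_hour) > tonumber(end_hour) and " or " or " and ";
		table.insert(conditions, "("..table.concat(clause, " "..op.." ")..")");
	end
	-- Same guard as the DAY handler: an empty list would otherwise compile to an
	-- empty expression string.
	assert(#conditions>0, "Expected a list of time ranges");
	return table.concat(conditions, " or "), { "time:hour,min" };
end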
--- LIMIT condition: compile a throttle check into a Lua expression string.
-- Accepts "<name>" for a global throttle or "<name> on <expression>" for a
-- throttle polled per value of the expression.
-- The throttle name is restricted to alphanumerics by the patterns, so it can
-- be spliced into the generated identifier as-is. The expression text is
-- quoted with %q before being handed to meta().
-- NOTE(review): meta() is a global defined outside this file; its output is
-- inserted into generated code, so confirm it keeps the value quoted.
-- @param spec the text following LIMIT in a rule
-- @return the expression string, followed by a one-element list naming the
--   throttle ("globalthrottle:<name>" or "multithrottle:<name>")
-- Raises an error when spec matches neither form.
function condition_handlers.LIMIT(spec)
	local throttle_name, key_expr = spec:match("^(%w+) on (.+)$");

	if throttle_name then
		key_expr = meta(("%q"):format(key_expr));
	else
		-- No "on" part: the whole spec must be a bare throttle name.
		throttle_name = spec:match("^%w+$");
		if not throttle_name then
			error("Unable to parse LIMIT specification");
		end
	end

	if key_expr then
		return ("not multi_throttle_%s:poll_on(%s, 1)"):format(throttle_name, key_expr), { "multithrottle:"..throttle_name };
	end
	return ("not global_throttle_%s:poll(1)"):format(throttle_name), { "globalthrottle:"..throttle_name };
end
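--- ORIGIN_MARKED condition: compile a check for a named mark stored on
-- `session` into a Lua expression string.
-- Accepts "<name>" or "<name> (<seconds>s)"; the name may contain letters,
-- digits and underscores.
-- The name passes through idsafe() before it is spliced into a field name, and
-- the time limit is emitted with %d, so only a number reaches the generated
-- code.
-- NOTE(review): idsafe() is a global defined outside this file; presumably it
-- maps the name to a valid identifier. Verify against its definition.
-- @param name_and_time the text following ORIGIN_MARKED in a rule
-- @return the expression string; when a time limit is given, also the list
--   { "timestamp" }
-- Raises an error when the mark name or the time limit cannot be parsed.
function condition_handlers.ORIGIN_MARKED(name_and_time)
	local name, time = name_and_time:match("^%s*([%w_]+)%s+%(([^)]+)s%)%s*$");
	if not name then
		name = name_and_time:match("^%s*([%w_]+)%s*$");
	end
	if not name then
		error("Error parsing mark name, see documentation for usage examples");
	end
	if time then
		-- The pattern accepts any text before the trailing "s", so check that it
		-- really is a number; otherwise string.format would fail with a message
		-- that says nothing about the rule.
		local seconds = tonumber(time);
		if not seconds then
			error("Error parsing mark time limit, expected a number of seconds: "..time);
		end
		return ("(current_timestamp - (session.firewall_marked_%s or 0)) < %d"):format(idsafe(name), seconds), { "timestamp" };
	end
	-- "not not" coerces the stored mark to a plain boolean.
	return ("not not session.firewall_marked_"..idsafe(name));
end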
-- Result of loading this file: the table of condition handler functions
-- defined above, keyed by condition name (TIME, LIMIT, ORIGIN_MARKED, ...).
return condition_handlers;