Mercurial > prosody-modules
view mod_restrict_federation/mod_restrict_federation.lua @ 6556:7477e97a9045
mod_firewall: Apply pre-reload state before re-reading config
This change makes load/reload a bit more robust. module.load() runs before
module.restore() and it reads from the config and updates the state (if
needed).
However, after this, module.restore() could run and apply the old state again.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Sun, 24 May 2026 20:03:20 +0100 |
| parents | cfcd2d2f7119 |
| children |
line wrap: on
line source
local jid_node = require "prosody.util.jid".node; local st = require "prosody.util.stanza"; local get_user_role = require "prosody.core.usermanager".get_user_role; function check_outgoing_stanza(event) local origin, stanza = event.origin, event.stanza; if not origin or origin.type ~= "c2s" then -- We only filter user-originated traffic, so -- pass this through. return; end if module:may("xmpp:federate", event) then -- Pass through return; end if stanza.name == "iq" then if stanza.attr.type == "result" or stanza.attr.type == "error" then -- Allow responses to iqs return; end local payload = stanza.tags[1]; -- Allow push notification registration if payload.name == "command" and payload.attr.xmlns == "http://jabber.org/protocol/commands" then -- This should allow Tigase and p2 ad-hoc commands to pass through to push gateways local node = payload.attr.node; if node:match("^register%-") or node:match("^unregister%-") then return; end end end -- Block module:log("debug", "Forbidding outgoing %s stanza from <%s> to <%s>", stanza.name, stanza.attr.from, stanza.attr.to); local err_reply = st.error_reply(event.stanza, "auth", "policy-violation", "Communication with remote domains is not permitted"); origin.send(err_reply); return true; end function check_incoming_stanza(event) local origin, stanza = event.origin, event.stanza; if origin.type ~= "s2sin" then -- We only filter incoming traffic from remote domains -- Pass through return; end if stanza.name == "iq" then if stanza.attr.type == "result" or stanza.attr.type == "error" then -- Allow responses to iqs return; end end local recipient_username = jid_node(stanza.attr.to); if not recipient_username then return; end local recipient_role, role_err = get_user_role(recipient_username, module.host); if not recipient_role then module:log("warn", "Unable to determine recipient role: %s", role_err); -- No idea what the role is, we'll pass it through return; end if recipient_role:may("xmpp:federate") then -- Allowed, pass through return; end -- Block module:log("debug", "Forbidding incoming %s stanza from <%s> to <%s>", stanza.name, stanza.attr.from, stanza.attr.to); local err_reply = st.error_reply(event.stanza, "cancel", "service-unavailable"); origin.send(err_reply); return true; end module:hook("message/bare", check_incoming_stanza, 500); module:hook("message/full", check_incoming_stanza, 500); module:hook("presence/bare", check_incoming_stanza, 500); module:hook("presence/full", check_incoming_stanza, 500); module:hook("iq/bare", check_incoming_stanza, 500); module:hook("iq/full", check_incoming_stanza, 500); module:hook("route/remote", check_outgoing_stanza, 500);
