ejabberd-contrib/mod_filter/README.md

mod_filter - Flexible Filtering by Server Policy
================================================

* Author: Magnus Henoch <henoch@dtek.chalmers.se>
* Copyright (C) 2005 Magnus Henoch


This module allows the admin to specify packet filtering rules using ACL and ACCESS.


ejabberd Patch
--------------

Since ejabberd 19.08, it is necessary to apply a small patch to ejabberd
source code in order to use complex `access_rules` configurations, like the
ones shown in examples 1, 2, 3, 4...

So, apply this patch your ejabberd source code.
As you can see, it only adds a line.
Then recompile ejabberd, reinstall and restart it:

```diff
diff --git a/src/acl.erl b/src/acl.erl
index d13c05601..c2a72fd9f 100644
--- a/src/acl.erl
+++ b/src/acl.erl
@@ -310,6 +310,7 @@ access_rules_validator() ->
       econf:non_empty(
 	econf:options(
 	  #{allow => access_validator(),
+	    '_' => access_validator(),
 	    deny => access_validator()},
 	  []))).
 
--
```


Configuration
-------------

You can modify the default module configuration file like this:

To enable the module:
```yaml
modules:
  mod_filter: {}
```

And you must also add the default access rules:
```yaml
access_rules:
  mod_filter:
    - allow: all
  mod_filter_presence:
    - allow: all
  mod_filter_message:
    - allow: all
  mod_filter_iq:
    - allow: all
```

The configuration of rules is done using ejabberd's ACL and ACCESS,
so you should also study the corresponding section on ejabberd guide.
You can find here several examples that may help you to understand how it works.


Example 1
---------

```yaml
access_rules:
  mod_filter_presence:
    - allow: all
  mod_filter_message:
    - allow: all
  mod_filter_iq:
    - allow: all
  ## Admins can send anything.  Others are restricted in various ways.
  mod_filter:
    - allow: admin
    - restrict_local: local
    - restrict_foreign: all
  ## Local non-admin users can only send messages to other local users.
  restrict_local:
    - allow: local
    - deny: all
  ## Foreign users can only send messages to admins.
  restrict_foreign:
    - allow: admin
    - deny: all
```


Example 2
---------

On this example, the users of a private vhost (`example3.org`) can only chat with themselves,
so that particular vhost will have no connection to the exterior. The other vhosts on the
server are completely unrestricted. The administrators are also unrestricted.

```yaml
## This ejabberd server has three virtual hosts
hosts:
  - "localhost"
  - "example1.org"
  - "example2.org"
  - "example3.org"

## This ACL will match any user or service (MUC, PubSub...) hosted on example3.org
acl:
  ex3server:
    server_glob:
      - "*example3.org"

access_rules:
  mod_filter_presence:
    - allow: all
  mod_filter_message:
    - allow: all
  mod_filter_iq:
    - allow: all
  ## The main mod_filter rule allows any admin, but restricts example3 and the rest of packets
  mod_filter:
    - allow: admin
    - restrict_ex3: ex3server
    - restrict_nonex3: all
  ## This rule, which applies to packets sent from Ex3 non-admin users,
  ## allows packets sent to Ex3 server (packets internal to the vhost) and denies anything else.
  restrict_ex3:
    - allow: ex3server
    - deny: all
  ## This rule, which applies to the rest of packets (the ones that are not sent from Ex3),
  ## allows all packets to admins (allowing replies to stanzas from Ex3 admins),
  ## denies all other access to Ex3, and allows access to anything else.
  restrict_nonex3:
    - allow: admin
    - deny: ex3server
    - allow: all
```


Example 4
---------

This server has two virtual hosts, one with anonymous users. The anonymous users
cannot send or receive presence stanzas from outside their vhost.

```yaml
hosts:
  - "localhost"
  - "anon.localhost.org"

acl:
  anon_user:
    server_glob:
      - "*anon.localhost"

access_rules:
  mod_filter:
    - allow: all
  mod_filter_presence:
    - allow: admin
    - restrict_anon: anon_user
    - restrict_non_anon: all
  restrict_anon:
    - allow: anon_user
    - deny: all
  restrict_non_anon:
    - allow: admin
    - deny: anon_user
    - allow: all
  mod_filter_message:
    - allow: all
  mod_filter_iq:
    - allow: all
```
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			`mod_filter - Flexible Filtering by Server Policy`
			`================================================`
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			`* Author: Magnus Henoch <henoch@dtek.chalmers.se>`
			`* Copyright (C) 2005 Magnus Henoch`
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00

			`This module allows the admin to specify packet filtering rules using ACL and ACCESS.`


Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			`ejabberd Patch`
			`--------------`
Document in mod_filter that it requires patching ejabberd (#289) 2020-04-28 11:20:57 +02:00
			`Since ejabberd 19.08, it is necessary to apply a small patch to ejabberd`
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			source code in order to use complex `access_rules` configurations, like the
Document in mod_filter that it requires patching ejabberd (#289) 2020-04-28 11:20:57 +02:00			`ones shown in examples 1, 2, 3, 4...`

			`So, apply this patch your ejabberd source code.`
			`As you can see, it only adds a line.`
			`Then recompile ejabberd, reinstall and restart it:`

Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```diff
Document in mod_filter that it requires patching ejabberd (#289) 2020-04-28 11:20:57 +02:00			`diff --git a/src/acl.erl b/src/acl.erl`
			`index d13c05601..c2a72fd9f 100644`
			`--- a/src/acl.erl`
			`+++ b/src/acl.erl`
			`@@ -310,6 +310,7 @@ access_rules_validator() ->`
			`econf:non_empty(`
			`econf:options(`
			`#{allow => access_validator(),`
			`+ '_' => access_validator(),`
			`deny => access_validator()},`
			`[]))).`

Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			`--`
			```
Document in mod_filter that it requires patching ejabberd (#289) 2020-04-28 11:20:57 +02:00

Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			`Configuration`
			`-------------`
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00
			`You can modify the default module configuration file like this:`

			`To enable the module:`
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```yaml
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00			`modules:`
			`mod_filter: {}`
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00
			`And you must also add the default access rules:`
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```yaml
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00			`access_rules:`
			`mod_filter:`
			`- allow: all`
			`mod_filter_presence:`
			`- allow: all`
			`mod_filter_message:`
			`- allow: all`
			`mod_filter_iq:`
			`- allow: all`
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00
			`The configuration of rules is done using ejabberd's ACL and ACCESS,`
			`so you should also study the corresponding section on ejabberd guide.`
			`You can find here several examples that may help you to understand how it works.`


Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			`Example 1`
			`---------`
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```yaml
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00			`access_rules:`
			`mod_filter_presence:`
			`- allow: all`
			`mod_filter_message:`
			`- allow: all`
			`mod_filter_iq:`
			`- allow: all`
			`## Admins can send anything. Others are restricted in various ways.`
			`mod_filter:`
			`- allow: admin`
			`- restrict_local: local`
			`- restrict_foreign: all`
			`## Local non-admin users can only send messages to other local users.`
			`restrict_local:`
			`- allow: local`
			`- deny: all`
			`## Foreign users can only send messages to admins.`
			`restrict_foreign:`
			`- allow: admin`
			`- deny: all`
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00

Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			`Example 2`
			`---------`
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			On this example, the users of a private vhost (`example3.org`) can only chat with themselves,
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00			`so that particular vhost will have no connection to the exterior. The other vhosts on the`
			`server are completely unrestricted. The administrators are also unrestricted.`

Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```yaml
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00			`## This ejabberd server has three virtual hosts`
			`hosts:`
			`- "localhost"`
			`- "example1.org"`
			`- "example2.org"`
			`- "example3.org"`

			`## This ACL will match any user or service (MUC, PubSub...) hosted on example3.org`
			`acl:`
			`ex3server:`
			`server_glob:`
			`- "*example3.org"`

			`access_rules:`
			`mod_filter_presence:`
			`- allow: all`
			`mod_filter_message:`
			`- allow: all`
			`mod_filter_iq:`
			`- allow: all`
			`## The main mod_filter rule allows any admin, but restricts example3 and the rest of packets`
			`mod_filter:`
			`- allow: admin`
			`- restrict_ex3: ex3server`
			`- restrict_nonex3: all`
			`## This rule, which applies to packets sent from Ex3 non-admin users,`
			`## allows packets sent to Ex3 server (packets internal to the vhost) and denies anything else.`
			`restrict_ex3:`
			`- allow: ex3server`
			`- deny: all`
			`## This rule, which applies to the rest of packets (the ones that are not sent from Ex3),`
			`## allows all packets to admins (allowing replies to stanzas from Ex3 admins),`
			`## denies all other access to Ex3, and allows access to anything else.`
			`restrict_nonex3:`
			`- allow: admin`
			`- deny: ex3server`
			`- allow: all`
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00

Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			`Example 4`
			`---------`
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00
			`This server has two virtual hosts, one with anonymous users. The anonymous users`
			`cannot send or receive presence stanzas from outside their vhost.`

Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```yaml
Add documentation, default configuration, description 2018-09-18 11:53:09 +02:00			`hosts:`
			`- "localhost"`
			`- "anon.localhost.org"`

			`acl:`
			`anon_user:`
			`server_glob:`
			`- "*anon.localhost"`

			`access_rules:`
			`mod_filter:`
			`- allow: all`
			`mod_filter_presence:`
			`- allow: admin`
			`- restrict_anon: anon_user`
			`- restrict_non_anon: all`
			`restrict_anon:`
			`- allow: anon_user`
			`- deny: all`
			`restrict_non_anon:`
			`- allow: admin`
			`- deny: anon_user`
			`- allow: all`
			`mod_filter_message:`
			`- allow: all`
			`mod_filter_iq:`
			`- allow: all`
Convert modules README.txt to markdown syntax 2022-08-11 13:25:02 +02:00			```