Packet Filter Plugin not working correctly?

Openfire Plugins Packet Filter
1

Looks like there is a bug in PFP (unless I am using it incorrectly)

Openfire Server: 3.70

PFP version: I used .jar under 3.01 document, still showing up as 3.0.0 in Admin Console

Clients used: Spark 2.60 and Pidgin

I am using LDAP to configure User groups.

I have GROUP1 with User1 being a member of the group, and GROUP2 with User2 being a member of that group.

I setup two rules:

Reject from GROUP1 to GROUP2, Packet Type ANY log false

Reject from GROUP2 to GROUP1, Packet Type ANY log false

When I use regular chat - communication is blocked, but if User1 and User2 are in the same Chat Room - communication is not blocked.

when I added two more rules:

Reject from GROUP1 to GROUP2, Packet Type MUC log false

Reject from GROUP1 to GROUP2, Packet Type MUC log false

That does not change anything.

What I need to achieve is that if communication between User1 and User2 is not allowed - it is blocked on all levels.

Thanks.

UPDATE:

When I create a rule:

**Reject from GROUP1 to First-Room1@myconference.service type ANY **

That blocked GROUP1 member from entering the room.

All my room (I have around 60 rooms and around 200 users in 12 groups) are created with strict naming rules enforced:

Example: First-Room1, First-Room2, Second-Room1 e.t.c.

When I try to use a wildcard so my rule looks like:

__Reject from GROUP1 to First-*@myconference.service type ANY __

User is no longer blocked.

I can use that “workaround” but it will result in hundreds of rules that will need to be created.

So my question is updated - how I can be able to enforce “no talk” policy without creating a rule for any possible combination of groups and chatrooms?

2

I fixed the version number so it reflects the correct 3.0.1.

For the other issue I’m afraid the packet filter has no knowledge of who is in the room so a rule that is between two users won’t be applied.

Couple options.

  1. Set the permissions on the chat rooms when they are created. Set the room to members only and define a list of jids that you want in the admin console. You can do this by going to Admin -> Group Chat -> Then clicking on the details of the room.

  2. I could expand the rules definition to accept a regex expression. Probably a good feature to add anyway so you can do more advance filtering.

If you want I could probably add the feature this weekend and let you try it out next week.

Hope that helps.

Cheers,

Nate

3

Hi Nate,

Thanks a lot for the fast reply.

I explored option 1 already and it would not work for two reasons (in my setup)

Reason 1: LDAP is read only (as it should be) thus I do not have flexibility with managing groups/users on Openfire server.

Reason 2: users may change group membership and that would be a management nightmare to adjust all chatroom permissions.

I am really excited about Option 2. If you have time to add this feature I will be a highly devoted tester of that feature

Thanks.

4

Cool. I’ll try and bust out the code sometime this weekend and attach it to this thread.

5

Here it is. To enter a regex select “other” and check the regular expression box.

If this works out well for you, I’ll write some more documentation and release this as 3.0.2.

-Nate
packetFilter.jar (61214 Bytes)

6

Hi Nate, thanks for your help,

when I buid the following rules:

Reject from GROUP1 to First-*@myconference.service type ANY

**
**

and

Reject from GROUP1 to First* type ANY

**
**

**
**

with Regex box selected, but it still allow the user to enter the room.

Am I missing something? What would be the example of regex for this plugin?

Thanks

On the other note (may be due to being a “test” build ) the title under “server settings” changed to pf.summary.title

and “save” / “cancel” buttons look like

???pf.save.edit??? and ???pf.global.cancel???

For some reason I had plugin showing up twice. I removed both instances, restarted service and now it displayed properly

Update2: After 1st edit parts of the post appeared at the wrong place , corrected

7

The code takes the string you enter and makes a Java regular expression from it. For example to match all you could use (.*) which means to group any number of characters. If you google around for Java Regular Expressions you should be able to find the proper docs. I’m not super great at them myself; otherwise I would be more helpful.

8

Here what i see so far from testing 3.02:

Reject message no longer displayed in Spark.

Another functionality bug I found: (unless it by design)

I made two chatrooms GOOD and NOTSOGOOD, I have group GROUP1

I made a rule blocking ANY packet from regex enabled OTHER using filter [Nn]ot.* to GROUP1 (enabled logging)

using java regex tester at http://www.regexplanet.com/simple/index.html

I confirmed that NOTSOGOOD chat matched the filter and GOOD did not.

When I enable the rule, I could not join any room, spark was freezing and gave me a message that conferencing service cannot be reached. in Info log it stated after short delay that both chatrooms were blocked by packetfilter.

Update1:

When I change packet type from ANY to MUC it blocked communication as intended, But ability to block ANY packet will result in much lower number of rules required. (in my case I had to create additional rules to block MUC private chat and Iq).

I have another question about posibility to add an option for the rule to indicate if it one way or two way rule; now I have to create two rules if I want to block communication between user “A” and user “B”, by adding “two way” option to the fisrst rule, it will automaticly create duplicate rule (non visible to admin) that would not require 2nd rule to be created, thus greatly reducing screen clutter and “fat finger” errors? (ouch that was a long sentence.)

9

Blocking “Any” should work fine. I suspect that if the client is freezing like that it is a client side issue. Could you try a different client to see how well it works? Also are you “Rejecting” the packets or “Blocking” them? That could make a difference as well.

Good idea on the symetrical rule creation. Once this regex thing is hammered out I’ll look into adding it.

10

Hi Nate, thanks for your response.

bellow is a summaray of my tests:

client tested: SPARK 2.60

Rule created:

Reject ANY from OTHER (my chat room name regex expression) to GROUP (my groupname) LOG enabled

Behavior:

  1. If I click on allowed group - I can enter it OK.
  2. If I click on blocked group - nothing happened (as expected) but client freeze for 5-10 sec (no hourglass) after timeout I am able to select allowed group.
  3. If I right click on my conference service and select “browse service” client is freezing.

What I observer in the log is the following:

for #1 - nothing (as expected)

for #2 - “rejected packet”

Rejecting packet from (blocked group@myconference)/(my display name) to (my jid)/spark

Rejecting packet from (blocked group@myconference)/(my display name)1 to (my jid)/spark

Rejecting packet from (blocked group@myconference)/(my display name)9 to (my jid)/spark

Then message “Unable to join room at this time: No response from server”

for #3 - same as #2 but for every matched (blocked room)

client tested: Pidgin 2.7.11

No problems: single reject message in a log when trying access blocked group, no delays.

P.S.

I will post a link to this hread in SPARK discussion room as well.

11

Thanks for testing that out. I don’t think there is much I can do from the server side to get Spark to behave correctly. It sounds like you’re still able to achive what you’re after but its just not as nice as it could be.

12

Thanks a lot for adding regex option to the filter, it helped a lot.

13

BUG:

when to and from are OTHER with regex checked:

FROM: [Aa]bc

TO: anything

when you click Save/Edit Rule

[Aa]bc changed to [aa]bc

I tried ABC it become abc, looks like TO string also get converted to lowercase

Functionality question:

Can regex expressions support logical operations within plugin?

Like Reject FROM firstroom**|**secondroom TO group1 Packet Type MUC ? this will help to minimize number of rules

14

The lower case conversion is intended. Openfire jids are always lowercase.

The regex supports whatever java regex supports. I did some quickk testing and this|that|other type stuff should work.

15

Hi Nate,

any plans to add symetrical rule functionality to that plugin? Not trying to be pushy, just need to create about 70 rules - so want to see if there a chance that I do not have to create 140

Thanks

16

Sorry probably too late. I’ve been busy with other projects lately. I’ll try and get to this in the next couple of weeks.