Packet Filter Plugin Readme

Overview

The packet filter plugin allows you to create rules that will block or reject certain packets to the server. If you are upgrading, this version *WILL DELETE ALL YOUR OLD RULES!* I wasn't happy with some of the design of the 1.0 version so I fixed it. The old format of the rules was unworkable with the new and I couldn't find a good way to convert from the old format, sorry.

Group Rule Auto Creation

By default the packet filter plugin will auto-create rules on Shared Group changes ensuring groups can always communicate with each other.
To disable this behaviour set the following Openfire System Property to false:

packetfilter.autocreate.grouprules - true/false

Installation

Copy packetFilter.jar into the plugins directory of your Openfire installation. The plugin will then be automatically deployed. To upgrade to a new version, copy the new packetFilter.jar file over the existing file.

Currently only the following databases are supported :

Postgresql
Mysql
MSSQL
Hsqldb (embedded)
Oracle - I created a schema for this and put it in the database/extra subdirectory of the plugin. I can't get the schema to automatically apply itself when the plugin deploys, it has to be deployed manually

Configuration

The Packet Filter plugin can be configured under "Server"-"Server Settings"-"Packet Filter Rules".

Using the Plugin - Creating Rules

Actions

Actions come in 3 types Pass, Drop and Reject.

Pass - This will allow the packet to be delivered normally.
Drop - This will silently drop the packet without notifying the sender.
Reject - This rule tries to notify the person who sent it that their message was rejected. There are a couple issues with this. First, not all clients handle forbidden packet condition. The notification of users that their packet was rejected is therefore pretty spotty, your mileage may vary. This rule has 2 configurable options that can be set in the system properties screen :

1. pf.rejectMessage : Defaults to "Your message was rejected by the packet filter".
2. pf.rejectSubject : Defaults to "Rejected"
3. pf.From : Defaults to "packetFilter".

Disable

This allows you to quickly disable a rule without deleting it. Disabled rules will still appear on the main rule page but will have a strike through like so :

Packet Type

This specifies what type of packets you want to disable your choices are :

Message - Regular old message.
Presence - Presence Info.
IQ - Used to transfer most other data.
MUC - Multi User Chat, chat rooms.
MUC Private Message - A private message within a chat room
Any - All of the above

From

This specifies the source base JID. Currently resource specific rules aren't supported. The options for specifying a source are :

Any - Just like it sounds, if the source is anything.
User - These are all the local users defined on your Openfire server, all user accounts.
Group - All groups defined on your server. The source will match if the sender is a member of the specified group or if Any Group is selected will match members in any group.
Other - This will let you specify a free form JID. (test@example.com). One wild card can be specified to do a whole domain e.g. *@example.com.

To

This specifies the destination base JID. The options for selecting the destination JID are the same as above.

Log

This prints a message to the info.log when the rule is executed. This is recommend only for trouble shooting as it can fill up the logs pretty quickly in production environments. Some example output :

Rejecting packet from bart@nate-putnams-computer.local/Adium to lisa@nate-putnams-computer.local/Psi

Description

Leave yourself a note so you can remember why you wrote the rule in the first place. :)

Changing Rule Order

The first rule that matches an incoming packet will be executed. For example consider the following rules :

Here we don't want any of the Simpson's talking to each other so every message from members of the Simpson group to each other are dropped. However, Marge and Homer should be able to talk to each other. To accomplish this rules allowing Homer to send message packets to Marge and vice versa are placed before the drop rule. New rules are automatically appended to the rule list. Rules can be moved at anytime using the arrows in the UI. When a rule is moved the changes take effect immediately.

Known Issues

Selectable components are only loaded when the plugin is initialized. If you add a component (AIM Transport etc..), it won't appear in the rule form until the server or plugin is restarted.

2.0 will delete all your 1.0 rules.

Clustering - I haven't tested this plugin in a cluster. I've added some support for it so that rules *should* be synced across all nodes but I haven't tested it. 2.1 will contain more clustering goodness.