Packet Filtering

%ents; ]>

Packet Filtering A framework for packet filtering rules. &LEGALNOTICE; 0062 Deferred Informational Standards XMPP Core XEP-0030 Not yet assigned Robert Norris rob@cataclysm.cx rob@cataclysm.cx 0.2.1 2018-11-03 pep Fix a bunch of typos, batch-style. 0.2 2003-09-30 psa At the request of the author, changed the status of this document to Deferred pending development of an implementation; also changed the type to Informational. 0.1 2002-12-05 rn Initial version.

Traditionally, the &jabberd; server included an internal server module called "mod_filter", which provided a packet filtering facility for users. That service had the following problems:

The service and protocol were undocumented, apart from some documentation reverse-engineered from the source code.
The processing requirements that the service required made it unusable for large installations.
Bugs in the service often caused the Jabber server to crash.

The most common use for this service was to provide server-side blacklists. Unforuntately, mod_filter was overpowered even by this relatively simple form of packet filtering (matching the sending JID and dropping the packet if necessary), so this need has been neatly filled by &xep0016;.

However, packet filtering (as opposed to the subset of JID blacklisting) is still of use, for the following tasks:

Setting up automatic responses to messages (e.g., "vacation" messages).
Redirecting packets to another JID.
Modifying the contents of a packet in-transit (e.g., language translation, adding <x/> data).
Force incoming messages to be stored offline (e.g., for low-bandwidth clients).

This document proposes a modular, extensible framework for specifying packet filtering rules. This document does not, however, propose any specific filter conditions or actions - that is left to other proposals.

The framework itself operates in the "http://jabber.org/protocol/filter" namespace.

The following definitions are used throughout this document:

ruleset - a set of filtering rules.
rule - a set of conditions with an associated action.
condition - an expression (or set of expressions) that, when applied to a packet, is either true or false.
action - a task that may be performed on a packet.

A single rule is be expressed in XML like so:

[conditionexpr] [actionspec] ]]>

A rule is processed by applying its condition to the packet. If the condition is true, then the action is taken. The "description" attribute is provided so a rule generator can assign a meaningful and user-readable description of a rule.

A ruleset is be expressed in XML like so:

[conditionexpr] [actionspec] [conditionexpr] [actionspec] [conditionexpr] [actionspec] ]]>

A ruleset is processed by applying each rule to the packet, one at a time. Processing of the ruleset stops after the first matching rule is found and its action taken, unless the "continue" attribute is found on the matched rule, in which case the remaining rules get processed as though the current rule did not match. If no rules match, packet processing continues as though no rules were specified.

If the <condition/> element contains no condition expression, then the rule matches all packets.

A ruleset does not have to contain any rules:

]]>

Conditions may be aggregated using AND or OR modifiers, like so:

[conditionexpr1] [conditionexpr2] [conditionexpr3] [conditionexpr4] ]]>

The above example is equivalent to "conditionexpr1 AND conditionexpr2 AND (conditionexpr3 OR conditionexpr4)".

No such aggregation exists for actions - only a single action expression may be included within an <action/> element.

A filter module is a document that defines conditions and/or actions that can be use by this framework. Each module should have its own namespace, and should clearly define the effect of each condition and action it defines.

Consider a hypothetical module that defines conditions that match packets based on their header information. It might use the namespace "http://jabber.org/protocol/filter/header" and might define the following conditions:

<to/> - true when the CDATA of this element matches the "to" attribute of the packet.
<from/> - true when the CDATA of this element matches the "from" attribute of the packet.
<type/> - true when the CDATA of this element matches the "type" attribute of the packet.

Equally, consider a hypothetical module that defines actions for redirecting messages. It might use the namespace "http://jabber.org/protocol/filter/redirect" and might define the following conditions:

<redirect/> - redirects the packet to the JID specified in the CDATA of this element.
<copy/> - sends a copy of the packet to the JID specified in the CDATA of this element, while giving the original packet to the user.

These two modules might be combined to produce a ruleset like the following:

friend@theirisp.com me@home.com ]]>

Using modules in this way enables this framework to be easily extended to support new types of filtering, as well as enabling site administrators to select the types of functionallity that are best suited to their site.

It will not always be appropriate for a service to provide a Jabber-based interface to its filter settings (e.g., in the case of an XML router, it will almost always be more appropriate to limit the specification of rules and rulesets to the router configuration). However, this will be appropriate sometimes (e.g., a session manager providing per-user packet filtering). In these cases, the following protocol should be used.

An entity may find out if a service supports filtering, and the modules it supports, by issuing a discovery request to the service:

]]> ]]>

An entity may set the filter ruleset for an entity (which may be itself) like so:

friend@theirisp.com me@home.com spammer@badsite.com abuse@company.com ]]>

On success, the service returns:

]]>

On error, the server returns the original packet with an appropriate error:

friend@theirisp.com me@home.com spammer@badsite.com abuse@company.com Forbidden ]]>

An entity may retrieve the filter ruleset for an entity (which may be itself) like so:

]]>

If the requesting entity has permissions to view the ruleset, the server must return the ruleset to the entity:

friend@theirisp.com me@home.com spammer@badsite.com abuse@company.com ]]>

On error, the server returns the original packet with an appropriate error:

Forbidden ]]>

Possible errors are:

Code	Text	Description
403	Forbidden	The sender does not have permission to modify the ruleset for this entity.
404	Not Found	The entity does not exist.

Ruleset processing should be the first thing that a service does when it receives a packet - even before processing privacy rules per XEP-0016.

Rules must be processed in the order they are given, and must be returned to a requesting entity in the same order.

There are no security features or concerns related to this proposal.

This document requires no interaction with the IANA.

No namespaces or parameters need to be registered with JANA as a result of this document.