s2s (server-to-server) Filtering

I believe this is already being addressed as a feature request:
http://www.jabber.ru/bugzilla/show_bug.cgi?id=42

but I was hoping some of the ejabberd experts could chime in with a possible workaround...

I have two domains: domainX.com and domainY.com. I'd like to implement the following logic:

Users at domainX.com can chat to anyone.
Users at domainY.com can send/receive IMs only to fellow users at domainY.com.

I have ejabberd set up with two virtual domains, and an admin user for each. I have the following per-domain ACLs in the GUI:

domainX.com:
None

domainY.com:
acl domainY user *@domainy.com
access globalrule [{allow,domainY},{deny, all}]

Am I correct in assuming that these ACLs are strictly used in the context of c2s communications? Seems like no matter what I try, I cannot get certain rules to prevent specific cross-realm traffic; it's sort of "all or nothing." Unfortunately, we have specific policies as to which users can communicate outside of their domain, therefore this functionality must be operational before any real deployment.

Searching the forums led to some API named filter_packet, but I was unable to find any further info on this interface. Hopefully there's a simple approach that can mitigate this issue. Any suggestions would be highly appreciated!

Thanks,
-Dave

I think you need filter_packet

Am I correct in assuming that these ACLs are strictly used in the context of c2s communications?

Let's see what you get when you do this:

%% Both virtual hosts served by this ejabberd instance.
{hosts, ["domainx.com", "domainy.com"]}.

%% ACL matching every user whose JID is at domainy.com.
{acl, domainy, [{user, "*@domainy.com"}]}.

%% Per-host override: the host name must match an entry in {hosts, ...}.
{host_config, "domainy.com", [
  {access, c2s, [{allow, domainy}, {deny, all}]}
]}.

%% The c2s listener applies the "c2s" access rule to incoming client sessions.
{listen, [
  {5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}]},
  ...
]}.

With this config, ejabberd will only accept C2S connections on port 5222 to 'domainy.com' if the user is from 'domainy.com'. As you can see, this is normal behaviour, not a restriction at all.

I guess that you want:

  • packets sent to the server by domainy.com users are checked individually and...
  • if the packet is sent to a JID with server not equal to 'domainy.com' then...
  • then the packet is discarded,
  • else the packet is sent as usual.

Maybe filter_packet can be used to do this, but you must know it's a hook, not a configuration option. So, it's meant to be used to code filters into ejabberd, it's not a filter in itself.

One possible implementation: a new module that allows filtering packets by the sender's server and/or receiver's server. That module registers to that hook, and can be configured on ejabberd.cfg.
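The module sketched in the reply above, written out as an added example; it is not part of this thread and not ejabberd's own code. It targets the ejabberd 2.x API the thread is using (ejabberd.cfg, gen_mod, #jid records from jlib.hrl, the filter_packet hook that ejabberd_router:route runs as a fold over {From, To, Packet}). The module name mod_domain_filter, the option name restricted_domains and the ets table name are assumptions. It goes a little beyond the bullet list: besides discarding stanzas that domainy.com users send outside their domain, it also discards stanzas addressed to them from other domains, which is what the "send/receive" requirement in the original post asks for.

```erlang
%% mod_domain_filter.erl -- added example (ejabberd 2.x style), not project code.
%% Confines users of configured "restricted" domains to traffic within their
%% own realm by hooking filter_packet, the hook mentioned in this thread.
-module(mod_domain_filter).
-behaviour(gen_mod).

-export([start/2, stop/1, filter_packet/1]).

-include("ejabberd.hrl").
-include("jlib.hrl").

%% Hypothetical table name: holds the nameprepped restricted domains.
-define(TABLE, mod_domain_filter_domains).

%% start/2 runs once per virtual host that lists this module. filter_packet
%% is a global hook (it runs in ejabberd_router:route for every stanza), so it
%% is registered with Host = global; ejabberd_hooks ignores duplicate adds.
start(Host, Opts) ->
    catch ets:new(?TABLE, [named_table, public, set]),
    %% "restricted_domains" is an assumed option name; it defaults to the
    %% host the module is loaded on.
    Restricted = gen_mod:get_opt(restricted_domains, Opts, [Host]),
    lists:foreach(fun(D) -> ets:insert(?TABLE, {jlib:nameprep(D)}) end,
                  Restricted),
    ejabberd_hooks:add(filter_packet, global, ?MODULE, filter_packet, 50),
    ok.

%% Removing the global hook disables filtering for all hosts, so only stop
%% the module on the last host that uses it.
stop(_Host) ->
    ejabberd_hooks:delete(filter_packet, global, ?MODULE, filter_packet, 50),
    catch ets:delete(?TABLE),
    ok.

%% Hook callback. The fold accumulator is either {From, To, Packet} with
%% #jid records, or the atom drop left behind by an earlier filter; return
%% the tuple to let the stanza through, or drop to discard it silently.
filter_packet(drop) ->
    drop;
filter_packet({From, To, _Packet} = Input) ->
    case crosses_boundary(From#jid.lserver, To#jid.lserver) of
        true ->
            ?INFO_MSG("dropping cross-domain stanza from ~s to ~s",
                      [jlib:jid_to_string(From), jlib:jid_to_string(To)]),
            drop;
        false ->
            Input
    end.

%% A stanza crosses the boundary when either endpoint belongs to a
%% restricted domain and the other endpoint lies outside that realm.
crosses_boundary(FromServer, ToServer) ->
    (restricted(FromServer) andalso not same_realm(FromServer, ToServer))
    orelse
    (restricted(ToServer) andalso not same_realm(ToServer, FromServer)).

restricted(Server) ->
    ets:member(?TABLE, Server).

%% The server itself ("domainy.com" with no user part) and its components
%% (conference.domainy.com, pubsub.domainy.com, ...) count as inside the
%% realm, otherwise roster pushes, MUC and pubsub traffic would be dropped.
same_realm(Domain, Other) ->
    Other =:= Domain orelse lists:suffix("." ++ Domain, Other).
```

To enable it only for the restricted host, add `{mod_domain_filter, [{restricted_domains, ["domainy.com"]}]}` to the modules list inside the `{host_config, "domainy.com", [...]}` block of ejabberd.cfg. Because the hook sits in ejabberd_router:route, it sees both local routing and traffic headed for s2s, which is exactly the gap the c2s ACLs leave. Dropped stanzas produce no error reply, so senders get no feedback; if that is undesirable, the `true` branch could route back an error built with jlib:make_error_reply instead of returning drop.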

I think I'm going to need to

I think I'm going to need to write my own filter. Something that can basically strip out the XML and perform routing verification. I sense this is going to be a daunting task....

I've tried to implement this

I have made an attempt at implementing this, and attached it to the bugzilla entry. Comments and testing welcome...
