mod-match — format of mod-match component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the mod-match component configuration.
Repeatable sections/items are marked by the '*' before the section/item name.
Configuration directives have attributes of several value types. For a description of the basic types, see configuration(7).
An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case the enumeration description lists the value of every name (in parentheses next to the name). For the other enumerations, the names must be used.
The following enumerations are used in mod-match configuration directives:
data-match-action (name-usage obligatory)
Types of action done for matching data.
pass
Starts passing the received data. Continues executing other tests.
accept
Accepts the data and stops further scanning, regardless of any tests specified as REQUIRE. No more tests are executed.
deny
Does not pass any data, immediately stops processing and commands the proxy to report an error. No more tests are executed.
require
Requires matching data to appear in the data stream. If scanning reaches the end of data or maximum size of scanned data without a match, the module stops processing, does not pass any data and commands the proxy to report an error. Continues to following tests even after a match.
html-save
Interprets data as HTML form data in application/x-www-form-urlencoded encoding and saves the values of controls with matching names to a text file.
html-hash
Interprets data as HTML form data and saves hashes of values of controls with matching names in a database file.
html-alert
Interprets data as HTML form data and checks whether any controls have values corresponding to hashes stored by some HTML-HASH action. If the check succeeds, logs alert and optionally does not pass any data, stops processing and commands the proxy to report an error. No more tests are executed.
html-replace
Interprets data as HTML form data and replaces selected controls values with values computed from it using a lookup table.
html-replace-radius
Extension of HTML-REPLACE: the password control contains a combination of the internal password and the radius password. Radius authentication is performed before the lookup is done.
Configuration of the mod-match library component consists of the following prototypes:

* data-match name { ... }

data-match name {
    max-size ... ;
    init-match ... ;
    max-match ... ;
    step-size ... ;
    step-match ... ;
    * test ... ;
}
Matching of data transferred by a proxy. Data are passed further by the module only if they pass the specified TESTs.
max-size [bytes];
    The module performs the last matching attempt after reading this amount of data (or after it reaches the end of data). The module then makes the final decision about the scanned data and terminates its operation. It does not process the following data.
    bytes (type: uint32, optional, default: 512)

init-match [bytes];
    The module performs PASS tests within this amount of received data. No more PASS tests are executed afterwards.
    bytes (type: uint32, optional, default: 0)

max-match [bytes];
    The maximum length of the matching piece of data. The module keeps this amount of data in the input buffer.
    bytes (type: uint32, optional, default: 0)

step-size bytes;
    Until the module's operation terminates, matching is repeated each time STEP-SIZE additional bytes are read or STEP-MATCH matches. If STEP-MATCH is not specified, the default value of STEP-SIZE is 1 byte. Otherwise, if STEP-SIZE is not set, the default is to repeat matching according to STEP-MATCH.
    bytes (type: uint32)

step-match cond [back];
    Until the module's operation terminates, matching is repeated each time STEP-SIZE additional bytes are read or STEP-MATCH matches.
    cond (type: str-set) Matching condition.
    back (type: uint32, optional, default: 0) Match against this many bytes back in the data read earlier, plus any newly received data.
test pass match [match-data-mime];
test accept match [match-data-mime];
test deny match [match-data-mime];
test require match [match-data-mime];
test html-save match file [store-orig];
test html-hash match file;
test html-alert file [deny];
test html-replace controls file [report-controls report-controls] [keep-not-found] [replace-not-found replace-not-found];
test html-replace-radius controls file [report-controls report-controls] [keep-not-found] [replace-not-found replace-not-found] radius radius radius-delimiter radius-delimiter;
    A single matching test of transferred data.
    (type: data-match-action) The first word after test is the action done if data match.
    match (type: str-set) Strings for matching.
    match-data-mime (type: key, optional) Match the detected MIME type instead of the actual data.
    controls (type: str-list) Selection of HTML form control names for replacement.
    file (type: str) A data file.
    report-controls (type: str-list, optional, default: <NULL>) Selection of HTML form control names whose values are logged and passed to the executed programs.
    store-orig (type: key, optional) Store also the original value before hashing. This may be a security threat if HTML-HASH/HTML-ALERT is used for sensitive data, like passwords.
    deny (type: key, optional) Do not pass data if matched.
    keep-not-found (type: key, optional) If set and replacement values are not found in the lookup table, pass the selected HTML form controls unchanged. Otherwise, the values of the selected controls are deleted.
    replace-not-found (type: str, optional, default: <NULL>) If set and replacement values are not found in the lookup table, replace the values of the selected HTML form controls with this value.
    radius (type: name of radius-client, see radius(5)) Radius client configuration to be used for authentication. The first form control (see element CONTROLS) is implicitly used as the username. The second form control (see element CONTROLS) is implicitly used as a combination of its internal value and the radius password (see element RADIUS-DELIMITER).
    radius-delimiter (type: str) A single character used as the delimiter between the internal password and the radius password. The last occurrence of the delimiter is used. If the delimiter is not present in the particular password, the whole password text is interpreted as the radius password.

Only one of the elements KEEP-NOT-FOUND and REPLACE-NOT-FOUND may be specified.
CONTROLS must contain at least 2 items if the HTML-REPLACE-RADIUS action is used.
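The HTML-form actions (HTML-SAVE, HTML-HASH, HTML-ALERT, HTML-REPLACE) and the delimiter rule of HTML-REPLACE-RADIUS are modelled below. This Python block is an added example for this page, not Kernun code; the function names, the choice of SHA-256 as the hash stored by HTML-HASH, an in-memory set standing in for the database file, and sending a "deleted" control value as an empty value are all assumptions of the example. The sample form bodies are constructed.

```python
# Added example for this man page: a Python model of the HTML-form actions
# (HTML-SAVE, HTML-HASH, HTML-ALERT, HTML-REPLACE) and of the password split
# done by HTML-REPLACE-RADIUS. It is NOT Kernun code. Assumptions of this
# example: the function names, SHA-256 as the hash stored by HTML-HASH, an
# in-memory set as the "database file", and that a deleted control value is
# sent as an empty value.
import hashlib
from urllib.parse import parse_qsl, urlencode


def parse_form(body: bytes) -> dict:
    """Interpret a body as application/x-www-form-urlencoded form data."""
    return dict(parse_qsl(body.decode("latin-1"), keep_blank_values=True))


def html_save(body: bytes, match: set) -> dict:
    """HTML-SAVE: the values of the controls whose names match."""
    return {k: v for k, v in parse_form(body).items() if k in match}


def value_hash(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def html_hash(body: bytes, match: set, db: set) -> set:
    """HTML-HASH: store hashes (never the plaintext) of matching values."""
    for v in html_save(body, match).values():
        db.add(value_hash(v))
    return db


def html_alert(body: bytes, db: set, deny: bool = False):
    """HTML-ALERT: (alert raised, data passed, offending control names).
    Any control, whatever its name, whose value hashes to a stored hash
    triggers the alert; with the DENY key set the data is also stopped."""
    hits = [k for k, v in parse_form(body).items() if value_hash(v) in db]
    return bool(hits), not (hits and deny), hits


def html_replace(body: bytes, controls: list, table: dict,
                 keep_not_found: bool = False, replace_not_found=None) -> str:
    """HTML-REPLACE: replace selected control values through a lookup table."""
    if keep_not_found and replace_not_found is not None:
        raise ValueError("only one of keep-not-found and replace-not-found")
    form = parse_form(body)
    for name in controls:
        if name not in form:
            continue
        if form[name] in table:
            form[name] = table[form[name]]
        elif keep_not_found:
            continue
        elif replace_not_found is not None:
            form[name] = replace_not_found
        else:
            form[name] = ""   # assumption: "deleted" value sent as empty
    return urlencode(form)


def split_radius_password(password: str, delimiter: str):
    """HTML-REPLACE-RADIUS: (internal password, radius password).
    The last occurrence of the delimiter splits the text; if it is absent,
    the whole text is the radius password and the internal part is empty."""
    if len(delimiter) != 1:
        raise ValueError("radius-delimiter must be a single character")
    idx = password.rfind(delimiter)
    if idx < 0:
        return "", password
    return password[:idx], password[idx + 1:]


if __name__ == "__main__":
    # Constructed sample: learn a password hash from an internal login form,
    # then catch the same password being submitted to another form.
    db = html_hash(b"user=alice&password=Winter2024", {"password"}, set())
    print(html_alert(b"login=bob&pass=Winter2024", db, deny=True))
    print(split_radius_password("intern|al|otp123", "|"))
```

Note that HTML-ALERT compares hashes, so it detects a reused credential regardless of the control name the second form uses; this is also why STORE-ORIG is dangerous with password fields, since it would keep the plaintext next to the hash.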
[End of section data-match description.]