MXS-1346: Allow combination of function and columns rules

The `function` type rule can now be combined with the `columns` type rule
to form a new rule which matches if specific columns use specific
functions.
Markus Mäkelä
2017-09-05 09:20:55 +03:00
parent a955e4a623
commit 1fcf4ef59a
6 changed files with 113 additions and 4 deletions


@ -104,11 +104,11 @@ logged. The log messages are logged at the notice level.
The rules are defined by using the following syntax:
```
rule NAME deny { wildcard | columns VALUE... |
regex REGEX | limit_queries COUNT TIMEPERIOD HOLDOFF |
no_where_clause} [at_times VALUE...] [on_queries [select|update|insert|delete|grant|revoke|drop|create|alter|use|load]]
rule NAME deny RULE [at_times VALUE...] [on_queries {select|update|insert|delete|grant|revoke|drop|create|alter|use|load}]
```
Where _NAME_ is the identifier for this rule and _RULE_ is the mandatory rule definition.
Rules are identified by their name and have mandatory parts and optional parts.
You can add comments to the rule files by adding the `#` character at
the beginning of the line. Trailing comments are not supported.
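Review bot: The generic synopsis `rule NAME deny RULE ...` no longer tells the reader which rule types are valid, and the sentence "_RULE_ is the mandatory rule definition" does not point anywhere. Add a short list of the accepted rule types, or a reference to the sections that define them, directly after that sentence. The enumerated form shown next to it lists only `wildcard`, `columns`, `regex`, `limit_queries` and `no_where_clause`, so if it is meant to stay in the document it should be completed or dropped rather than left beside the generic form. Someone writing a deny rule from the synopsis alone needs to see every allowed form, because a rule written in the wrong form will not block the queries it was meant to block.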
@ -197,6 +197,20 @@ Deny function usage with _name_ and _address_ columns:
rule examplerule deny uses_function name address
```
#### `function` and `columns`
This rule combines the `function` and `columns` type rules to match if one
of the listed columns uses one of the listed functions. The rule expects
the `function` and `columns` keywords both followed by a list of values.
##### Example
Deny use of the _sum_ function with _name_ or _address_ columns:
```
rule examplerule deny function sum columns name address
```
#### `regex`
This rule blocks all queries matching a regex enclosed in single or double
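Review bot: The description in the new `function` and `columns` section, "match if one of the listed columns uses one of the listed functions", does not define what "uses" means, and for a deny rule that decides what gets blocked. State whether the column must be a direct argument of the function, whether a nested call such as another function wrapped around the column inside `sum(...)` counts, and whether a query that has a listed function and a listed column in unrelated expressions matches. Also document that the `function` list must come before the `columns` keyword if the order is fixed, and add a sentence contrasting this rule with `uses_function name address` just above it, since that rule takes column names while `function` here takes function names and the two are easy to confuse.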