屏蔽词功能ok

admin_blocking_routes.go

@@ -30,7 +30,14 @@ type forbiddenWordBlockingRequest struct {
 	Enabled       bool   `json:"enabled"`
 }
 
-func registerAdminBlockingRoutes(r gin.IRouter, store *store) {
+func registerAdminBlockingRoutes(r gin.IRouter, store *store, blocking *blockingCache) {
+	reloadBlocking := func() error {
+		if blocking == nil {
+			return nil
+		}
+		return blocking.Reload(store)
+	}
+
 	r.GET("/blocking/nodes", func(c *gin.Context) {
 		opts, ok := parseListOptions(c)
 		if !ok {
@@ -51,7 +58,7 @@ func registerAdminBlockingRoutes(r gin.IRouter, store *store) {
 			return
 		}
 		row, err := store.CreateNodeBlocking(req.NodeID, req.NodeNum, req.Reason, req.Enabled)
-		writeBlockingMutationResponse(c, http.StatusCreated, row, err, nodeBlockingDTO)
+		writeBlockingMutationResponse(c, http.StatusCreated, row, err, nodeBlockingDTO, reloadBlocking)
 	})
 	r.PUT("/blocking/nodes/:id", func(c *gin.Context) {
 		id, ok := parseBlockingID(c)
@@ -64,14 +71,14 @@ func registerAdminBlockingRoutes(r gin.IRouter, store *store) {
 			return
 		}
 		row, err := store.UpdateNodeBlocking(id, req.NodeID, req.NodeNum, req.Reason, req.Enabled)
-		writeBlockingMutationResponse(c, http.StatusOK, row, err, nodeBlockingDTO)
+		writeBlockingMutationResponse(c, http.StatusOK, row, err, nodeBlockingDTO, reloadBlocking)
 	})
 	r.DELETE("/blocking/nodes/:id", func(c *gin.Context) {
 		id, ok := parseBlockingID(c)
 		if !ok {
 			return
 		}
-		writeBlockingDeleteResponse(c, store.DeleteNodeBlocking(id))
+		writeBlockingDeleteResponse(c, store.DeleteNodeBlocking(id), reloadBlocking)
 	})
 
 	r.GET("/blocking/ips", func(c *gin.Context) {
@@ -94,7 +101,7 @@ func registerAdminBlockingRoutes(r gin.IRouter, store *store) {
 			return
 		}
 		row, err := store.CreateIPBlocking(req.IPValue, req.Reason, req.Enabled)
-		writeBlockingMutationResponse(c, http.StatusCreated, row, err, ipBlockingDTO)
+		writeBlockingMutationResponse(c, http.StatusCreated, row, err, ipBlockingDTO, reloadBlocking)
 	})
 	r.PUT("/blocking/ips/:id", func(c *gin.Context) {
 		id, ok := parseBlockingID(c)
@@ -107,14 +114,14 @@ func registerAdminBlockingRoutes(r gin.IRouter, store *store) {
 			return
 		}
 		row, err := store.UpdateIPBlocking(id, req.IPValue, req.Reason, req.Enabled)
-		writeBlockingMutationResponse(c, http.StatusOK, row, err, ipBlockingDTO)
+		writeBlockingMutationResponse(c, http.StatusOK, row, err, ipBlockingDTO, reloadBlocking)
 	})
 	r.DELETE("/blocking/ips/:id", func(c *gin.Context) {
 		id, ok := parseBlockingID(c)
 		if !ok {
 			return
 		}
-		writeBlockingDeleteResponse(c, store.DeleteIPBlocking(id))
+		writeBlockingDeleteResponse(c, store.DeleteIPBlocking(id), reloadBlocking)
 	})
 
 	r.GET("/blocking/words", func(c *gin.Context) {
@@ -137,7 +144,7 @@ func registerAdminBlockingRoutes(r gin.IRouter, store *store) {
 			return
 		}
 		row, err := store.CreateForbiddenWordBlocking(req.Word, req.MatchType, req.CaseSensitive, req.Reason, req.Enabled)
-		writeBlockingMutationResponse(c, http.StatusCreated, row, err, forbiddenWordBlockingDTO)
+		writeBlockingMutationResponse(c, http.StatusCreated, row, err, forbiddenWordBlockingDTO, reloadBlocking)
 	})
 	r.PUT("/blocking/words/:id", func(c *gin.Context) {
 		id, ok := parseBlockingID(c)
@@ -150,14 +157,14 @@ func registerAdminBlockingRoutes(r gin.IRouter, store *store) {
 			return
 		}
 		row, err := store.UpdateForbiddenWordBlocking(id, req.Word, req.MatchType, req.CaseSensitive, req.Reason, req.Enabled)
-		writeBlockingMutationResponse(c, http.StatusOK, row, err, forbiddenWordBlockingDTO)
+		writeBlockingMutationResponse(c, http.StatusOK, row, err, forbiddenWordBlockingDTO, reloadBlocking)
 	})
 	r.DELETE("/blocking/words/:id", func(c *gin.Context) {
 		id, ok := parseBlockingID(c)
 		if !ok {
 			return
 		}
-		writeBlockingDeleteResponse(c, store.DeleteForbiddenWordBlocking(id))
+		writeBlockingDeleteResponse(c, store.DeleteForbiddenWordBlocking(id), reloadBlocking)
 	})
 }
 
@@ -170,7 +177,7 @@ func parseBlockingID(c *gin.Context) (uint64, bool) {
 	return id, true
 }
 
-func writeBlockingMutationResponse[T any](c *gin.Context, status int, row *T, err error, convert func(T) gin.H) {
+func writeBlockingMutationResponse[T any](c *gin.Context, status int, row *T, err error, convert func(T) gin.H, afterSuccess func() error) {
 	if errors.Is(err, errBlockingAlreadyExists) {
 		c.JSON(http.StatusConflict, gin.H{"error": "blocking rule already exists"})
 		return
@@ -183,10 +190,16 @@ func writeBlockingMutationResponse[T any](c *gin.Context, status int, row *T, er
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}
+	if afterSuccess != nil {
+		if err := afterSuccess(); err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "blocking rule saved but cache reload failed: " + err.Error()})
+			return
+		}
+	}
 	c.JSON(status, gin.H{"item": convert(*row)})
 }
 
-func writeBlockingDeleteResponse(c *gin.Context, err error) {
+func writeBlockingDeleteResponse(c *gin.Context, err error, afterSuccess func() error) {
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		c.JSON(http.StatusNotFound, gin.H{"error": "blocking rule not found"})
 		return
@@ -195,6 +208,12 @@ func writeBlockingDeleteResponse(c *gin.Context, err error) {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
 	}
+	if afterSuccess != nil {
+		if err := afterSuccess(); err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "blocking rule deleted but cache reload failed: " + err.Error()})
+			return
+		}
+	}
 	c.JSON(http.StatusOK, gin.H{"status": "ok"})
 }
 

blocking_cache.go

@@ -0,0 +1,212 @@
+package main
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"strings"
+	"sync"
+)
+
+type blockingCache struct {
+	mu       sync.RWMutex
+	nodes    map[string]struct{}
+	nodeNums map[int64]struct{}
+	ips      map[string]struct{}
+	cidrs    []*net.IPNet
+	words    []forbiddenWordRule
+}
+
+type forbiddenWordRule struct {
+	word          string
+	foldedWord    string
+	matchType     string
+	caseSensitive bool
+}
+
+func newBlockingCache(store *store) (*blockingCache, error) {
+	cache := &blockingCache{}
+	if err := cache.Reload(store); err != nil {
+		return nil, err
+	}
+	return cache, nil
+}
+
+func (c *blockingCache) Reload(store *store) error {
+	if store == nil {
+		return fmt.Errorf("store is required")
+	}
+
+	nodeRows, err := store.ListEnabledNodeBlocking()
+	if err != nil {
+		return err
+	}
+	ipRows, err := store.ListEnabledIPBlocking()
+	if err != nil {
+		return err
+	}
+	wordRows, err := store.ListEnabledForbiddenWordBlocking()
+	if err != nil {
+		return err
+	}
+
+	nodes := make(map[string]struct{}, len(nodeRows))
+	nodeNums := make(map[int64]struct{}, len(nodeRows))
+	for _, row := range nodeRows {
+		nodeID := strings.TrimSpace(row.NodeID)
+		if nodeID != "" {
+			nodes[nodeID] = struct{}{}
+		}
+		if row.NodeNum != nil {
+			nodeNums[*row.NodeNum] = struct{}{}
+		}
+	}
+
+	ips := make(map[string]struct{}, len(ipRows))
+	cidrs := make([]*net.IPNet, 0, len(ipRows))
+	for _, row := range ipRows {
+		value := strings.TrimSpace(row.IPValue)
+		if value == "" {
+			continue
+		}
+		if ip := net.ParseIP(value); ip != nil {
+			ips[ip.String()] = struct{}{}
+			continue
+		}
+		if _, ipNet, err := net.ParseCIDR(value); err == nil {
+			cidrs = append(cidrs, ipNet)
+		}
+	}
+
+	words := make([]forbiddenWordRule, 0, len(wordRows))
+	for _, row := range wordRows {
+		word := strings.TrimSpace(row.Word)
+		if word == "" || row.MatchType != forbiddenWordMatchContains {
+			continue
+		}
+		words = append(words, forbiddenWordRule{word: word, foldedWord: strings.ToLower(word), matchType: row.MatchType, caseSensitive: row.CaseSensitive})
+	}
+
+	c.mu.Lock()
+	c.nodes = nodes
+	c.nodeNums = nodeNums
+	c.ips = ips
+	c.cidrs = cidrs
+	c.words = words
+	c.mu.Unlock()
+	return nil
+}
+
+func (c *blockingCache) IsNodeBlocked(nodeID any, nodeNum any) bool {
+	if c == nil {
+		return false
+	}
+	id, _ := nodeID.(string)
+	num, hasNum := blockingInt64FromAny(nodeNum)
+
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	if id != "" {
+		if _, ok := c.nodes[id]; ok {
+			return true
+		}
+	}
+	if hasNum {
+		_, ok := c.nodeNums[num]
+		return ok
+	}
+	return false
+}
+
+func (c *blockingCache) IsIPBlocked(host string) bool {
+	if c == nil {
+		return false
+	}
+	host = strings.TrimSpace(host)
+	if host == "" {
+		return false
+	}
+	ip := net.ParseIP(host)
+	if ip == nil {
+		return false
+	}
+
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	if _, ok := c.ips[ip.String()]; ok {
+		return true
+	}
+	for _, ipNet := range c.cidrs {
+		if ipNet.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *blockingCache) FindForbiddenWord(text any) (string, bool) {
+	if c == nil {
+		return "", false
+	}
+	value, ok := text.(string)
+	if !ok || value == "" {
+		return "", false
+	}
+
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+	foldedText := ""
+	for _, rule := range c.words {
+		if rule.matchType != forbiddenWordMatchContains {
+			continue
+		}
+		if rule.caseSensitive {
+			if strings.Contains(value, rule.word) {
+				return rule.word, true
+			}
+			continue
+		}
+		if foldedText == "" {
+			foldedText = strings.ToLower(value)
+		}
+		if strings.Contains(foldedText, rule.foldedWord) {
+			return rule.word, true
+		}
+	}
+	return "", false
+}
+
+func blockingInt64FromAny(value any) (int64, bool) {
+	switch v := value.(type) {
+	case int:
+		return int64(v), true
+	case int8:
+		return int64(v), true
+	case int16:
+		return int64(v), true
+	case int32:
+		return int64(v), true
+	case int64:
+		return v, true
+	case uint:
+		return int64(v), true
+	case uint8:
+		return int64(v), true
+	case uint16:
+		return int64(v), true
+	case uint32:
+		return int64(v), true
+	case uint64:
+		if v > uint64(^uint64(0)>>1) {
+			return 0, false
+		}
+		return int64(v), true
+	case float64:
+		return int64(v), v == float64(int64(v))
+	case string:
+		n, err := strconv.ParseInt(strings.TrimSpace(v), 10, 64)
+		return n, err == nil
+	default:
+		return 0, false
+	}
+}

blocking_cache_test.go

@@ -0,0 +1,102 @@
+package main
+
+import "testing"
+
+func TestBlockingCacheLoadsEnabledRules(t *testing.T) {
+	st := openTestStore(t)
+	defer st.Close()
+
+	nodeNum := int64(305419896)
+	if _, err := st.CreateNodeBlocking("!12345678", &nodeNum, "enabled", true); err != nil {
+		t.Fatalf("CreateNodeBlocking(enabled) error = %v", err)
+	}
+	disabledNodeNum := int64(7)
+	if _, err := st.CreateNodeBlocking("!00000007", &disabledNodeNum, "disabled", false); err != nil {
+		t.Fatalf("CreateNodeBlocking(disabled) error = %v", err)
+	}
+	if _, err := st.CreateIPBlocking("192.168.1.0/24", "lan", true); err != nil {
+		t.Fatalf("CreateIPBlocking(cidr) error = %v", err)
+	}
+	if _, err := st.CreateIPBlocking("10.0.0.1", "disabled", false); err != nil {
+		t.Fatalf("CreateIPBlocking(disabled) error = %v", err)
+	}
+	if _, err := st.CreateForbiddenWordBlocking("spam", "contains", false, "enabled", true); err != nil {
+		t.Fatalf("CreateForbiddenWordBlocking(enabled) error = %v", err)
+	}
+	if _, err := st.CreateForbiddenWordBlocking("blocked", "contains", false, "disabled", false); err != nil {
+		t.Fatalf("CreateForbiddenWordBlocking(disabled) error = %v", err)
+	}
+
+	cache, err := newBlockingCache(st)
+	if err != nil {
+		t.Fatalf("newBlockingCache() error = %v", err)
+	}
+
+	if !cache.IsNodeBlocked("!12345678", nil) {
+		t.Fatal("IsNodeBlocked(enabled node id) = false, want true")
+	}
+	if !cache.IsNodeBlocked("", uint32(nodeNum)) {
+		t.Fatal("IsNodeBlocked(enabled node num) = false, want true")
+	}
+	if cache.IsNodeBlocked("!00000007", disabledNodeNum) {
+		t.Fatal("IsNodeBlocked(disabled node) = true, want false")
+	}
+	if !cache.IsIPBlocked("192.168.1.42") {
+		t.Fatal("IsIPBlocked(CIDR member) = false, want true")
+	}
+	if cache.IsIPBlocked("10.0.0.1") {
+		t.Fatal("IsIPBlocked(disabled IP) = true, want false")
+	}
+	if word, ok := cache.FindForbiddenWord("This is SPAM text"); !ok || word != "spam" {
+		t.Fatalf("FindForbiddenWord(case-insensitive) = %q, %v, want spam, true", word, ok)
+	}
+	if _, ok := cache.FindForbiddenWord("disabled blocked text"); ok {
+		t.Fatal("FindForbiddenWord(disabled word) = true, want false")
+	}
+}
+
+func TestBlockingCacheIPExactAndCIDR(t *testing.T) {
+	st := openTestStore(t)
+	defer st.Close()
+
+	if _, err := st.CreateIPBlocking("127.0.0.1", "loopback", true); err != nil {
+		t.Fatalf("CreateIPBlocking(ip) error = %v", err)
+	}
+	if _, err := st.CreateIPBlocking("2001:db8::/32", "docs", true); err != nil {
+		t.Fatalf("CreateIPBlocking(ipv6 cidr) error = %v", err)
+	}
+	cache, err := newBlockingCache(st)
+	if err != nil {
+		t.Fatalf("newBlockingCache() error = %v", err)
+	}
+
+	if !cache.IsIPBlocked("127.0.0.1") {
+		t.Fatal("IsIPBlocked(exact IPv4) = false, want true")
+	}
+	if !cache.IsIPBlocked("2001:db8::1") {
+		t.Fatal("IsIPBlocked(IPv6 CIDR) = false, want true")
+	}
+	if cache.IsIPBlocked("localhost") {
+		t.Fatal("IsIPBlocked(hostname) = true, want false")
+	}
+}
+
+func TestBlockingCacheForbiddenWordCaseSensitivity(t *testing.T) {
+	st := openTestStore(t)
+	defer st.Close()
+
+	if _, err := st.CreateForbiddenWordBlocking("Spam", "contains", true, "case-sensitive", true); err != nil {
+		t.Fatalf("CreateForbiddenWordBlocking(case-sensitive) error = %v", err)
+	}
+	cache, err := newBlockingCache(st)
+	if err != nil {
+		t.Fatalf("newBlockingCache() error = %v", err)
+	}
+
+	if _, ok := cache.FindForbiddenWord("lowercase spam"); ok {
+		t.Fatal("FindForbiddenWord(lowercase) = true, want false")
+	}
+	if word, ok := cache.FindForbiddenWord("contains Spam"); !ok || word != "Spam" {
+		t.Fatalf("FindForbiddenWord(exact case) = %q, %v, want Spam, true", word, ok)
+	}
+}

blocking_store.go

@@ -30,6 +30,11 @@ func (s *store) CountNodeBlocking(opts listOptions) (int64, error) {
 	return total, s.db.Model(&nodeBlockingRecord{}).Count(&total).Error
 }
 
+func (s *store) ListEnabledNodeBlocking() ([]nodeBlockingRecord, error) {
+	var rows []nodeBlockingRecord
+	return rows, s.db.Where("enabled = ?", true).Find(&rows).Error
+}
+
 func (s *store) CreateNodeBlocking(nodeID string, nodeNum *int64, reason string, enabled bool) (*nodeBlockingRecord, error) {
 	nodeID = strings.TrimSpace(nodeID)
 	if nodeID == "" {
@@ -93,6 +98,11 @@ func (s *store) CountIPBlocking(opts listOptions) (int64, error) {
 	return total, s.db.Model(&ipBlockingRecord{}).Count(&total).Error
 }
 
+func (s *store) ListEnabledIPBlocking() ([]ipBlockingRecord, error) {
+	var rows []ipBlockingRecord
+	return rows, s.db.Where("enabled = ?", true).Find(&rows).Error
+}
+
 func (s *store) CreateIPBlocking(ipValue string, reason string, enabled bool) (*ipBlockingRecord, error) {
 	value, err := normalizeIPBlockingValue(ipValue)
 	if err != nil {
@@ -156,6 +166,11 @@ func (s *store) CountForbiddenWordBlocking(opts listOptions) (int64, error) {
 	return total, s.db.Model(&forbiddenWordBlockingRecord{}).Count(&total).Error
 }
 
+func (s *store) ListEnabledForbiddenWordBlocking() ([]forbiddenWordBlockingRecord, error) {
+	var rows []forbiddenWordBlockingRecord
+	return rows, s.db.Where("enabled = ?", true).Find(&rows).Error
+}
+
 func (s *store) CreateForbiddenWordBlocking(word, matchType string, caseSensitive bool, reason string, enabled bool) (*forbiddenWordBlockingRecord, error) {
 	word = strings.TrimSpace(word)
 	if word == "" {

blocking_store_test.go

@@ -120,6 +120,42 @@ func TestIPBlockingCRUDAndValidation(t *testing.T) {
 	}
 }
 
+func TestListEnabledBlockingRules(t *testing.T) {
+	st := openTestStore(t)
+	defer st.Close()
+
+	nodeNum := int64(1)
+	if _, err := st.CreateNodeBlocking("!00000001", &nodeNum, "enabled", true); err != nil {
+		t.Fatalf("CreateNodeBlocking(enabled) error = %v", err)
+	}
+	if _, err := st.CreateNodeBlocking("!00000002", nil, "disabled", false); err != nil {
+		t.Fatalf("CreateNodeBlocking(disabled) error = %v", err)
+	}
+	if rows, err := st.ListEnabledNodeBlocking(); err != nil || len(rows) != 1 || rows[0].NodeID != "!00000001" {
+		t.Fatalf("ListEnabledNodeBlocking() = %+v, %v, want only enabled node", rows, err)
+	}
+
+	if _, err := st.CreateIPBlocking("127.0.0.1", "enabled", true); err != nil {
+		t.Fatalf("CreateIPBlocking(enabled) error = %v", err)
+	}
+	if _, err := st.CreateIPBlocking("192.168.1.1", "disabled", false); err != nil {
+		t.Fatalf("CreateIPBlocking(disabled) error = %v", err)
+	}
+	if rows, err := st.ListEnabledIPBlocking(); err != nil || len(rows) != 1 || rows[0].IPValue != "127.0.0.1" {
+		t.Fatalf("ListEnabledIPBlocking() = %+v, %v, want only enabled IP", rows, err)
+	}
+
+	if _, err := st.CreateForbiddenWordBlocking("spam", "contains", false, "enabled", true); err != nil {
+		t.Fatalf("CreateForbiddenWordBlocking(enabled) error = %v", err)
+	}
+	if _, err := st.CreateForbiddenWordBlocking("eggs", "contains", false, "disabled", false); err != nil {
+		t.Fatalf("CreateForbiddenWordBlocking(disabled) error = %v", err)
+	}
+	if rows, err := st.ListEnabledForbiddenWordBlocking(); err != nil || len(rows) != 1 || rows[0].Word != "spam" {
+		t.Fatalf("ListEnabledForbiddenWordBlocking() = %+v, %v, want only enabled word", rows, err)
+	}
+}
+
 func TestForbiddenWordBlockingCRUDAndValidation(t *testing.T) {
 	st := openTestStore(t)
 	defer st.Close()

main.go

@@ -34,9 +34,10 @@ const (
 
 type meshtasticFilterHook struct {
 	mqtt.HookBase
-	key   []byte
+	key      []byte
-	store *store
+	store    *store
-	stats *meshtasticMessageStats
+	stats    *meshtasticMessageStats
+	blocking *blockingCache
 }
 
 // ID 返回用于识别 Meshtastic payload 过滤器的 hook 名称。
@@ -46,19 +47,31 @@ func (h *meshtasticFilterHook) ID() string {
 
 // Provides 声明该 hook 只处理客户端发布消息。
 func (h *meshtasticFilterHook) Provides(b byte) bool {
-	return b == mqtt.OnPublish
+	return b == mqtt.OnConnect || b == mqtt.OnPublish
+}
+
+// OnConnect 在 MQTT 会话建立前拒绝命中 IP 屏蔽表的客户端。
+func (h *meshtasticFilterHook) OnConnect(cl *mqtt.Client, pk packets.Packet) error {
+	info := mqttClientInfoFromClient(cl)
+	if h.blocking != nil && h.blocking.IsIPBlocked(info.RemoteHost) {
+		printJSON(map[string]any{"event": "mqtt_client_rejected", "reason": "blocked_ip", "client_id": info.ClientID, "remote_addr": info.RemoteAddr, "remote_host": info.RemoteHost})
+		return packets.ErrNotAuthorized
+	}
+	return nil
 }
 
 // OnPublish 在 broker 转发消息前校验 payload；无效消息会被拒绝并丢弃。
 func (h *meshtasticFilterHook) OnPublish(cl *mqtt.Client, pk packets.Packet) (packets.Packet, error) {
 	valid, _, record := mqtpp.MQTTPP(pk.TopicName, pk.Payload, h.key)
 	if !valid {
-		h.stats.IncDropped()
+		h.rejectPublish(cl, pk, record)
-		if h.store != nil {
+		return pk, packets.ErrRejectPacket
-			if err := h.store.InsertDiscardDetails(record, pk.Payload, mqttClientInfoFromClient(cl)); err != nil {
+	}
-				printJSON(map[string]any{"event": "db_error", "type": "discard_details", "topic": pk.TopicName, "error": err.Error()})
+	if violation := blockingViolationForRecord(h.blocking, record); violation != nil {
-			}
+		for key, value := range violation {
+			record[key] = value
 		}
+		h.rejectPublish(cl, pk, record)
 		return pk, packets.ErrRejectPacket
 	}
 	h.stats.IncForwarded()
@@ -113,6 +126,39 @@ func (h *meshtasticFilterHook) OnPublish(cl *mqtt.Client, pk packets.Packet) (pa
 	return pk, nil
 }
 
+func (h *meshtasticFilterHook) rejectPublish(cl *mqtt.Client, pk packets.Packet, record map[string]any) {
+	if h.stats != nil {
+		h.stats.IncDropped()
+	}
+	if h.store != nil {
+		if err := h.store.InsertDiscardDetails(record, pk.Payload, mqttClientInfoFromClient(cl)); err != nil {
+			printJSON(map[string]any{"event": "db_error", "type": "discard_details", "topic": pk.TopicName, "error": err.Error()})
+		}
+	}
+}
+
+func blockingViolationForRecord(blocking *blockingCache, record map[string]any) map[string]any {
+	if blocking == nil || record == nil {
+		return nil
+	}
+	if blocking.IsNodeBlocked(record["from"], record["from_num"]) {
+		return map[string]any{"error": "blocked node", "blocking_type": "node"}
+	}
+	var field string
+	switch record["type"] {
+	case "text_message":
+		field = "text"
+	case "nodeinfo", "map_report":
+		field = "long_name"
+	default:
+		return nil
+	}
+	if word, ok := blocking.FindForbiddenWord(record[field]); ok {
+		return map[string]any{"error": "forbidden word", "blocking_type": "forbidden_word", "blocking_field": field, "matched_word": word}
+	}
+	return nil
+}
+
 func mqttClientInfoFromClient(cl *mqtt.Client) mqttClientInfo {
 	if cl == nil {
 		return mqttClientInfo{}
@@ -201,8 +247,13 @@ func run(cfg *config) error {
 		return err
 	}
 
+	blocking, err := newBlockingCache(store)
+	if err != nil {
+		return err
+	}
+
 	messageStats := &meshtasticMessageStats{}
-	server, mqttAddr, err := startMQTTServer(cfg, store, messageStats)
+	server, mqttAddr, err := startMQTTServer(cfg, store, messageStats, blocking)
 	if err != nil {
 		return err
 	}
@@ -215,7 +266,7 @@ func run(cfg *config) error {
 			return err
 		}
 		mqttStatus := mqttRuntimeStatus{server: server, address: mqttAddr, tls: cfg.MQTT.TLS.Enabled, stats: messageStats}
-		httpServer = newHTTPServer(cfg.Web, store, sessions, mqttStatus)
+		httpServer = newHTTPServer(cfg.Web, store, sessions, mqttStatus, blocking)
 		go func() {
 			if err := httpServer.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
 				errCh <- err
@@ -246,12 +297,12 @@ func run(cfg *config) error {
 	return runErr
 }
 
-func startMQTTServer(cfg *config, store *store, stats *meshtasticMessageStats) (*mqtt.Server, string, error) {
+func startMQTTServer(cfg *config, store *store, stats *meshtasticMessageStats, blocking *blockingCache) (*mqtt.Server, string, error) {
 	server := mqtt.New(nil)
 	if err := server.AddHook(new(auth.AllowHook), nil); err != nil {
 		return nil, "", err
 	}
-	if err := server.AddHook(&meshtasticFilterHook{key: cfg.key, store: store, stats: stats}, nil); err != nil {
+	if err := server.AddHook(&meshtasticFilterHook{key: cfg.key, store: store, stats: stats, blocking: blocking}, nil); err != nil {
 		return nil, "", err
 	}
 

main_test.go

@@ -41,3 +41,42 @@ func TestMQTTClientInfoFromClientUnsplitRemote(t *testing.T) {
 		t.Fatalf("remote fields = %#v, want host localhost and empty port", info)
 	}
 }
+
+func TestBlockingViolationForRecordNode(t *testing.T) {
+	cache := &blockingCache{nodes: map[string]struct{}{"!12345678": {}}, nodeNums: map[int64]struct{}{}, ips: map[string]struct{}{}}
+	record := map[string]any{"type": "position", "from": "!12345678", "from_num": uint32(305419896)}
+
+	violation := blockingViolationForRecord(cache, record)
+	if violation == nil || violation["blocking_type"] != "node" {
+		t.Fatalf("blockingViolationForRecord() = %#v, want node violation", violation)
+	}
+}
+
+func TestBlockingViolationForRecordForbiddenWordFields(t *testing.T) {
+	cache := &blockingCache{nodes: map[string]struct{}{}, nodeNums: map[int64]struct{}{}, ips: map[string]struct{}{}, words: []forbiddenWordRule{{word: "spam", foldedWord: "spam", matchType: forbiddenWordMatchContains}}}
+
+	for _, tc := range []struct {
+		name   string
+		record map[string]any
+		field  string
+	}{
+		{name: "text", record: map[string]any{"type": "text_message", "from": "!1", "text": "has SPAM"}, field: "text"},
+		{name: "nodeinfo", record: map[string]any{"type": "nodeinfo", "from": "!1", "long_name": "has SPAM"}, field: "long_name"},
+		{name: "map_report", record: map[string]any{"type": "map_report", "from": "!1", "long_name": "has SPAM"}, field: "long_name"},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			violation := blockingViolationForRecord(cache, tc.record)
+			if violation == nil || violation["blocking_type"] != "forbidden_word" || violation["blocking_field"] != tc.field || violation["matched_word"] != "spam" {
+				t.Fatalf("blockingViolationForRecord() = %#v, want forbidden word on %s", violation, tc.field)
+			}
+		})
+	}
+}
+
+func TestBlockingViolationForRecordAllowed(t *testing.T) {
+	cache := &blockingCache{nodes: map[string]struct{}{}, nodeNums: map[int64]struct{}{}, ips: map[string]struct{}{}, words: []forbiddenWordRule{{word: "spam", foldedWord: "spam", matchType: forbiddenWordMatchContains}}}
+	record := map[string]any{"type": "text_message", "from": "!1", "text": "hello"}
+	if violation := blockingViolationForRecord(cache, record); violation != nil {
+		t.Fatalf("blockingViolationForRecord() = %#v, want nil", violation)
+	}
+}

web.go

@@ -14,19 +14,19 @@ import (
 	"gorm.io/gorm"
 )
 
-func newHTTPServer(cfg webConfig, store *store, sessions *sessionManager, mqttStatus mqttStatusProvider) *http.Server {
+func newHTTPServer(cfg webConfig, store *store, sessions *sessionManager, mqttStatus mqttStatusProvider, blocking *blockingCache) *http.Server {
 	return &http.Server{
 		Addr:    net.JoinHostPort(cfg.Host, strconv.Itoa(cfg.Port)),
-		Handler: newRouter(cfg, store, sessions, mqttStatus),
+		Handler: newRouter(cfg, store, sessions, mqttStatus, blocking),
 	}
 }
 
-func newRouter(cfg webConfig, store *store, sessions *sessionManager, mqttStatus mqttStatusProvider) *gin.Engine {
+func newRouter(cfg webConfig, store *store, sessions *sessionManager, mqttStatus mqttStatusProvider, blocking *blockingCache) *gin.Engine {
 	r := gin.New()
 	r.Use(gin.Logger(), gin.Recovery())
 	api := r.Group("/api")
 	registerAPIRoutes(api, store)
-	registerAdminRoutes(api.Group("/admin"), store, sessions, mqttStatus)
+	registerAdminRoutes(api.Group("/admin"), store, sessions, mqttStatus, blocking)
 	registerStaticRoutes(r, cfg.StaticDir)
 	return r
 }
@@ -96,7 +96,7 @@ func registerAPIRoutes(r gin.IRouter, store *store) {
 	})
 }
 
-func registerAdminRoutes(r gin.IRouter, store *store, sessions *sessionManager, mqttStatus mqttStatusProvider) {
+func registerAdminRoutes(r gin.IRouter, store *store, sessions *sessionManager, mqttStatus mqttStatusProvider, blocking *blockingCache) {
 	type loginRequest struct {
 		Username string `json:"username"`
 		Password string `json:"password"`
@@ -156,7 +156,7 @@ func registerAdminRoutes(r gin.IRouter, store *store, sessions *sessionManager,
 
 	protected := r.Group("")
 	protected.Use(requireAdmin(sessions))
-	registerAdminBlockingRoutes(protected, store)
+	registerAdminBlockingRoutes(protected, store, blocking)
 	protected.GET("/me", func(c *gin.Context) {
 		claims := c.MustGet("admin_claims").(*sessionClaims)
 		c.JSON(http.StatusOK, gin.H{"user": adminUserDTO{Username: claims.Username, Role: claims.Role}})