From 898553c471a291ed43414d7f1b53cadfd1b83949 Mon Sep 17 00:00:00 2001
From: CodeShell <122738806+CodeShellDev@users.noreply.github.com>
Date: Thu, 8 Jan 2026 20:49:31 +0100
Subject: [PATCH] grand blocking overhaul
---
docs/configuration/endpoints.md | 17 ++++++++---------
docs/configuration/field-policies.md | 27 ++++++++++++++++++++++++++-
docs/configuration/ip-filters.md | 19 ++++++++++---------
docs/configuration/ratelimiting.md | 4 ++++
4 files changed, 48 insertions(+), 19 deletions(-)
diff --git a/docs/configuration/endpoints.md b/docs/configuration/endpoints.md
index e819b7fc..a07b0c4b 100644
--- a/docs/configuration/endpoints.md
+++ b/docs/configuration/endpoints.md
@@ -47,16 +47,15 @@ By default, adding an endpoint explicitly allows access to it, use `!` to block
## Behavior
-| Allow | Block | Result |
-| ---------- | -------------- | -------------------------------------------- |
-| `/v2/send` | — | **Only** `/v2/send` allowed |
-| — | `!/v1/receive` | **All** allowed **except** `/v1/receive` |
-| `/v2/send` | `!/v2/*` | `/v2*` allowed **except** `/v2/send` blocked |
+| Allow | Block | Result |
+| ---------- | -------------- | ----------------------------------------- |
+| `/v2/send` | — | **Only** `/v2/send` allowed |
+| — | `!/v1/receive` | **All** allowed, **except** `/v1/receive` |
+| `/v2/send` | `!/v2/*` | **Only** `/v2/send` allowed |
### Rules
- Default: **allow all**
-- Allow rules add explicit access
-- Block rules deny matching endpoints
-- Explicit allow overrides block
-- Mixed allow + block rules keep permissive default
+- Allow rules exist: default **block**
+- Only block rules exist: default **allow**
+- Explicit allow **overrides** block
diff --git a/docs/configuration/field-policies.md b/docs/configuration/field-policies.md
index de797640..39f2aee6 100644
--- a/docs/configuration/field-policies.md
+++ b/docs/configuration/field-policies.md
@@ -14,14 +14,39 @@ Configure them by using `access.fieldPolicies` like so:
settings:
access:
fieldPolicies:
- "@number": { value: "+123400002", action: block }
+ "@number":
+ - value: "+123400002"
+ action: block
+ - value: "+123400003"
+ action: allow
```
Set the wanted action on encounter, available options are `block` and `allow`.
+> [!TIP]
+> String fields always try to use regex matching, on compile error exact match is used as fallback
+
> [!NOTE]
> Supported [placeholder types](../usage/advanced#placeholders):
>
> | `.` Variables | `@` Body | `#` Headers |
> | ------------- | -------- | ----------- |
> | ❌ | ✅ | ✅ |
+
+## Behavior
+
+| Allow | Block | Result |
+| ------------------- | ----------------------- | --------------------------------------------------------------------------- |
+| `number=+123400003` | — | `number` may **only** be `+123400003` |
+| — | `number=+123400002` | `number` may **not** be `+123400002` |
+| `message=hello` | `number=+123400002` | `number` may **not** be `+123400002`
`message` may **only** be `hello` |
+| `number=+123400003` | `number=+12340000[2-9]` | `number` may **not** be `+123400002` through `9` **except** `123400003` |
+
+### Rules
+
+- **Field-scoped** (policies for `a` don't affect policies for `b`)
+
+* Default: **allow all**
+* Allow rules exist: default **block**
+* Only block rules exist: default **allow**
+* Explicit allow **overrides** block
diff --git a/docs/configuration/ip-filters.md b/docs/configuration/ip-filters.md
index edbf820c..eb55a35f 100644
--- a/docs/configuration/ip-filters.md
+++ b/docs/configuration/ip-filters.md
@@ -40,19 +40,20 @@ By default, adding an IP or range explicitly allows it, use `!` to block it inst
## Behavior
-| Allow | Block | Result |
-| -------------- | ------------------------ | ----------------------------------------- |
-| `192.168.1.10` | — | Only `192.168.1.10` allowed |
-| — | `!123.456.78.9` | All allowed, except `123.456.78.9` |
-| `10.0.0.0/24` | `!10.0.0.10` | `10.0.0.0/24` allowed, except `10.0.0.10` |
-| — | `!0.0.0.0/0`
`!::/0` | All IPv4 & IPv6 blocked |
+| Allow | Block | Result |
+| -------------- | ------------------------ | --------------------------------------------- |
+| `192.168.1.10` | — | **Only** `192.168.1.10` allowed |
+| — | `!123.456.78.9` | **All** allowed, **except** `123.456.78.9` |
+| `10.0.0.0/24` | `!10.0.0.10` | `10.0.0.0/24` allowed, **except** `10.0.0.10` |
+| — | `!0.0.0.0/0`
`!::/0` | All IPv4 & IPv6 blocked |
### Rules
- Default: **allow all**
-- Allow rules restrict access **only if no block rules exist**
-- Block rules deny matching IPs
-- Explicit allow overrides block
+- Allow rules exist: default **block**
+- Only block rules exist: default **allow**
+- Explicit allow **overrides** block
+
- IPv4 and IPv6 rules may be mixed
## Clients behind Proxies
diff --git a/docs/configuration/ratelimiting.md b/docs/configuration/ratelimiting.md
index ca13366f..d5b897bb 100644
--- a/docs/configuration/ratelimiting.md
+++ b/docs/configuration/ratelimiting.md
@@ -21,3 +21,7 @@ settings:
- `period`: The duration over which the limit is measured (supports Go duration format like `1m`, `10s`, `1h`)
When a request exceeds the configured rate limit the server responds with `429` `Too Many Requests`.
+
+> [!IMPORTANT]
+>
+> [Trusted clients](./trusted-ips.md) are allowed to bypass rate limits