author | Travis Ralston <travisr@matrix.org> | 2025-01-16 11:35:50 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-01-16 19:35:50 +0100 |
commit | e9cc37ac52ff1611ddf055a95e65869806041038 (patch) | |
tree | 34026f77a95248d3cd8f920426f6855d44e35c06 /setup | |
parent | 4fb83354ca37c53e33b58dc5aa318a996cf8bd61 (diff) |
Merge commit from fork
* Support configuring allow/deny networks
* Make the DNS cache aware of the allow/deny networks
* Allow all networks in CI
* Update GMSL
* Add missed file
---------
Co-authored-by: Till Faelligen <2353100+S7evinK@users.noreply.github.com>
Diffstat (limited to 'setup')
-rw-r--r-- | setup/base/base.go | 1 | ||||
-rw-r--r-- | setup/config/config_federationapi.go | 18 |
2 files changed, 19 insertions, 0 deletions
diff --git a/setup/base/base.go b/setup/base/base.go
index 359a6816..ffc2be37 100644
--- a/setup/base/base.go
+++ b/setup/base/base.go
@@ -82,6 +82,7 @@ func CreateFederationClient(cfg *config.Dendrite, dnsCache *fclient.DNSCache) fc
 fclient.WithSkipVerify(cfg.FederationAPI.DisableTLSValidation),
 fclient.WithKeepAlives(!cfg.FederationAPI.DisableHTTPKeepalives),
 fclient.WithUserAgent(fmt.Sprintf("Dendrite/%s", internal.VersionString())),
+ fclient.WithAllowDenyNetworks(cfg.FederationAPI.AllowNetworkCIDRs, cfg.FederationAPI.DenyNetworkCIDRs),
 }
 if cfg.Global.DNSCache.Enabled {
 opts = append(opts, fclient.WithDNSCache(dnsCache))
diff --git a/setup/config/config_federationapi.go b/setup/config/config_federationapi.go
index 073c46e0..ed417a74 100644
--- a/setup/config/config_federationapi.go
+++ b/setup/config/config_federationapi.go
@@ -46,6 +46,10 @@ type FederationAPI struct {
 // Should we prefer direct key fetches over perspective ones?
 PreferDirectFetch bool `yaml:"prefer_direct_fetch"`
+
+ // Deny/Allow lists used for restricting request scopes.
+ DenyNetworkCIDRs []string `yaml:"deny_networks"`
+ AllowNetworkCIDRs []string `yaml:"allow_networks"`
 }
 func (c *FederationAPI) Defaults(opts DefaultOpts) {
@@ -53,6 +57,20 @@ func (c *FederationAPI) Defaults(opts DefaultOpts) {
 c.P2PFederationRetriesUntilAssumedOffline = 1
 c.DisableTLSValidation = false
 c.DisableHTTPKeepalives = false
+ c.DenyNetworkCIDRs = []string{
+ "127.0.0.1/8",
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ "100.64.0.0/10",
+ "169.254.0.0/16",
+ "::1/128",
+ "fe80::/64",
+ "fc00::/7",
+ }
+ c.AllowNetworkCIDRs = []string{
+ "0.0.0.0/0",
+ }
 if opts.Generate {
 c.KeyPerspectives = KeyPerspectives{
 { |
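Review bot: The two lists reach `fclient.WithAllowDenyNetworks` as raw strings straight from the YAML config, and nothing in this diff parses or rejects them first. If the option skips an entry it cannot parse, a typo in `deny_networks` would quietly remove a protection, so the config verification step should fail startup on a bad entry, for example `if _, _, err := net.ParseCIDR(cidr); err != nil { /* record a config error */ }`. The call passes the allow list first and the deny list second while the struct declares them in the opposite order, so a short comment on the added line, such as `// allow list first, then deny list`, would guard against a later swap. CreateFederationClient starts and ends outside the hunk.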
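Review bot: The comment on the new `DenyNetworkCIDRs` and `AllowNetworkCIDRs` fields does not say what is restricted or how the two lists interact. Judging by the commit title they presumably filter the destination addresses of outbound federation requests, so something like `// DenyNetworkCIDRs and AllowNetworkCIDRs are CIDR ranges matched against the destination IP of outbound federation requests.` would be clearer. The comment should also state which list wins when an address matches both and what an empty `allow_networks` means, neither of which is visible in this hunk. If a value set in YAML replaces the defaults instead of extending them, say so here, since an operator adding a single range would otherwise drop the built-in deny list.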
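Review bot: The default deny list in `Defaults` has gaps against the ranges it is evidently meant to cover. `"fe80::/64"` is narrower than the IPv6 link-local block `fe80::/10`, and `0.0.0.0/8` is absent although the unspecified address resolves to the local host on many systems. `"127.0.0.1/8"` has host bits set, so the canonical `"127.0.0.0/8"` is safer should a stricter parser ever be used. Whether IPv4-mapped IPv6 addresses (`::ffff:0:0/96`) are normalised before matching is decided in the library and is not visible here, so a test covering a mapped loopback address would be worth adding. Defaults continues outside the hunk.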