-rw-r--r--cmd/dendrite/main.go2
-rw-r--r--cmd/generate-config/main.go4
-rw-r--r--contrib/dendrite-demo-i2p/main.go2
-rw-r--r--contrib/dendrite-demo-tor/main.go2
-rw-r--r--dendrite-sample.yaml18
-rw-r--r--go.mod2
-rw-r--r--go.sum4
-rw-r--r--setup/base/base.go1
-rw-r--r--setup/config/config_federationapi.go18
9 files changed, 50 insertions, 3 deletions
diff --git a/cmd/dendrite/main.go b/cmd/dendrite/main.go
index da43432f..5badbda2 100644
--- a/cmd/dendrite/main.go
+++ b/cmd/dendrite/main.go
@@ -94,6 +94,8 @@ func main() {
dnsCache = fclient.NewDNSCache(
cfg.Global.DNSCache.CacheSize,
cfg.Global.DNSCache.CacheLifetime,
+ cfg.FederationAPI.AllowNetworkCIDRs,
+ cfg.FederationAPI.DenyNetworkCIDRs,
)
logrus.Infof(
"DNS cache enabled (size %d, lifetime %s)",
diff --git a/cmd/generate-config/main.go b/cmd/generate-config/main.go
index c6399ec5..63e1dde7 100644
--- a/cmd/generate-config/main.go
+++ b/cmd/generate-config/main.go
@@ -71,6 +71,10 @@ func main() {
cfg.ClientAPI.RateLimiting.Enabled = false
cfg.FederationAPI.DisableTLSValidation = false
cfg.FederationAPI.DisableHTTPKeepalives = true
+ // Allow allow networks when running in CI, as otherwise connections
+ // to other servers might be blocked when running Complement/Sytest.
+ cfg.FederationAPI.DenyNetworkCIDRs = []string{}
+ cfg.FederationAPI.AllowNetworkCIDRs = []string{}
// don't hit matrix.org when running tests!!!
cfg.FederationAPI.KeyPerspectives = config.KeyPerspectives{}
cfg.MediaAPI.BasePath = config.Path(filepath.Join(*dirPath, "media"))
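Review bot: The comment above the two new assignments reads `// Allow allow networks when running in CI`, a doubled word, and it does not say what emptying both lists relies on: the effect depends on fclient treating an empty allow list as unrestricted rather than as allow-nothing, which this commit does not show, so it is worth confirming against the library before trusting the CI config. Suggest `// Clear the deny/allow lists for the CI config: the defaults deny private ranges, which would block connections to the servers Complement/Sytest run locally.` The surrounding block appears to be the test/CI branch of main(), which starts outside the hunk; if this generator is ever used for a non-CI config, these two lines remove the private-range protection the defaults provide.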
diff --git a/contrib/dendrite-demo-i2p/main.go b/contrib/dendrite-demo-i2p/main.go
index 27f69acb..139edacc 100644
--- a/contrib/dendrite-demo-i2p/main.go
+++ b/contrib/dendrite-demo-i2p/main.go
@@ -70,6 +70,8 @@ func main() {
dnsCache = fclient.NewDNSCache(
cfg.Global.DNSCache.CacheSize,
cfg.Global.DNSCache.CacheLifetime,
+ cfg.FederationAPI.AllowNetworkCIDRs,
+ cfg.FederationAPI.DenyNetworkCIDRs,
)
logrus.Infof(
"DNS cache enabled (size %d, lifetime %s)",
diff --git a/contrib/dendrite-demo-tor/main.go b/contrib/dendrite-demo-tor/main.go
index 132b557f..ab32e1db 100644
--- a/contrib/dendrite-demo-tor/main.go
+++ b/contrib/dendrite-demo-tor/main.go
@@ -65,6 +65,8 @@ func main() {
dnsCache = fclient.NewDNSCache(
cfg.Global.DNSCache.CacheSize,
cfg.Global.DNSCache.CacheLifetime,
+ cfg.FederationAPI.AllowNetworkCIDRs,
+ cfg.FederationAPI.DenyNetworkCIDRs,
)
logrus.Infof(
"DNS cache enabled (size %d, lifetime %s)",
diff --git a/dendrite-sample.yaml b/dendrite-sample.yaml
index 0ee381f0..2afdc33f 100644
--- a/dendrite-sample.yaml
+++ b/dendrite-sample.yaml
@@ -254,6 +254,24 @@ federation_api:
# last resort.
prefer_direct_fetch: false
+ # deny_networks and allow_networks are the CIDR ranges used to prevent requests
+ # from accessing private IPs. If your system has specific IPs it should never
+ # contact, add them here with CIDR notation.
+ #
+ # The deny list is checked before the allow list.
+ deny_networks:
+ - "127.0.0.1/8"
+ - "10.0.0.0/8"
+ - "172.16.0.0/12"
+ - "192.168.0.0/16"
+ - "100.64.0.0/10"
+ - "169.254.0.0/16"
+ - "::1/128"
+ - "fe80::/64"
+ - "fc00::/7"
+ allow_networks:
+ - "0.0.0.0/0" # "Everything". The deny list will help limit this.
+
# Configuration for the Media API.
media_api:
# Storage path for uploaded media. May be relative or absolute.
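Review bot: `"127.0.0.1/8"` in deny_networks is a host address with a prefix length rather than a network; Go's net.ParseCIDR masks it to 127.0.0.0/8 so it still works, but it reads as a single-host entry and should be written `"127.0.0.0/8"` here and in the identical default list in FederationAPI.Defaults in setup/config/config_federationapi.go. The reserved link-local block is `fe80::/10`; `fe80::/64` covers the addresses hosts actually assign, but the wider prefix is the conventional deny entry. There is no entry for the IPv4-mapped IPv6 range (`::ffff:0:0/96`) or the unspecified addresses (`0.0.0.0/8`, `::/128`); whether a mapped address is compared in its IPv4 form depends on how fclient normalises resolved addresses, which is not visible in this commit, so either confirm that or add the entries so the deny list does not rely on it.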
diff --git a/go.mod b/go.mod
index 04453125..36463adb 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
github.com/matrix-org/dugong v0.0.0-20210921133753-66e6b1c67e2e
github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91
github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530
- github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8
+ github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d
github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7
github.com/matrix-org/util v0.0.0-20221111132719-399730281e66
github.com/mattn/go-sqlite3 v1.14.24
diff --git a/go.sum b/go.sum
index ff0bbeb3..5d2612d3 100644
--- a/go.sum
+++ b/go.sum
@@ -232,8 +232,8 @@ github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91 h1:s7fexw
github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91/go.mod h1:e+cg2q7C7yE5QnAXgzo512tgFh1RbQLC0+jozuegKgo=
github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530 h1:kHKxCOLcHH8r4Fzarl4+Y3K5hjothkVW5z7T1dUM11U=
github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530/go.mod h1:/gBX06Kw0exX1HrwmoBibFA98yBk/jxKpGVeyQbff+s=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8 h1:nC998SaawQwbZ16/V70Pil3pY3rSQwTaeLOpHWp7ZTo=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8/go.mod h1:qil34SWn6VB6gO5312rzziCUcZtgROPjrLE+4ly/0os=
+github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d h1:c3Dkci0GDH/6cGGt8zGIiJMP+UOdtX0DPY6dxiJvtZM=
+github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d/go.mod h1:qil34SWn6VB6gO5312rzziCUcZtgROPjrLE+4ly/0os=
github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7 h1:6t8kJr8i1/1I5nNttw6nn1ryQJgzVlBmSGgPiiaTdw4=
github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7/go.mod h1:ReWMS/LoVnOiRAdq9sNUC2NZnd1mZkMNB52QhpTRWjg=
github.com/matrix-org/util v0.0.0-20221111132719-399730281e66 h1:6z4KxomXSIGWqhHcfzExgkH3Z3UkIXry4ibJS4Aqz2Y=
diff --git a/setup/base/base.go b/setup/base/base.go
index 359a6816..ffc2be37 100644
--- a/setup/base/base.go
+++ b/setup/base/base.go
@@ -82,6 +82,7 @@ func CreateFederationClient(cfg *config.Dendrite, dnsCache *fclient.DNSCache) fc
fclient.WithSkipVerify(cfg.FederationAPI.DisableTLSValidation),
fclient.WithKeepAlives(!cfg.FederationAPI.DisableHTTPKeepalives),
fclient.WithUserAgent(fmt.Sprintf("Dendrite/%s", internal.VersionString())),
+ fclient.WithAllowDenyNetworks(cfg.FederationAPI.AllowNetworkCIDRs, cfg.FederationAPI.DenyNetworkCIDRs),
}
if cfg.Global.DNSCache.Enabled {
opts = append(opts, fclient.WithDNSCache(dnsCache))
diff --git a/setup/config/config_federationapi.go b/setup/config/config_federationapi.go
index 073c46e0..ed417a74 100644
--- a/setup/config/config_federationapi.go
+++ b/setup/config/config_federationapi.go
@@ -46,6 +46,10 @@ type FederationAPI struct {
// Should we prefer direct key fetches over perspective ones?
PreferDirectFetch bool `yaml:"prefer_direct_fetch"`
+
+ // Deny/Allow lists used for restricting request scopes.
+ DenyNetworkCIDRs []string `yaml:"deny_networks"`
+ AllowNetworkCIDRs []string `yaml:"allow_networks"`
}
func (c *FederationAPI) Defaults(opts DefaultOpts) {
@@ -53,6 +57,20 @@ func (c *FederationAPI) Defaults(opts DefaultOpts) {
c.P2PFederationRetriesUntilAssumedOffline = 1
c.DisableTLSValidation = false
c.DisableHTTPKeepalives = false
+ c.DenyNetworkCIDRs = []string{
+ "127.0.0.1/8",
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ "100.64.0.0/10",
+ "169.254.0.0/16",
+ "::1/128",
+ "fe80::/64",
+ "fc00::/7",
+ }
+ c.AllowNetworkCIDRs = []string{
+ "0.0.0.0/0",
+ }
if opts.Generate {
c.KeyPerspectives = KeyPerspectives{
{
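Review bot: The new field comment in the first hunk, `// Deny/Allow lists used for restricting request scopes.`, does not say what is restricted or which list wins, and nothing in this commit validates the values, so a malformed CIDR in the config is only discovered (or silently ignored) when fclient parses it; suggest checking each entry with net.ParseCIDR in the config's verification step so a typo fails at startup rather than quietly weakening the private-range protection the defaults provide. Suggested comment: `// CIDR ranges that outbound federation requests (and, presumably, DNS cache results) may resolve to; an address matching the deny list is rejected even if it also matches the allow list.` — the deny-before-allow ordering is stated in the sample YAML in this commit and belongs on the Go field too. The Defaults values mirror the sample YAML, so the two lists should be kept in step. The FederationAPI struct and Defaults both extend beyond their hunks.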