From aac2c49b9b8a241f7a13726cfa74bf3a67c9079f Mon Sep 17 00:00:00 2001 From: Michael Kutzner <65556178+mikure@users.noreply.github.com> Date: Tue, 15 Jun 2021 09:53:55 +0200 Subject: [PATCH] Fix 'ip_range_whitelist' not working for federation servers (#10115) Add 'federation_ip_range_whitelist'. This allows backwards-compatibility, If 'federation_ip_range_blacklist' is set. Otherwise 'ip_range_whitelist' will be used for federation servers. Signed-off-by: Michael Kutzner 1mikure@gmail.com --- changelog.d/10115.bugfix | 1 + synapse/config/server.py | 27 ++++++++++++++------------ synapse/http/matrixfederationclient.py | 4 +++- 3 files changed, 19 insertions(+), 13 deletions(-) create mode 100644 changelog.d/10115.bugfix diff --git a/changelog.d/10115.bugfix b/changelog.d/10115.bugfix new file mode 100644 index 000000000..e16f356e6 --- /dev/null +++ b/changelog.d/10115.bugfix @@ -0,0 +1 @@ +Fix a bug introduced in Synapse v1.25.0 that prevented the `ip_range_whitelist` configuration option from working for federation and identity servers. Contributed by @mikure. diff --git a/synapse/config/server.py b/synapse/config/server.py index c290a35a9..0833a5f7b 100644 --- a/synapse/config/server.py +++ b/synapse/config/server.py @@ -397,19 +397,22 @@ class ServerConfig(Config): self.ip_range_whitelist = generate_ip_set( config.get("ip_range_whitelist", ()), config_path=("ip_range_whitelist",) ) - # The federation_ip_range_blacklist is used for backwards-compatibility - # and only applies to federation and identity servers. If it is not given, - # default to ip_range_blacklist. - federation_ip_range_blacklist = config.get( - "federation_ip_range_blacklist", ip_range_blacklist - ) - # Always blacklist 0.0.0.0, :: - self.federation_ip_range_blacklist = generate_ip_set( - federation_ip_range_blacklist, - ["0.0.0.0", "::"], - config_path=("federation_ip_range_blacklist",), - ) + # and only applies to federation and identity servers. + if "federation_ip_range_blacklist" in config: + # Always blacklist 0.0.0.0, :: + self.federation_ip_range_blacklist = generate_ip_set( + config["federation_ip_range_blacklist"], + ["0.0.0.0", "::"], + config_path=("federation_ip_range_blacklist",), + ) + # 'federation_ip_range_whitelist' was never a supported configuration option. + self.federation_ip_range_whitelist = None + else: + # No backwards-compatiblity requrired, as federation_ip_range_blacklist + # is not given. Default to ip_range_blacklist and ip_range_whitelist. + self.federation_ip_range_blacklist = self.ip_range_blacklist + self.federation_ip_range_whitelist = self.ip_range_whitelist # (undocumented) option for torturing the worker-mode replication a bit, # for testing. The value defines the number of milliseconds to pause before diff --git a/synapse/http/matrixfederationclient.py b/synapse/http/matrixfederationclient.py index 629373fc4..b8849c015 100644 --- a/synapse/http/matrixfederationclient.py +++ b/synapse/http/matrixfederationclient.py @@ -318,7 +318,9 @@ class MatrixFederationHttpClient: # We need to use a DNS resolver which filters out blacklisted IP # addresses, to prevent DNS rebinding. self.reactor = BlacklistingReactorWrapper( - hs.get_reactor(), None, hs.config.federation_ip_range_blacklist + hs.get_reactor(), + hs.config.federation_ip_range_whitelist, + hs.config.federation_ip_range_blacklist, ) # type: ISynapseReactor user_agent = hs.version_string