summary refs log tree commit diff
path: root/synapse
diff options
context:
space:
mode:
authorMichael Kutzner <65556178+mikure@users.noreply.github.com>2021-06-15 09:53:55 +0200
committerGitHub <noreply@github.com>2021-06-15 08:53:55 +0100
commitaac2c49b9b8a241f7a13726cfa74bf3a67c9079f (patch)
tree920191d52391196fe9bf672ebeaf12909d01728e /synapse
parentRefactor `EventPersistenceQueue` (#10145) (diff)
downloadsynapse-aac2c49b9b8a241f7a13726cfa74bf3a67c9079f.tar.xz
Fix 'ip_range_whitelist' not working for federation servers (#10115)
Add 'federation_ip_range_whitelist'. This allows backwards-compatibility, If 'federation_ip_range_blacklist' is set. Otherwise 'ip_range_whitelist' will be used for federation servers.

Signed-off-by: Michael Kutzner 1mikure@gmail.com
Diffstat (limited to '')
-rw-r--r--synapse/config/server.py27
-rw-r--r--synapse/http/matrixfederationclient.py4
2 files changed, 18 insertions, 13 deletions
diff --git a/synapse/config/server.py b/synapse/config/server.py
index c290a35a92..0833a5f7bc 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -397,19 +397,22 @@ class ServerConfig(Config):
         self.ip_range_whitelist = generate_ip_set(
             config.get("ip_range_whitelist", ()), config_path=("ip_range_whitelist",)
         )
-
         # The federation_ip_range_blacklist is used for backwards-compatibility
-        # and only applies to federation and identity servers. If it is not given,
-        # default to ip_range_blacklist.
-        federation_ip_range_blacklist = config.get(
-            "federation_ip_range_blacklist", ip_range_blacklist
-        )
-        # Always blacklist 0.0.0.0, ::
-        self.federation_ip_range_blacklist = generate_ip_set(
-            federation_ip_range_blacklist,
-            ["0.0.0.0", "::"],
-            config_path=("federation_ip_range_blacklist",),
-        )
+        # and only applies to federation and identity servers.
+        if "federation_ip_range_blacklist" in config:
+            # Always blacklist 0.0.0.0, ::
+            self.federation_ip_range_blacklist = generate_ip_set(
+                config["federation_ip_range_blacklist"],
+                ["0.0.0.0", "::"],
+                config_path=("federation_ip_range_blacklist",),
+            )
+            # 'federation_ip_range_whitelist' was never a supported configuration option.
+            self.federation_ip_range_whitelist = None
+        else:
+            # No backwards-compatiblity requrired, as federation_ip_range_blacklist
+            # is not given. Default to ip_range_blacklist and ip_range_whitelist.
+            self.federation_ip_range_blacklist = self.ip_range_blacklist
+            self.federation_ip_range_whitelist = self.ip_range_whitelist
 
         # (undocumented) option for torturing the worker-mode replication a bit,
         # for testing. The value defines the number of milliseconds to pause before
diff --git a/synapse/http/matrixfederationclient.py b/synapse/http/matrixfederationclient.py
index 629373fc47..b8849c0150 100644
--- a/synapse/http/matrixfederationclient.py
+++ b/synapse/http/matrixfederationclient.py
@@ -318,7 +318,9 @@ class MatrixFederationHttpClient:
         # We need to use a DNS resolver which filters out blacklisted IP
         # addresses, to prevent DNS rebinding.
         self.reactor = BlacklistingReactorWrapper(
-            hs.get_reactor(), None, hs.config.federation_ip_range_blacklist
+            hs.get_reactor(),
+            hs.config.federation_ip_range_whitelist,
+            hs.config.federation_ip_range_blacklist,
         )  # type: ISynapseReactor
 
         user_agent = hs.version_string