This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

ip_range_whitelist has no impact on federation client #9569

Closed
flumeware opened this issue Mar 9, 2021 · 5 comments · Fixed by #10115
Labels: good first issue (Good for newcomers), T-Enhancement (New features, changes in functionality, improvements in performance, or user-facing enhancements.)

Comments

@flumeware

Description

ip_range_whitelist does not affect federation IP blacklisting. I have an internal Matrix server which cannot federate with other servers on the same network.

Steps to reproduce

  • Set up a homeserver using an internal IP address
  • Set ip_range_whitelist to include the other server's IP address
  • Attempt to federate with it

Relevant log entry

INFO - None - Dropped 10.x.x.x from DNS resolution to hs-name due to blacklist

Looking at the code, the federation client is set up without passing an ip_whitelist to its DNS resolver. Only application services appear to use the ip_range_whitelist attribute at present.

Version information

  • Version: 1.29.0

  • Install method: debian package

  • Platform: debian
@clokep
Member

clokep commented Mar 9, 2021

I think we weren't 100% sure how to handle it in light of the old federation_ip_range_blacklist option.

I think the right thing to do is the following:

  • Set a federation_ip_range_whitelist value around here which is None if federation_ip_range_blacklist is defined, otherwise it gets set to ip_range_whitelist.
  • Update the code around here to pass in this federation_ip_range_whitelist value.

I think that will match the expected backwards compatibility.

@clokep clokep added good first issue Good for newcomers T-Enhancement New features, changes in functionality, improvements in performance, or user-facing enhancements. labels Mar 9, 2021
@anoadragon453
Member

if federation_ip_range_blacklist is defined

This might be a bit unclear since federation_ip_range_blacklist falls back to ip_range_whitelist in the linked code. But you meant if federation_ip_range_blacklist is not specified in the config file, correct?

@clokep
Member

clokep commented Mar 9, 2021

But you meant if federation_ip_range_blacklist is not specified in the config file, correct?

Sorry for the confusion...I mean if it is not defined in the config file, yes. 👍

@richvdh
Member

richvdh commented Jun 7, 2021

This might be a bit unclear since federation_ip_range_blacklist falls back to ip_range_whitelist in the linked code

ITYM "federation_ip_range_blacklist falls back to ip_range_blacklist".

@anoadragon453
Member

Oops, yep.
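
The fallback rule discussed in this thread, sketched as an added example (it is not Synapse's code and not part of any comment above). The function names, the use of Python's standard ipaddress module, and the sample config and resolved addresses are assumptions constructed for illustration.

```python
import ipaddress

def parse_ranges(cidrs):
    """Turn CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]

def federation_ip_lists(config):
    """Return (blacklist, whitelist) for the federation client (hypothetical helper).

    Rule from the thread: if federation_ip_range_blacklist is present in the
    config file, keep the old behaviour (no whitelist); otherwise fall back
    to ip_range_blacklist and ip_range_whitelist.
    """
    if "federation_ip_range_blacklist" in config:
        return parse_ranges(config["federation_ip_range_blacklist"]), None
    return (
        parse_ranges(config.get("ip_range_blacklist", [])),
        parse_ranges(config.get("ip_range_whitelist", [])),
    )

def is_blocked(ip, blacklist, whitelist):
    """Blocked means: blacklisted and not rescued by a whitelist entry."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in blacklist):
        return False
    return whitelist is None or not any(addr in net for net in whitelist)

def filter_resolved(addresses, blacklist, whitelist):
    """Keep only the resolved addresses the client may connect to."""
    return [ip for ip in addresses if not is_blocked(ip, blacklist, whitelist)]

# Constructed sample data, not taken from the issue.
CONFIG = {
    "ip_range_blacklist": ["10.0.0.0/8", "127.0.0.0/8"],
    "ip_range_whitelist": ["10.1.2.3/32"],
}
RESOLVED = ["10.1.2.3", "10.9.9.9", "203.0.113.5"]

if __name__ == "__main__":
    bl = parse_ranges(CONFIG["ip_range_blacklist"])
    # Resolver built without a whitelist: the whitelisted peer is dropped.
    print("no whitelist passed:", filter_resolved(RESOLVED, bl, None))
    # Fallback rule applied: only the whitelisted internal peer is let through.
    print("fallback rule:      ", filter_resolved(RESOLVED, *federation_ip_lists(CONFIG)))
    # Old option present in the config file: whitelist is ignored again.
    legacy = dict(CONFIG, federation_ip_range_blacklist=["10.0.0.0/8"])
    print("legacy option set:  ", filter_resolved(RESOLVED, *federation_ip_lists(legacy)))
```

The whitelist only exempts the listed peer; every other address in a blacklisted range is still dropped, so the protection against connecting to arbitrary internal hosts stays in place.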
