diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml index d59b4b4bf9..2dfe622ae9 100644 --- a/docs/sample_config.yaml +++ b/docs/sample_config.yaml @@ -102,7 +102,8 @@ pid_file: DATADIR/homeserver.pid # - syd.example.com # Prevent federation requests from being sent to the following -# blacklist IP address CIDR ranges. +# blacklist IP address CIDR ranges. If this option is not specified, or +# specified with an empty list, no ip range blacklist will be enforced. # #federation_ip_range_blacklist: # - '127.0.0.0/8' diff --git a/synapse/config/server.py b/synapse/config/server.py index 3b956a7e07..14e25a5dc4 100644 --- a/synapse/config/server.py +++ b/synapse/config/server.py @@ -17,6 +17,8 @@ import logging import os.path +from netaddr import IPSet + from synapse.http.endpoint import parse_and_validate_server_name from synapse.python_dependencies import DependencyException, check_requirements 
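Review bot: Moving `from netaddr import IPSet` to module scope turns netaddr into a hard import-time dependency of synapse.config.server, so a host without the package now fails with a bare ImportError at startup instead of the ConfigError the old guarded import (removed in the next hunk) produced. The `check_requirements` / `DependencyException` machinery imported two lines below must therefore list netaddr as a required, not optional, dependency; that file is not in this diff, so please confirm it already does, and if not the change belongs in this commit. A one-line comment above the import, `# netaddr is required unconditionally: the federation IP blacklist is now always built as an IPSet`, would tell the next maintainer why the ImportError guard disappeared.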
@@ -123,28 +125,19 @@ class ServerConfig(Config): self.federation_domain_whitelist[domain] = True self.federation_ip_range_blacklist = config.get( - "federation_ip_range_blacklist", None, + "federation_ip_range_blacklist", [], ) - if self.federation_ip_range_blacklist is not None: - # Import IPSet - try: - from netaddr import IPSet - except ImportError: - raise ConfigError( - "Missing netaddr library. This is required to use " - "federation_ip_range_blacklist" - ) - # Attempt to create an IPSet from the given ranges - try: - self.federation_ip_range_blacklist = IPSet( - self.federation_ip_range_blacklist - ) - except Exception as e: - raise ConfigError( - "Invalid range(s) provided in " - "federation_ip_range_blacklist: %s" % e - ) + # Attempt to create an IPSet from the given ranges + try: + self.federation_ip_range_blacklist = IPSet( + self.federation_ip_range_blacklist + ) + except Exception as e: + raise ConfigError( + "Invalid range(s) provided in " + "federation_ip_range_blacklist: %s" % e + ) if self.public_baseurl is not None: if self.public_baseurl[-1] != '/': @@ -376,7 +369,8 @@ class ServerConfig(Config): # - syd.example.com # Prevent federation requests from being sent to the following - # blacklist IP address CIDR ranges. + # blacklist IP address CIDR ranges. If this option is not specified, or + # specified with an empty list, no ip range blacklist will be enforced. # #federation_ip_range_blacklist: # - '127.0.0.0/8' diff --git a/synapse/http/matrixfederationclient.py b/synapse/http/matrixfederationclient.py index b5eb3be2ab..71685f4352 100644 --- a/synapse/http/matrixfederationclient.py +++ b/synapse/http/matrixfederationclient.py 
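Review bot: With the default changed from `None` to `[]`, a homeserver whose config omits `federation_ip_range_blacklist` (or misspells the key) silently ends up with an empty IPSet and no protection against federation requests reaching loopback or RFC1918 addresses, and nothing in this hunk surfaces that to the operator. Since the module already imports logging, I would warn once the IPSet is built, e.g. `if not self.federation_ip_range_blacklist: logger.warning("federation_ip_range_blacklist is empty; federation requests may reach private/loopback addresses")`, assuming a module-level logger exists outside this hunk. The sample config changed in this same commit recommends `127.0.0.0/8` and similar ranges, so the alternative is to make those the default and require an explicit empty list to opt out; either way the secure-by-default decision should be deliberate rather than a side effect of the `[]` literal. The `except Exception` around `IPSet(...)` is broad but netaddr's `AddrFormatError` derives directly from Exception, so narrowing it would need a new import; I would leave it. The enclosing method starts and ends outside this hunk.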
@@ -176,42 +176,35 @@ class MatrixFederationHttpClient(object): self.signing_key = hs.config.signing_key[0] self.server_name = hs.hostname - if hs.config.federation_ip_range_blacklist is not None: - real_reactor = hs.get_reactor() - # If we have an IP blacklist, we need to use a DNS resolver which - # filters out blacklisted IP addresses, to prevent DNS rebinding. - nameResolver = IPBlacklistingResolver( - real_reactor, None, hs.config.federation_ip_range_blacklist, - federation=True, - ) + real_reactor = hs.get_reactor() - @implementer(IReactorPluggableNameResolver) - class Reactor(object): - def __getattr__(_self, attr): - if attr == "nameResolver": - return nameResolver - else: - return getattr(real_reactor, attr) + # We need to use a DNS resolver which filters out blacklisted IP + # addresses, to prevent DNS rebinding. + nameResolver = IPBlacklistingResolver( + real_reactor, None, hs.config.federation_ip_range_blacklist, + federation=True, + ) - self.reactor = Reactor() + @implementer(IReactorPluggableNameResolver) + class Reactor(object): + def __getattr__(_self, attr): + if attr == "nameResolver": + return nameResolver + else: + return getattr(real_reactor, attr) - self.agent = MatrixFederationAgent( - self.reactor, - tls_client_options_factory, - ) + self.reactor = Reactor() - # Prevent direct connections to blacklisted IP addresses - self.agent = BlacklistingAgentWrapper( - self.agent, self.reactor, - ip_blacklist=hs.config.federation_ip_range_blacklist, - ) - else: - self.reactor = hs.get_reactor() + self.agent = MatrixFederationAgent( + self.reactor, + tls_client_options_factory, + ) - self.agent = MatrixFederationAgent( - self.reactor, - tls_client_options_factory, - ) + # Prevent direct connections to blacklisted IP addresses + self.agent = BlacklistingAgentWrapper( + self.agent, self.reactor, + ip_blacklist=hs.config.federation_ip_range_blacklist, + ) self.clock = hs.get_clock() self._store = hs.get_datastore() 
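Review bot: The second positional argument in `IPBlacklistingResolver(real_reactor, None, ...)` is an unexplained `None`; if it is a whitelist parameter, as the `ip_blacklist=` keyword on `BlacklistingAgentWrapper` below suggests, pass it by keyword (`ip_whitelist=None`) so a reader can see that nothing is exempted from the blacklist — with the sample config's `127.0.0.0/8` that includes the homeserver's own loopback, which matters for single-host test deployments. Because the resolver and the agent wrapper are now installed unconditionally, the comment above `nameResolver` should also state the new contract, e.g. `# An empty blacklist (the config default) disables filtering but still routes every lookup through this resolver.`; I cannot see the two helper classes here, so confirm they treat an empty IPSet as allow-all rather than as an error. The `__init__` body starts and ends outside this hunk.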
diff --git a/tests/http/test_fedclient.py b/tests/http/test_fedclient.py index ddf5f0730b..df4e5feadc 100644 --- a/tests/http/test_fedclient.py +++ b/tests/http/test_fedclient.py @@ -78,7 +78,7 @@ class FederationClientTests(HomeserverTestCase): # Nothing happened yet self.assertNoResult(test_d) - # Make sure the req is trying to connect + # Make sure treq is trying to connect clients = self.reactor.tcpClients self.assertEqual(len(clients), 1) (host, port, factory, _timeout, _bindAddress) = clients[0]