Merge commit from fork

* Support configuring allow/deny networks

* Make the DNS cache aware of the allow/deny networks

* Allow all networks in CI

* Update GMSL

* Add missed file

---------

Co-authored-by: Till Faelligen <2353100+S7evinK@users.noreply.github.com>

cmd/dendrite/main.go

@@ -94,6 +94,8 @@ func main() {
 		dnsCache = fclient.NewDNSCache(
 			cfg.Global.DNSCache.CacheSize,
 			cfg.Global.DNSCache.CacheLifetime,
+			cfg.FederationAPI.AllowNetworkCIDRs,
+			cfg.FederationAPI.DenyNetworkCIDRs,
 		)
 		logrus.Infof(
 			"DNS cache enabled (size %d, lifetime %s)",

cmd/generate-config/main.go

@@ -71,6 +71,10 @@ func main() {
 			cfg.ClientAPI.RateLimiting.Enabled = false
 			cfg.FederationAPI.DisableTLSValidation = false
 			cfg.FederationAPI.DisableHTTPKeepalives = true
+			// Allow allow networks when running in CI, as otherwise connections
+			// to other servers might be blocked when running Complement/Sytest.
+			cfg.FederationAPI.DenyNetworkCIDRs = []string{}
+			cfg.FederationAPI.AllowNetworkCIDRs = []string{}
 			// don't hit matrix.org when running tests!!!
 			cfg.FederationAPI.KeyPerspectives = config.KeyPerspectives{}
 			cfg.MediaAPI.BasePath = config.Path(filepath.Join(*dirPath, "media"))

contrib/dendrite-demo-i2p/main.go

@@ -70,6 +70,8 @@ func main() {
 		dnsCache = fclient.NewDNSCache(
 			cfg.Global.DNSCache.CacheSize,
 			cfg.Global.DNSCache.CacheLifetime,
+			cfg.FederationAPI.AllowNetworkCIDRs,
+			cfg.FederationAPI.DenyNetworkCIDRs,
 		)
 		logrus.Infof(
 			"DNS cache enabled (size %d, lifetime %s)",

contrib/dendrite-demo-tor/main.go

@@ -65,6 +65,8 @@ func main() {
 		dnsCache = fclient.NewDNSCache(
 			cfg.Global.DNSCache.CacheSize,
 			cfg.Global.DNSCache.CacheLifetime,
+			cfg.FederationAPI.AllowNetworkCIDRs,
+			cfg.FederationAPI.DenyNetworkCIDRs,
 		)
 		logrus.Infof(
 			"DNS cache enabled (size %d, lifetime %s)",

dendrite-sample.yaml

@@ -254,6 +254,24 @@ federation_api:
   # last resort.
   prefer_direct_fetch: false
 
+  # deny_networks and allow_networks are the CIDR ranges used to prevent requests
+  # from accessing private IPs. If your system has specific IPs it should never
+  # contact, add them here with CIDR notation.
+  #
+  # The deny list is checked before the allow list.
+  deny_networks:
+    - "127.0.0.1/8"
+    - "10.0.0.0/8"
+    - "172.16.0.0/12"
+    - "192.168.0.0/16"
+    - "100.64.0.0/10"
+    - "169.254.0.0/16"
+    - "::1/128"
+    - "fe80::/64"
+    - "fc00::/7"
+  allow_networks:
+    - "0.0.0.0/0" # "Everything". The deny list will help limit this.
+
 # Configuration for the Media API.
 media_api:
   # Storage path for uploaded media. May be relative or absolute.

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/matrix-org/dugong v0.0.0-20210921133753-66e6b1c67e2e
 	github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91
 	github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530
-	github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8
+	github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d
 	github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7
 	github.com/matrix-org/util v0.0.0-20221111132719-399730281e66
 	github.com/mattn/go-sqlite3 v1.14.24

go.sum

@@ -232,8 +232,8 @@ github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91 h1:s7fexw
 github.com/matrix-org/go-sqlite3-js v0.0.0-20220419092513-28aa791a1c91/go.mod h1:e+cg2q7C7yE5QnAXgzo512tgFh1RbQLC0+jozuegKgo=
 github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530 h1:kHKxCOLcHH8r4Fzarl4+Y3K5hjothkVW5z7T1dUM11U=
 github.com/matrix-org/gomatrix v0.0.0-20220926102614-ceba4d9f7530/go.mod h1:/gBX06Kw0exX1HrwmoBibFA98yBk/jxKpGVeyQbff+s=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8 h1:nC998SaawQwbZ16/V70Pil3pY3rSQwTaeLOpHWp7ZTo=
+github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d h1:c3Dkci0GDH/6cGGt8zGIiJMP+UOdtX0DPY6dxiJvtZM=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20241215094829-e86ab16eabe8/go.mod h1:qil34SWn6VB6gO5312rzziCUcZtgROPjrLE+4ly/0os=
+github.com/matrix-org/gomatrixserverlib v0.0.0-20250116181547-c4f1e01eab0d/go.mod h1:qil34SWn6VB6gO5312rzziCUcZtgROPjrLE+4ly/0os=
 github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7 h1:6t8kJr8i1/1I5nNttw6nn1ryQJgzVlBmSGgPiiaTdw4=
 github.com/matrix-org/pinecone v0.11.1-0.20230810010612-ea4c33717fd7/go.mod h1:ReWMS/LoVnOiRAdq9sNUC2NZnd1mZkMNB52QhpTRWjg=
 github.com/matrix-org/util v0.0.0-20221111132719-399730281e66 h1:6z4KxomXSIGWqhHcfzExgkH3Z3UkIXry4ibJS4Aqz2Y=

setup/base/base.go

@@ -82,6 +82,7 @@ func CreateFederationClient(cfg *config.Dendrite, dnsCache *fclient.DNSCache) fc
 		fclient.WithSkipVerify(cfg.FederationAPI.DisableTLSValidation),
 		fclient.WithKeepAlives(!cfg.FederationAPI.DisableHTTPKeepalives),
 		fclient.WithUserAgent(fmt.Sprintf("Dendrite/%s", internal.VersionString())),
+		fclient.WithAllowDenyNetworks(cfg.FederationAPI.AllowNetworkCIDRs, cfg.FederationAPI.DenyNetworkCIDRs),
 	}
 	if cfg.Global.DNSCache.Enabled {
 		opts = append(opts, fclient.WithDNSCache(dnsCache))

setup/config/config_federationapi.go

@@ -46,6 +46,10 @@ type FederationAPI struct {
 
 	// Should we prefer direct key fetches over perspective ones?
 	PreferDirectFetch bool `yaml:"prefer_direct_fetch"`
+
+	// Deny/Allow lists used for restricting request scopes.
+	DenyNetworkCIDRs  []string `yaml:"deny_networks"`
+	AllowNetworkCIDRs []string `yaml:"allow_networks"`
 }
 
 func (c *FederationAPI) Defaults(opts DefaultOpts) {
@@ -53,6 +57,20 @@ func (c *FederationAPI) Defaults(opts DefaultOpts) {
 	c.P2PFederationRetriesUntilAssumedOffline = 1
 	c.DisableTLSValidation = false
 	c.DisableHTTPKeepalives = false
+	c.DenyNetworkCIDRs = []string{
+		"127.0.0.1/8",
+		"10.0.0.0/8",
+		"172.16.0.0/12",
+		"192.168.0.0/16",
+		"100.64.0.0/10",
+		"169.254.0.0/16",
+		"::1/128",
+		"fe80::/64",
+		"fc00::/7",
+	}
+	c.AllowNetworkCIDRs = []string{
+		"0.0.0.0/0",
+	}
 	if opts.Generate {
 		c.KeyPerspectives = KeyPerspectives{
 			{