Merge commit from fork

* Support configuring allow/deny networks * Make the DNS cache aware of the allow/deny networks * Allow all networks in CI * Update GMSL * Add missed file --------- Co-authored-by: Till Faelligen <2353100+S7evinK@users.noreply.github.com>
2025-09-13 12:52:24 +03:00 · 2025-01-16 11:35:50 -07:00 · 2025-01-16 11:35:50 -07:00 · e9cc37ac52
commit e9cc37ac52
parent 4fb83354ca
9 changed files with 50 additions and 3 deletions
--- a/setup/config/config_federationapi.go
+++ b/setup/config/config_federationapi.go
@ -46,6 +46,10 @@ type FederationAPI struct {

 	// Should we prefer direct key fetches over perspective ones?
 	PreferDirectFetch bool `yaml:"prefer_direct_fetch"`
+
+	// Deny/Allow lists used for restricting request scopes.
+	DenyNetworkCIDRs  []string `yaml:"deny_networks"`
+	AllowNetworkCIDRs []string `yaml:"allow_networks"`
 }

 func (c *FederationAPI) Defaults(opts DefaultOpts) {
@ -53,6 +57,20 @@ func (c *FederationAPI) Defaults(opts DefaultOpts) {
 	c.P2PFederationRetriesUntilAssumedOffline = 1
 	c.DisableTLSValidation = false
 	c.DisableHTTPKeepalives = false
+	c.DenyNetworkCIDRs = []string{
+		"127.0.0.1/8",
+		"10.0.0.0/8",
+		"172.16.0.0/12",
+		"192.168.0.0/16",
+		"100.64.0.0/10",
+		"169.254.0.0/16",
+		"::1/128",
+		"fe80::/64",
+		"fc00::/7",
+	}
+	c.AllowNetworkCIDRs = []string{
+		"0.0.0.0/0",
+	}
 	if opts.Generate {
 		c.KeyPerspectives = KeyPerspectives{
 			{