From 9c151650212e2101002f04bca902ca18982697c0 Mon Sep 17 00:00:00 2001
From: Sadie Powell
Date: Sun, 2 Mar 2025 13:06:35 +0000
Subject: [PATCH] Scope the container SSL enforcement a bit better.

---
 src/modules/m_spanningtree/server.cpp | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/modules/m_spanningtree/server.cpp b/src/modules/m_spanningtree/server.cpp
index a2c6163f9..212b2f7c3 100644
--- a/src/modules/m_spanningtree/server.cpp
+++ b/src/modules/m_spanningtree/server.cpp
@@ -37,10 +37,18 @@ namespace
 {
-	bool RunningInContainer()
+	bool IsContainerAddress(const irc::sockets::sockaddrs& sa)
 	{
 		std::error_code ec;
-		return std::filesystem::is_regular_file("/.dockerenv", ec);
+		if (std::filesystem::is_regular_file("/.dockerenv", ec))
+		{
+			// We are running in docker, check for internal addresses.
+			if (irc::sockets::cidr_mask("172.17.0.0/16").match(sa))
+				return true; // docker0
+			if (irc::sockets::cidr_mask("172.18.0.0/16").match(sa))
+				return true; // docker_gwbridge.
+		}
+		return false;
 	}
 }
@@ -150,7 +158,7 @@ std::shared_ptr TreeSocket::AuthRemote(const CommandBase::Params& params)
 		ssliohook->GetCiphersuite(ciphersuite);
 		ServerInstance->SNO.WriteToSnoMask('l', "Negotiated ciphersuite {} on link {}", ciphersuite, x->Name);
 	}
-	else if (!capab->remotesa.is_local() && !RunningInContainer())
+	else if (!capab->remotesa.is_local() && !IsContainerAddress(capab->remotesa))
 	{
 		this->SendError("Non-local server connections MUST be linked with SSL!");
 		return nullptr;
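Review bot: The exemption in IsContainerAddress keys only on the peer address, so a connection whose source address has been rewritten to the bridge gateway (a published port forwarded through the userland docker-proxy commonly presents as 172.17.0.1) would look container-internal and be allowed to link without SSL; I would confirm whether that path is reachable for the link port in the supported deployments and document the limitation on the function, e.g. `// Only recognises Docker's default bridge subnets; a connection forwarded via a published port may carry the bridge gateway as its source and is indistinguishable here from an in-network container.` The two ranges are Docker's defaults only, so daemon-configured address pools and user-defined networks on other subnets will fall back to the SSL requirement, which the comment on the `/.dockerenv` branch should state rather than "check for internal addresses". As a minor point of style, both `irc::sockets::cidr_mask` objects are rebuilt on every call and could be `static const` locals, and the two trailing comments should agree on punctuation (`// docker0` vs `// docker_gwbridge.`).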
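Review bot: When the container exemption lets a non-local link proceed without SSL, nothing is recorded, whereas the SSL branch just above reports the negotiated ciphersuite to the 'l' snomask, so an operator has no way to see from the notices that a plaintext server link was accepted. I would add a trailing `else if (!capab->remotesa.is_local())` branch after the error case that writes `ServerInstance->SNO.WriteToSnoMask('l', "Allowed non-SSL link {} from a container-internal address", x->Name);` so the exemption is visible wherever ciphersuite negotiation already is. AuthRemote starts and ends outside this hunk, so the branch ordering should be checked against the rest of the function.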