From ccdf1d4975842da4d26aa71dfa1822a426644291 Mon Sep 17 00:00:00 2001
From: Sadie Powell
Date: Sun, 2 Mar 2025 13:38:06 +0000
Subject: [PATCH] Revert "Scope the container SSL enforcement a bit better".

This reverts commit 9c151650212e2101002f04bca902ca18982697c0.
---
 src/modules/m_spanningtree/server.cpp | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/src/modules/m_spanningtree/server.cpp b/src/modules/m_spanningtree/server.cpp
index 212b2f7c3..1e358e3ae 100644
--- a/src/modules/m_spanningtree/server.cpp
+++ b/src/modules/m_spanningtree/server.cpp
@@ -37,16 +37,15 @@
 namespace
 {
- bool IsContainerAddress(const irc::sockets::sockaddrs& sa)
+ bool RunningInContainer()
 {
 std::error_code ec;
 if (std::filesystem::is_regular_file("/.dockerenv", ec))
 {
- // We are running in docker, check for internal addresses.
- if (irc::sockets::cidr_mask("172.17.0.0/16").match(sa))
- return true; // docker0
- if (irc::sockets::cidr_mask("172.18.0.0/16").match(sa))
- return true; // docker_gwbridge.
+ // We are running inside of Docker so all IP addresses are
+ // non-local and as far as I can see there isn't a way to
+ // reliably detect the Docker network.
+ return true;
 }
 return false;
 }
@@ -158,7 +157,7 @@ std::shared_ptr TreeSocket::AuthRemote(const CommandBase::Params& params)
 ssliohook->GetCiphersuite(ciphersuite);
 ServerInstance->SNO.WriteToSnoMask('l', "Negotiated ciphersuite {} on link {}", ciphersuite, x->Name);
 }
- else if (!capab->remotesa.is_local() && !IsContainerAddress(capab->remotesa))
+ else if (!capab->remotesa.is_local() && !RunningInContainer())
 {
 this->SendError("Non-local server connections MUST be linked with SSL!");
 return nullptr;
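Review bot: In the first hunk, `RunningInContainer()` returns true whenever `/.dockerenv` exists, so the TLS requirement checked in `AuthRemote` is switched off for every remote peer, not only for peers on a Docker-internal network. A link arriving from a routable address is then accepted in plaintext. The new comment explains why the Docker network cannot be detected but not this consequence; I would add something like `// NOTE: this disables the non-local TLS requirement for ALL peers while running in Docker.` An explicit configuration opt-in would fail closed instead of relying on a marker file, though that is a project decision. The name also promises more than the check delivers, since only the Docker marker file is tested.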
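Review bot: In the second hunk, when the `else if` is skipped because `RunningInContainer()` is true, a non-local plaintext link is accepted without any notice, whereas the TLS branch just above reports its ciphersuite to snomask 'l'. A notice on that path would let operators see when enforcement was bypassed, for example `ServerInstance->SNO.WriteToSnoMask('l', "Link {} is not using TLS; enforcement skipped because the server is running in a container", x->Name);` in its own branch ahead of the rejection. The body of `AuthRemote` starts and ends outside this hunk, so the scope of `x` at that point is assumed from the context line above.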