# HG changeset patch # User Matthew Wild # Date 1773788888 0 # Node ID 4a1c17a5745fa49233b299c17015ea29eeee7f1a # Parent d5b9da8c94aeb47b8afe0447cc31470acd37372c mod_s2s_v6mesh: Fixes for peer authentication diff -r d5b9da8c94ae -r 4a1c17a5745f mod_s2s_v6mesh/mod_s2s_v6mesh.lua --- a/mod_s2s_v6mesh/mod_s2s_v6mesh.lua Tue Mar 17 20:18:32 2026 +0100 +++ b/mod_s2s_v6mesh/mod_s2s_v6mesh.lua Tue Mar 17 23:08:08 2026 +0000 @@ -12,7 +12,7 @@ local function is_secure_range(remote_ip) for range in secure_ranges do if ip.match(remote_ip, parse_cidr(range)) then - return true; + return true, range; end end return false; @@ -33,7 +33,7 @@ local raw = base32.decode(dom); if not raw then return nil; end - return (net.ntop(raw):gsub("=+$", "")); + return net.ntop(raw), raw; end module:hook("s2sout-pre-connect", function(event) @@ -66,8 +66,9 @@ local remote_ip = ip.new_ip(event.origin.ip); - if lookup(dom) ~= remote_ip.packed then + if select(2, lookup(dom)) ~= remote_ip.packed then module:log("warn", "Rejecting incoming connection from %s: unexpected IP %s", host, remote_ip); + event.origin:close({ condition = "not-authorized", text = "Hostname does not match IP address" }); return; end @@ -87,7 +88,7 @@ local remote_ip = ip.new_ip(session.ip); - if lookup(dom) ~= remote_ip.packed then + if select(2, lookup(dom)) ~= remote_ip.packed then module:log("warn", "Unable to authenticate incoming connection from %s: unexpected IP %s", host, remote_ip); return; end