changeset 6476:4a1c17a5745f

mod_s2s_v6mesh: Fixes for peer authentication
author Matthew Wild <mwild1@gmail.com>
date Tue, 17 Mar 2026 23:08:08 +0000
parents d5b9da8c94ae
children 88852e4f81bf
files mod_s2s_v6mesh/mod_s2s_v6mesh.lua
diffstat 1 files changed, 5 insertions(+), 4 deletions(-) [+]
line wrap: on
line diff
--- a/mod_s2s_v6mesh/mod_s2s_v6mesh.lua	Tue Mar 17 20:18:32 2026 +0100
+++ b/mod_s2s_v6mesh/mod_s2s_v6mesh.lua	Tue Mar 17 23:08:08 2026 +0000
@@ -12,7 +12,7 @@
 local function is_secure_range(remote_ip)
 	for range in secure_ranges do
 		if ip.match(remote_ip, parse_cidr(range)) then
-			return true;
+			return true, range;
 		end
 	end
 	return false;
@@ -33,7 +33,7 @@
 	local raw = base32.decode(dom);
 	if not raw then return nil; end
 
-	return (net.ntop(raw):gsub("=+$", ""));
+	return net.ntop(raw), raw;
 end
 
 module:hook("s2sout-pre-connect", function(event)
@@ -66,8 +66,9 @@
 
 	local remote_ip = ip.new_ip(event.origin.ip);
 
-	if lookup(dom) ~= remote_ip.packed then
+	if select(2, lookup(dom)) ~= remote_ip.packed then
 		module:log("warn", "Rejecting incoming connection from %s: unexpected IP %s", host, remote_ip);
+		event.origin:close({ condition = "not-authorized", text = "Hostname does not match IP address" });
 		return;
 	end
 
@@ -87,7 +88,7 @@
 
 	local remote_ip = ip.new_ip(session.ip);
 
-	if lookup(dom) ~= remote_ip.packed then
+	if select(2, lookup(dom)) ~= remote_ip.packed then
 		module:log("warn", "Unable to authenticate incoming connection from %s: unexpected IP %s", host, remote_ip);
 		return;
 	end