From d0d833d1a00960c15e0392f85ad6a31838ddace1 Mon Sep 17 00:00:00 2001
From: mikure <65556178+mikure@users.noreply.github.com>
Date: Thu, 3 Jun 2021 06:42:49 +0200
Subject: [PATCH 1/7] Create 9569.bugfix
---
 changelog.d/9569.bugfix | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 changelog.d/9569.bugfix
diff --git a/changelog.d/9569.bugfix b/changelog.d/9569.bugfix
new file mode 100644
index 000000000000..0b3d6db533c8
--- /dev/null
+++ b/changelog.d/9569.bugfix
@@ -0,0 +1,2 @@
+Fix a bug that prevented the ip_range_whitelist to work for federation and identity servers.
+Notice that this change will not be applied, if your configuration still uses federation_ip_range_blacklist, due to backwards-compatibility reasons.
From 21b7e77b150037036fd9a3afe99ab533e0f44e3c Mon Sep 17 00:00:00 2001
From: Michael Kutzner <65556178+mikure@users.noreply.github.com>
Date: Thu, 3 Jun 2021 09:01:37 +0200
Subject: [PATCH 2/7] Fix 'ip_range_whitelist' not working for federation servers
Add 'federation_ip_range_whitelist'. This allows backwards-compatibility, If 'federation_ip_range_blacklist' is set. Otherwise 'ip_range_whitelist' will be used for federation servers.
---
 changelog.d/10115.bugfix | 2 ++
 synapse/config/server.py | 5 +++++
 synapse/http/matrixfederationclient.py | 4 +++-
 3 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 changelog.d/10115.bugfix
diff --git a/changelog.d/10115.bugfix b/changelog.d/10115.bugfix
new file mode 100644
index 000000000000..2b795ba0fc1f
--- /dev/null
+++ b/changelog.d/10115.bugfix
@@ -0,0 +1,2 @@
+Fix a bug that prevented the 'ip_range_whitelist' configuration to work for federation and identity servers.
+Notice that this change will not be applied, if your configuration still uses 'federation_ip_range_blacklist', to allow backwards-compatibility.
diff --git a/synapse/config/server.py b/synapse/config/server.py
index c290a35a9285..dc801939b508 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -410,6 +410,11 @@ def read_config(self, config, **kwargs):
 ["0.0.0.0", "::"],
 config_path=("federation_ip_range_blacklist",),
 )
+ # The federation_ip_range_whitelist is used to provide
+ # backwards-compatibility, if federation_ip_range_blacklist is set.
+ self.federation_ip_range_whitelist = None
+ if "federation_ip_range_blacklist" not in config:
+ self.federation_ip_range_whitelist = self.ip_range_whitelist
 # (undocumented) option for torturing the worker-mode replication a bit,
 # for testing. The value defines the number of milliseconds to pause before
diff --git a/synapse/http/matrixfederationclient.py b/synapse/http/matrixfederationclient.py
index 1998990a144e..da13369d6ac6 100644
--- a/synapse/http/matrixfederationclient.py
+++ b/synapse/http/matrixfederationclient.py
@@ -322,7 +322,9 @@ def __init__(self, hs, tls_client_options_factory):
 # We need to use a DNS resolver which filters out blacklisted IP
 # addresses, to prevent DNS rebinding.
 self.reactor = BlacklistingReactorWrapper(
- hs.get_reactor(), None, hs.config.federation_ip_range_blacklist
+ hs.get_reactor(),
+ hs.config.federation_ip_range_whitelist,
+ hs.config.federation_ip_range_blacklist,
 ) # type: ISynapseReactor
 user_agent = hs.version_string
From 86010c43b84d63e5ab43b382507358e419a8b4b3 Mon Sep 17 00:00:00 2001
From: Michael Kutzner <65556178+mikure@users.noreply.github.com>
Date: Thu, 3 Jun 2021 09:25:27 +0200
Subject: [PATCH 3/7] Remove incorrect named changelog file
---
 changelog.d/9569.bugfix | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 changelog.d/9569.bugfix
diff --git a/changelog.d/9569.bugfix b/changelog.d/9569.bugfix
deleted file mode 100644
index 0b3d6db533c8..000000000000
--- a/changelog.d/9569.bugfix
+++ /dev/null
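Review bot: The new branch `if "federation_ip_range_blacklist" not in config:` makes `ip_range_whitelist` carve exceptions out of the federation blacklist as well, and nothing on this page documents that widening for operators who set the whitelist at a time when federation did not honour it. The sample-config description of `ip_range_whitelist` (not in this diff) should gain a sentence such as `# When federation_ip_range_blacklist is not set, this whitelist also applies to outbound federation and identity-server requests.` Note also that a key present with an empty or null value still counts as "in config" and keeps the whitelist switched off for federation; the comment should say that the test is deliberately on presence rather than value. The enclosing read_config starts and ends outside the hunk.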
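Review bot: The comment above the constructor call still says the resolver "filters out blacklisted IP addresses, to prevent DNS rebinding", but the call now also hands over `hs.config.federation_ip_range_whitelist`, so addresses in that set are presumably exempt from the filter; extend the comment, e.g. `# Ranges in federation_ip_range_whitelist (ip_range_whitelist unless the legacy federation_ip_range_blacklist is set) are exempt from this filter.` The whitelist and blacklist are passed positionally and are presumably the same type, so swapping them would silently invert the policy without a type error — passing both by keyword would make the order self-documenting. The changelog in this series names identity servers as well, yet only the federation client is changed; if the identity-server client builds its own BlacklistingReactorWrapper or blacklisting HTTP client from `federation_ip_range_blacklist`, it would need the same whitelist argument to match. The enclosing __init__ continues outside the hunk.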
@@ -1,2 +0,0 @@
-Fix a bug that prevented the ip_range_whitelist to work for federation and identity servers.
-Notice that this change will not be applied, if your configuration still uses federation_ip_range_blacklist, due to backwards-compatibility reasons.
From 1dc53bfa9b52f2119eb70f3be31cee11eac1398b Mon Sep 17 00:00:00 2001
From: Michael Kutzner <65556178+mikure@users.noreply.github.com>
Date: Thu, 10 Jun 2021 05:31:56 +0200
Subject: [PATCH 4/7] Update changelog.d/10115.bugfix
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
---
 changelog.d/10115.bugfix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/changelog.d/10115.bugfix b/changelog.d/10115.bugfix
index 2b795ba0fc1f..8784e49e3349 100644
--- a/changelog.d/10115.bugfix
+++ b/changelog.d/10115.bugfix
@@ -1,2 +1,2 @@
-Fix a bug that prevented the 'ip_range_whitelist' configuration to work for federation and identity servers.
+Fix a bug introduced in Synapse v1.25.0 that prevented the `ip_range_whitelist` configuration option from working for federation and identity servers. Contributed by @mikure.
 Notice that this change will not be applied, if your configuration still uses 'federation_ip_range_blacklist', to allow backwards-compatibility.
From c8212034de92b469e031869cb976fb6ae93000be Mon Sep 17 00:00:00 2001
From: Michael Kutzner <65556178+mikure@users.noreply.github.com>
Date: Thu, 10 Jun 2021 06:04:51 +0200
Subject: [PATCH 5/7] Update changelog.d/10115.bugfix
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
---
 changelog.d/10115.bugfix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/changelog.d/10115.bugfix b/changelog.d/10115.bugfix
index 8784e49e3349..e16f356e6819 100644
--- a/changelog.d/10115.bugfix
+++ b/changelog.d/10115.bugfix
@@ -1,2 +1 @@
 Fix a bug introduced in Synapse v1.25.0 that prevented the `ip_range_whitelist` configuration option from working for federation and identity servers. Contributed by @mikure.
-Notice that this change will not be applied, if your configuration still uses 'federation_ip_range_blacklist', to allow backwards-compatibility.
From fc202ea1df2c1454b9e6799ca61826b7226b6aa3 Mon Sep 17 00:00:00 2001
From: Michael Kutzner <65556178+mikure@users.noreply.github.com>
Date: Thu, 10 Jun 2021 07:08:02 +0200
Subject: [PATCH 6/7] Add explanation about backwards-compatibiliy check
---
 synapse/config/server.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/synapse/config/server.py b/synapse/config/server.py
index dc801939b508..c2bfe53aac4c 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -410,8 +410,10 @@ def read_config(self, config, **kwargs):
 ["0.0.0.0", "::"],
 config_path=("federation_ip_range_blacklist",),
 )
- # The federation_ip_range_whitelist is used to provide
- # backwards-compatibility, if federation_ip_range_blacklist is set.
+ # The federation_ip_range_whitelist is used for backwards-compatibility
+ # and will always be None, as it was never set in any configuration files.
+ # If no backwards-compatibility is required, i.e. the configuration file
+ # doesn't set federation_ip_range_blacklist, use ip_range_whitelist instead.
 self.federation_ip_range_whitelist = None
 if "federation_ip_range_blacklist" not in config:
 self.federation_ip_range_whitelist = self.ip_range_whitelist
From 604a7ed284eaa083e5d7f76dcd9804c7fdfb5794 Mon Sep 17 00:00:00 2001
From: Michael Kutzner <65556178+mikure@users.noreply.github.com>
Date: Sun, 13 Jun 2021 11:23:53 +0200
Subject: [PATCH 7/7] Restructure code for readability
---
 synapse/config/server.py | 32 ++++++++++++++------------------
 1 file changed, 14 insertions(+), 18 deletions(-)
diff --git a/synapse/config/server.py b/synapse/config/server.py
index c2bfe53aac4c..0833a5f7bcab 100644
--- a/synapse/config/server.py
+++ b/synapse/config/server.py
@@ -397,25 +397,21 @@ def read_config(self, config, **kwargs):
 self.ip_range_whitelist = generate_ip_set(
 config.get("ip_range_whitelist", ()), config_path=("ip_range_whitelist",)
 )
- # The federation_ip_range_blacklist is used for backwards-compatibility
- # and only applies to federation and identity servers. If it is not given,
- # default to ip_range_blacklist.
- federation_ip_range_blacklist = config.get(
- "federation_ip_range_blacklist", ip_range_blacklist
- )
- # Always blacklist 0.0.0.0, ::
- self.federation_ip_range_blacklist = generate_ip_set(
- federation_ip_range_blacklist,
- ["0.0.0.0", "::"],
- config_path=("federation_ip_range_blacklist",),
- )
- # The federation_ip_range_whitelist is used for backwards-compatibility
- # and will always be None, as it was never set in any configuration files.
- # If no backwards-compatibility is required, i.e. the configuration file
- # doesn't set federation_ip_range_blacklist, use ip_range_whitelist instead.
- self.federation_ip_range_whitelist = None
- if "federation_ip_range_blacklist" not in config:
+ # and only applies to federation and identity servers.
+ if "federation_ip_range_blacklist" in config:
+ # Always blacklist 0.0.0.0, ::
+ self.federation_ip_range_blacklist = generate_ip_set(
+ config["federation_ip_range_blacklist"],
+ ["0.0.0.0", "::"],
+ config_path=("federation_ip_range_blacklist",),
+ )
+ # 'federation_ip_range_whitelist' was never a supported configuration option.
+ self.federation_ip_range_whitelist = None
+ else:
+ # No backwards-compatiblity requrired, as federation_ip_range_blacklist
+ # is not given. Default to ip_range_blacklist and ip_range_whitelist.
+ self.federation_ip_range_blacklist = self.ip_range_blacklist
 self.federation_ip_range_whitelist = self.ip_range_whitelist
 # (undocumented) option for torturing the worker-mode replication a bit,
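Review bot: The rewritten comment block opens with `# and only applies to federation and identity servers.`, a sentence fragment: as far as the collapsed hunk shows, `# The federation_ip_range_blacklist is used for backwards-compatibility` is removed and not re-added, so either restore that line above the `if` or reword the fragment to `# federation_ip_range_blacklist is a legacy option that only applies to federation and identity servers.` The `else` comment also misspells two words: `# No backwards-compatibility required, as federation_ip_range_blacklist`. In the `if` branch `self.federation_ip_range_whitelist = None` means a configured `ip_range_whitelist` is silently ignored for federation whenever the legacy key is present, even with an empty value; saying so in the comment (or logging a warning at config load) would stop operators from assuming the whitelist still applies. The enclosing read_config starts and ends outside the hunk.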