|
c.AllowNetworkCIDRs = []string{ |
|
"0.0.0.0/0", |
|
} |
Since the default federation_api.allow_networks ACLs do not include ::/0, IPv6 addresses always get denied in the outbound ACL checks. I suspect this is just a simple mistake, if this was deliberate I would expect to see a comment in there or something explaining the rationale.
We noticed this after moving our Dendrite server to an IPv6 only machine (with NAT64). The symptoms included "failed to fetch keys for some servers" warning logs, which only under debug log level would show a more useful cause: msg="Outgoing request failed" error="Post \"matrix://delroth.net/_matrix/key/v2/query\": dial tcp [2a01:4f8:13b:f15::1]:8448: [2a01:4f8:13b:f15::1]:8448 is denied" .
We tested that adding ::/0 to the allow_networks via configuration solved the issue, so adding it to the defaults should work to fix this.
dendrite/setup/config/config_federationapi.go
Lines 71 to 73 in e9cc37a
Since the default federation_api.allow_networks ACLs do not include ::/0, IPv6 addresses always get denied in the outbound ACL checks. I suspect this is just a simple mistake, if this was deliberate I would expect to see a comment in there or something explaining the rationale.
We noticed this after moving our Dendrite server to an IPv6 only machine (with NAT64). The symptoms included "failed to fetch keys for some servers" warning logs, which only under debug log level would show a more useful cause:
msg="Outgoing request failed" error="Post \"matrix://delroth.net/_matrix/key/v2/query\": dial tcp [2a01:4f8:13b:f15::1]:8448: [2a01:4f8:13b:f15::1]:8448 is denied".We tested that adding ::/0 to the allow_networks via configuration solved the issue, so adding it to the defaults should work to fix this.