From 56d00e427d5f0bafbc91d26f55f8ba3a8ad7cef2 Mon Sep 17 00:00:00 2001 From: Holger Weiss Date: Thu, 21 May 2020 21:46:02 +0200 Subject: [PATCH] ejabberd_stun: Add 'turn_blacklist' option The new 'turn_blacklist' listener option allows for specifying one or more IP addresses and/or subnet addresses/masks. The TURN server will refuse to relay traffic from/to blacklisted IP addresses. By default, Teredo and 6to4 addresses are blacklisted, as mandated by RFC 6156 (section 9.1). --- mix.exs | 2 +- rebar.config | 2 +- src/ejabberd_stun.erl | 3 +++ 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/mix.exs b/mix.exs index c578b24c4..38a4045ec 100644 --- a/mix.exs +++ b/mix.exs @@ -90,7 +90,7 @@ defmodule Ejabberd.Mixfile do {:stringprep, "~> 1.0"}, {:fast_yaml, "~> 1.0"}, {:fast_tls, "~> 1.1"}, - {:stun, git: "https://github.com/processone/stun", ref: "481f4dbb8b5793659aedf44048d7c5fde968bfbb", override: true}, + {:stun, git: "https://github.com/processone/stun", ref: "a96f588c8ded48cd15e99911cf7b22ca67b532db", override: true}, {:esip, "~> 1.0.32"}, {:p1_mysql, "~> 1.0"}, {:mqtree, "~> 1.0"}, diff --git a/rebar.config b/rebar.config index 75ea5a7d7..ae7659bf0 100644 --- a/rebar.config +++ b/rebar.config @@ -36,7 +36,7 @@ {mqtree, ".*", {git, "https://github.com/processone/mqtree", {tag, "1.0.7"}}}, {p1_acme, ".*", {git, "https://github.com/processone/p1_acme.git", {tag, "1.0.5"}}}, {base64url, ".*", {git, "https://github.com/dvv/base64url.git", {tag, "v1.0"}}}, - {if_var_true, stun, {stun, ".*", {git, "https://github.com/processone/stun", "481f4dbb8b5793659aedf44048d7c5fde968bfbb"}}}, + {if_var_true, stun, {stun, ".*", {git, "https://github.com/processone/stun", "a96f588c8ded48cd15e99911cf7b22ca67b532db"}}}, {if_var_true, sip, {esip, ".*", {git, "https://github.com/processone/esip", {tag, "1.0.33"}}}}, {if_var_true, mysql, {p1_mysql, ".*", {git, "https://github.com/processone/p1_mysql", {tag, "1.0.15"}}}}, 
diff --git a/src/ejabberd_stun.erl b/src/ejabberd_stun.erl
index 46e7675c9..6be3434e7 100644
--- a/src/ejabberd_stun.erl
+++ b/src/ejabberd_stun.erl
@@ -177,6 +177,8 @@ listen_opt_type(turn_max_allocations) ->
 econf:pos_int(infinity);
 listen_opt_type(turn_max_permissions) ->
 econf:pos_int(infinity);
+listen_opt_type(turn_blacklist) ->
+ econf:list_or_single(econf:ip_mask());
 listen_opt_type(server_name) ->
 econf:binary();
 listen_opt_type(certfile) ->
@@ -195,5 +197,6 @@ listen_options() ->
 {turn_max_port, 65535},
 {turn_max_allocations, 10},
 {turn_max_permissions, 10},
+ {turn_blacklist, [<<"2001::/32">>, <<"2002::/16">>]}, % Teredo, 6to4.
 {server_name, <<"ejabberd">>}].
 -endif.
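Review bot: Neither the `listen_opt_type(turn_blacklist)` clause nor anything else in this hunk says whether a configured list replaces or extends the Teredo/6to4 default set in `listen_options()`. If it replaces the default, as listener options usually do (not visible here), an operator who lists only one internal subnet silently drops the RFC 6156 entries. I would add a comment above the clause, `%% A configured list replaces the default; repeat 2001::/32 and 2002::/16 to keep the RFC 6156 entries.`, and state the same in the option's documentation, along with the fact that loopback, link-local and private ranges are not blocked unless the operator adds them. The run of listen_opt_type clauses starts and ends outside this hunk.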
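Review bot: The default added to `listen_options()` is a list of raw binaries, whereas configured values pass through `econf:ip_mask()`, which presumably returns parsed `{Address, PrefixLength}` terms rather than binaries. If defaults are not run through `listen_opt_type/1` (that code is outside this hunk), the stun library sees a different shape when the option is unset, and the Teredo/6to4 block could be skipped or fail at listener start in exactly the configuration that relies on it. Please confirm with a test that starts the listener without `turn_blacklist` and checks that a 2002::/16 peer is refused, or give the default in validated form, e.g. `{turn_blacklist, [{{16#2001,0,0,0,0,0,0,0}, 32}, {{16#2002,0,0,0,0,0,0,0}, 16}]},` if that is what the validator yields. The body of listen_options() starts outside this hunk.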