# HG changeset patch
# User Kim Alvefur
# Date 1364422187 -3600
# Node ID b3c8757ee4f40f3d51126f5a31f31eeb1d1903d1
# Parent d147a4227a7285f61fec73004c9e53746c5dbb35
mod_s2s: Prevent s2s to and from hosts we serve locally
diff -r d147a4227a72 -r b3c8757ee4f4 plugins/mod_s2s/mod_s2s.lua
--- a/plugins/mod_s2s/mod_s2s.lua Tue Mar 26 09:25:20 2013 +0100
+++ b/plugins/mod_s2s/mod_s2s.lua Wed Mar 27 23:09:47 2013 +0100
@@ -80,6 +80,10 @@
 log("warn", "Attempt to send stanza from %s - a host we don't serve", from_host);
 return false;
 end
+ if hosts[to_host] then
+ log("warn", "Attempt to route stanza to a remote %s - a host we do serve?!", from_host);
+ return false;
+ end
 local host = hosts[from_host].s2sout[to_host];
 if host then
 -- We have a connection to this host already
@@ -188,6 +192,9 @@
 });
 end
 end
+ if hosts[host] then
+ session:close({ condition = "undefined-condition", text = "Attempt to authenticate as a host we serve" });
+ end
 if session.type == "s2sout_unauthed" then
 session.type = "s2sout";
 elseif session.type == "s2sin_unauthed" then
@@ -321,6 +328,11 @@
 end
 end
+ if hosts[from] then
+ session:close({ condition = "undefined-condition", text = "Attempt to connect from a host we serve" });
+ return;
+ end
+
 if session.secure and not session.cert_chain_status then
 if check_cert_status(session) == false then
 return;
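Review bot: The warning added in the first hunk formats `from_host`, but the condition it reports is `hosts[to_host]`, so the log line names the sending host instead of the locally served destination that caused the rejection. Anyone triaging these warnings is pointed at the wrong domain. Pass the checked value, ideally both: `log("warn", "Attempt to route stanza from %s to %s over s2s - a host we do serve?!", from_host, to_host);`. The enclosing function starts and ends outside the hunk.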
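Review bot: The `session:close(...)` added in the second hunk is not followed by a `return`, so execution falls through to the `session.type = "s2sout"` / `elseif session.type == "s2sin_unauthed"` promotion on the following lines and the session can still be marked authenticated as a host we serve. The third hunk returns right after its close and this one should do the same, e.g. `return false;` directly after the close line; the function's return convention is outside the hunk, so confirm the value its callers expect. Whether `close()` alone stops later processing on this session is not visible here, so the check should not depend on it.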
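Review bot: The rejection added in the third hunk closes the stream without writing a log entry, unlike the route check in the first hunk, so a remote peer claiming a locally served domain leaves no trace for operators; the close in the second hunk has the same gap. Consider `log("warn", "Rejecting incoming s2s stream claiming to be from %s - a host we serve", from);` before the close. It is also worth confirming that `from` is normalised the same way as the keys of `hosts` before the lookup; that is not visible in the hunk, and a differently cased or unprepared name would miss the check. The enclosing handler starts and ends outside the hunk.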