add support for binding to a specific interface for url previews

This is helpful to, for example, bind to an interface that can only access the public internet. The resulting setup is less maintenance-heavy / error-prone than manually maintaining a deny/ allowlist to protect internal resources. Signed-off-by: Jade Ellis <jade@ellis.link>
2024-12-07 23:27:56 +00:00 · 2024-12-07 23:27:56 +00:00 · 52cee65748
commit 52cee65748
parent fe1ce521aa
3 changed files with 41 additions and 4 deletions
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@ -1250,6 +1250,16 @@ pub struct Config {
 	#[serde(default = "default_ip_range_denylist")]
 	pub ip_range_denylist: Vec<String>,

+	/// Optional interface to bind to with SO_BINDTODEVICE for URL previews.
+	/// If not set, it will not bind to a specific interface.
+	/// This uses [`reqwest::ClientBuilder::interface`] under the hood.
+	///
+	/// To list the interfaces on your system, use the command `ip link show`
+	///
+	/// Example: `"eth0"`
+	#[cfg(any(target_os = "android", target_os = "fuchsia", target_os = "linux"))]
+	pub url_preview_bound_interface: Option<String>,
+
 	/// Vector list of domains allowed to send requests to for URL previews.
 	/// Defaults to none. Note: this is a *contains* match, not an explicit
 	/// match. Putting "google.com" will match "https://google.com" and
@ -1960,6 +1970,15 @@ impl fmt::Display for Config {
 		line("Forbidden room aliases", {
 			&self.forbidden_alias_names.patterns().iter().join(", ")
 		});
+		#[cfg(any(target_os = "android", target_os = "fuchsia", target_os = "linux"))]
+		line(
+			"URL preview bound interface",
+			if let Some(interface) = &self.url_preview_bound_interface {
+				interface
+			} else {
+				"not set"
+			},
+		);
 		line(
 			"URL preview domain contains allowlist",
 			&self.url_preview_domain_contains_allowlist.join(", "),