1 files changed, 22 insertions, 20 deletions

diff --git a/Jellyfin.Server/Middleware/IpBasedAccessValidationMiddleware.cs b/Jellyfin.Server/Middleware/IpBasedAccessValidationMiddleware.cs
index 4bda8f273..6f636819f 100644
--- a/Jellyfin.Server/Middleware/IpBasedAccessValidationMiddleware.cs
+++ b/Jellyfin.Server/Middleware/IpBasedAccessValidationMiddleware.cs
@@ -1,9 +1,11 @@
-using System.Linq;
+using System.Net;
 using System.Threading.Tasks;
+using Jellyfin.Networking.Configuration;
 using MediaBrowser.Common.Extensions;
 using MediaBrowser.Common.Net;
 using MediaBrowser.Controller.Configuration;
 using Microsoft.AspNetCore.Http;
+using NetworkCollection;
 
 namespace Jellyfin.Server.Middleware
 {
@@ -34,40 +36,40 @@ namespace Jellyfin.Server.Middleware
         {
             if (httpContext.IsLocal())
             {
+                // Running locally.
                 await _next(httpContext).ConfigureAwait(false);
                 return;
             }
 
-            var remoteIp = httpContext.GetNormalizedRemoteIp();
+            var remoteIp = httpContext.Connection.RemoteIpAddress ?? IPAddress.Loopback;
 
-            if (serverConfigurationManager.Configuration.EnableRemoteAccess)
+            if (serverConfigurationManager.GetNetworkConfiguration().EnableRemoteAccess)
             {
-                var addressFilter = serverConfigurationManager.Configuration.RemoteIPFilter.Where(i => !string.IsNullOrWhiteSpace(i)).ToArray();
+                // Comma separated list of IP addresses or IP/netmask entries for networks that will be allowed to connect remotely.
+                // If left blank, all remote addresses will be allowed.
+                NetCollection remoteAddressFilter = networkManager.RemoteAddressFilter;
 
-                if (addressFilter.Length > 0 && !networkManager.IsInLocalNetwork(remoteIp))
+                if (remoteAddressFilter.Count > 0 && !networkManager.IsInLocalNetwork(remoteIp))
                 {
-                    if (serverConfigurationManager.Configuration.IsRemoteIPFilterBlacklist)
+                    // remoteAddressFilter is a whitelist or blacklist.
+                    bool isListed = remoteAddressFilter.Contains(remoteIp);
+                    if (!serverConfigurationManager.GetNetworkConfiguration().IsRemoteIPFilterBlacklist)
                     {
-                        if (networkManager.IsAddressInSubnets(remoteIp, addressFilter))
-                        {
-                            return;
-                        }
+                        // Black list, so flip over.
+                        isListed = !isListed;
                     }
-                    else
+
+                    if (!isListed)
                     {
-                        if (!networkManager.IsAddressInSubnets(remoteIp, addressFilter))
-                        {
-                            return;
-                        }
+                        // If your name isn't on the list, you arn't coming in.
+                        return;
                     }
                 }
             }
-            else
+            else if (!networkManager.IsInLocalNetwork(remoteIp))
             {
-                if (!networkManager.IsInLocalNetwork(remoteIp))
-                {
-                    return;
-                }
+                // Remote not enabled. So everyone should be LAN.
+                return;
             }
 
             await _next(httpContext).ConfigureAwait(false);