nanocurrency · RickiNano · Jan 29, 2024 · Jan 30, 2024 · Jan 30, 2024 · Jan 30, 2024
diff --git a/nano/core_test/toml.cpp b/nano/core_test/toml.cpp
@@ -180,6 +180,7 @@ TEST (toml, daemon_config_deserialize_defaults)
 	ASSERT_EQ (conf.node.peering_port, defaults.node.peering_port);
 	ASSERT_EQ (conf.node.pow_sleep_interval, defaults.node.pow_sleep_interval);
 	ASSERT_EQ (conf.node.preconfigured_peers, defaults.node.preconfigured_peers);
+	ASSERT_EQ (conf.node.blocked_peers, defaults.node.blocked_peers);
 	ASSERT_EQ (conf.node.preconfigured_representatives, defaults.node.preconfigured_representatives);
 	ASSERT_EQ (conf.node.receive_minimum, defaults.node.receive_minimum);
 	ASSERT_EQ (conf.node.signature_checker_threads, defaults.node.signature_checker_threads);
@@ -407,6 +408,7 @@ TEST (toml, daemon_config_deserialize_no_defaults)
 	peering_port = 999
 	pow_sleep_interval= 999
 	preconfigured_peers = ["dev.org"]
+	blocked_peers = ["192.168.0.1"]
 	preconfigured_representatives = ["nano_3arg3asgtigae3xckabaaewkx3bzsh7nwz7jkmjos79ihyaxwphhm6qgjps4"]
 	receive_minimum = "999"
 	signature_checker_threads = 999
@@ -597,6 +599,7 @@ TEST (toml, daemon_config_deserialize_no_defaults)
 	ASSERT_NE (conf.node.peering_port, defaults.node.peering_port);
 	ASSERT_NE (conf.node.pow_sleep_interval, defaults.node.pow_sleep_interval);
 	ASSERT_NE (conf.node.preconfigured_peers, defaults.node.preconfigured_peers);
+	ASSERT_NE (conf.node.blocked_peers, defaults.node.blocked_peers);
 	ASSERT_NE (conf.node.preconfigured_representatives, defaults.node.preconfigured_representatives);
 	ASSERT_NE (conf.node.receive_minimum, defaults.node.receive_minimum);
 	ASSERT_NE (conf.node.signature_checker_threads, defaults.node.signature_checker_threads);

diff --git a/nano/node/network.cpp b/nano/node/network.cpp
@@ -67,6 +67,8 @@ nano::network::~network ()
 
 void nano::network::start ()
 {
+	Configure_blocked_peers ();
+
 	if (!node.flags.disable_connection_cleanup)
 	{
 		ongoing_cleanup ();
@@ -347,6 +349,39 @@ void nano::network::broadcast_confirm_req_many (std::deque<std::pair<std::shared
 	}
 }
 
+void nano::network::Configure_blocked_peers ()
+{
+	for (const std::string & ip_string : node.config.blocked_peers)
+	{
+		boost::system::error_code ec;
+		auto ip_address = boost::asio::ip::address::from_string (ip_string, ec);
+
+		if (!ec)
+		{
+			if (ip_address.is_v4 ())
+			{
+				// Convert IPv4 address to IPv4-mapped IPv6 address
+				blocked_ips.insert (boost::asio::ip::address_v6::v4_mapped (ip_address.to_v4 ()));
+			}
+			else
+			{
+				blocked_ips.insert (ip_address);
+			}
+
+			node.logger.info (nano::log::type::network, "Added blocking rule for ip {}", ip_address.to_string ());
+		}
+		else
+		{
+			node.logger.error (nano::log::type::network, "Invalid IP address: {}", ip_string);
+		}
+	}
+}
+
+bool nano::network::is_ip_blocked (const boost::asio::ip::address & ip_address) const
+{
+	return blocked_ips.find (ip_address) != blocked_ips.end ();
+}
+
 namespace
 {
 class network_message_visitor : public nano::message_visitor
@@ -468,6 +503,12 @@ class network_message_visitor : public nano::message_visitor
 
 void nano::network::process_message (nano::message const & message, std::shared_ptr<nano::transport::channel> const & channel)
 {
+	if (is_ip_blocked (channel->get_tcp_endpoint ().address ()))
+	{
+		node.logger.debug (nano::log::type::network, "Ignoring message from IP {}", channel->get_tcp_endpoint ().address ().to_string ());
+		return;
+	}
+
 	node.stats.inc (nano::stat::type::message, to_stat_detail (message.header.type), nano::stat::dir::in);
 
 	network_message_visitor visitor{ node, channel };

diff --git a/nano/node/network.hpp b/nano/node/network.hpp
@@ -100,6 +100,8 @@ class network final
 	void broadcast_confirm_req_base (std::shared_ptr<nano::block> const &, std::shared_ptr<std::vector<std::shared_ptr<nano::transport::channel>>> const &, unsigned, bool = false);
 	void broadcast_confirm_req_batched_many (std::unordered_map<std::shared_ptr<nano::transport::channel>, std::deque<std::pair<nano::block_hash, nano::root>>>, std::function<void ()> = nullptr, unsigned = broadcast_interval_ms, bool = false);
 	void broadcast_confirm_req_many (std::deque<std::pair<std::shared_ptr<nano::block>, std::shared_ptr<std::vector<std::shared_ptr<nano::transport::channel>>>>>, std::function<void ()> = nullptr, unsigned = broadcast_interval_ms);
+	void Configure_blocked_peers ();
+	bool is_ip_blocked (const boost::asio::ip::address & ip_address) const;
 	std::shared_ptr<nano::transport::channel> find_node_id (nano::account const &);
 	std::shared_ptr<nano::transport::channel> find_channel (nano::endpoint const &);
 	bool not_a_peer (nano::endpoint const &, bool);
@@ -133,6 +135,7 @@ class network final
 	bool verify_handshake_response (nano::node_id_handshake::response_payload const & response, nano::endpoint const & remote_endpoint);
 	std::optional<nano::node_id_handshake::query_payload> prepare_handshake_query (nano::endpoint const & remote_endpoint);
 	nano::node_id_handshake::response_payload prepare_handshake_response (nano::node_id_handshake::query_payload const & query, bool v2) const;
+	std::unordered_set<boost::asio::ip::address> blocked_ips;
 
 private:
 	void process_message (nano::message const &, std::shared_ptr<nano::transport::channel> const &);

diff --git a/nano/node/nodeconfig.cpp b/nano/node/nodeconfig.cpp
@@ -144,6 +144,8 @@ nano::error nano::node_config::serialize_toml (nano::tomlconfig & toml) const
 		preconfigured_peers_l->push_back (*i);
 	}
 
+	auto blocked_peers_l (toml.create_array ("blocked_peers", "A list of \"address\" (ipv4 or ipv6 notation ip address) that you want to ignore all requests from. \nExample: [\"192.168.0.1\",\"::ffff:10.0.0.1\"]"));
+
 	auto preconfigured_representatives_l (toml.create_array ("preconfigured_representatives", "A list of representative account addresses used when creating new accounts in internal wallets."));
 	for (auto i (preconfigured_representatives.begin ()), n (preconfigured_representatives.end ()); i != n; ++i)
 	{
@@ -288,6 +290,14 @@ nano::error nano::node_config::deserialize_toml (nano::tomlconfig & toml)
 			});
 		}
 
+		if (toml.has_key ("blocked_peers"))
+		{
+			blocked_peers.clear ();
+			toml.array_entries_required<std::string> ("blocked_peers", [this, &toml] (std::string entry) {
+				blocked_peers.push_back (entry);
+			});
+		}
+
 		if (toml.has_key ("preconfigured_representatives"))
 		{
 			preconfigured_representatives.clear ();

diff --git a/nano/node/nodeconfig.hpp b/nano/node/nodeconfig.hpp
@@ -54,6 +54,7 @@ class node_config
 	std::vector<std::pair<std::string, uint16_t>> work_peers;
 	std::vector<std::pair<std::string, uint16_t>> secondary_work_peers{ { "127.0.0.1", 8076 } }; /* Default of nano-pow-server */
 	std::vector<std::string> preconfigured_peers;
+	std::vector<std::string> blocked_peers{};
 	std::vector<nano::account> preconfigured_representatives;
 	unsigned bootstrap_fraction_numerator{ 1 };
 	nano::amount receive_minimum{ nano::xrb_ratio };