From ea3ea876733eff4cd5b33d4032ef0a697cbfd342 Mon Sep 17 00:00:00 2001 From: Mostafa Date: Sat, 4 Nov 2023 03:22:33 +0800 Subject: [PATCH 1/2] feat(network): filter private ips --- config/example_config.toml | 4 +++ network/config.go | 2 ++ network/network.go | 68 +++++++++++++++++++++++++++----------- network/network_test.go | 1 + network/utils.go | 46 +++++++++++++++++++++++++- tests/main_test.go | 1 + 6 files changed, 102 insertions(+), 20 deletions(-) diff --git a/config/example_config.toml b/config/example_config.toml index a474da16f..4ddafb915 100644 --- a/config/example_config.toml +++ b/config/example_config.toml @@ -62,6 +62,10 @@ # Default is false. ## enable_metrics = false + # `private_network` if enabled, connects to nodes in the private network. + # Default is false. + ## private_network = false + # `bootstrapper` if enabled, it runs the node in bootstrap mode. # Default is false. ## bootstrapper = false diff --git a/network/config.go b/network/config.go index efa2400f0..8fedbb10f 100644 --- a/network/config.go +++ b/network/config.go @@ -18,6 +18,7 @@ type Config struct { EnableRelay bool `toml:"enable_relay"` EnableMdns bool `toml:"enable_mdns"` EnableMetrics bool `toml:"enable_metrics"` + PrivateNetwork bool `toml:"private_network"` Bootstrapper bool `toml:"bootstrapper"` } @@ -54,6 +55,7 @@ func DefaultConfig() *Config { EnableRelay: false, EnableMdns: false, EnableMetrics: false, + PrivateNetwork: false, Bootstrapper: false, } } diff --git a/network/network.go b/network/network.go index 54369dd95..314b1c8fc 100644 --- a/network/network.go +++ b/network/network.go @@ -13,6 +13,7 @@ import ( lp2phost "github.com/libp2p/go-libp2p/core/host" lp2ppeer "github.com/libp2p/go-libp2p/core/peer" lp2prcmgr "github.com/libp2p/go-libp2p/p2p/host/resource-manager" + lp2pconngater "github.com/libp2p/go-libp2p/p2p/net/conngater" lp2pconnmgr "github.com/libp2p/go-libp2p/p2p/net/connmgr" ma "github.com/multiformats/go-multiaddr" "github.com/pactus-project/pactus/util" @@ -103,25 +104,25 @@ func newNetwork(networkName string, conf *Config, opts []lp2p.Option) (*network, maxConns := conf.MaxConns minConns := conf.MinConns limit := lp2prcmgr.DefaultLimits - limit.SystemBaseLimit.ConnsInbound = logScale(maxConns) - limit.SystemBaseLimit.Conns = logScale(2 * maxConns) - limit.SystemBaseLimit.StreamsInbound = logScale(maxConns) - limit.SystemBaseLimit.Streams = logScale(2 * maxConns) - - limit.ServiceLimitIncrease.ConnsInbound = logScale(minConns) - limit.ServiceLimitIncrease.Conns = logScale(2 * minConns) - limit.ServiceLimitIncrease.StreamsInbound = logScale(minConns) - limit.ServiceLimitIncrease.Streams = logScale(2 * minConns) - - limit.TransientBaseLimit.ConnsInbound = logScale(maxConns / 2) - limit.TransientBaseLimit.Conns = logScale(2 * maxConns / 2) - limit.TransientBaseLimit.StreamsInbound = logScale(maxConns / 2) - limit.TransientBaseLimit.Streams = logScale(2 * maxConns / 2) - - limit.TransientLimitIncrease.ConnsInbound = logScale(minConns / 2) - limit.TransientLimitIncrease.Conns = logScale(2 * minConns / 2) - limit.TransientLimitIncrease.StreamsInbound = logScale(minConns / 2) - limit.TransientLimitIncrease.Streams = logScale(2 * minConns / 2) + limit.SystemBaseLimit.ConnsInbound = LogScale(maxConns) + limit.SystemBaseLimit.Conns = LogScale(2 * maxConns) + limit.SystemBaseLimit.StreamsInbound = LogScale(maxConns) + limit.SystemBaseLimit.Streams = LogScale(2 * maxConns) + + limit.ServiceLimitIncrease.ConnsInbound = LogScale(minConns) + limit.ServiceLimitIncrease.Conns = LogScale(2 * minConns) + limit.ServiceLimitIncrease.StreamsInbound = LogScale(minConns) + limit.ServiceLimitIncrease.Streams = LogScale(2 * minConns) + + limit.TransientBaseLimit.ConnsInbound = LogScale(maxConns / 2) + limit.TransientBaseLimit.Conns = LogScale(2 * maxConns / 2) + limit.TransientBaseLimit.StreamsInbound = LogScale(maxConns / 2) + limit.TransientBaseLimit.Streams = LogScale(2 * maxConns / 2) + + limit.TransientLimitIncrease.ConnsInbound = LogScale(minConns / 2) + limit.TransientLimitIncrease.Conns = LogScale(2 * minConns / 2) + limit.TransientLimitIncrease.StreamsInbound = LogScale(minConns / 2) + limit.TransientLimitIncrease.Streams = LogScale(2 * minConns / 2) resMgr, err := lp2prcmgr.NewResourceManager( lp2prcmgr.NewFixedLimiter(limit.AutoScale()), @@ -185,6 +186,35 @@ func newNetwork(networkName string, conf *Config, opts []lp2p.Option) (*network, ) } + // TODO: should include relay addresses + privateSubnets := PrivateSubnets() + privateFilters := SubnetsToFilters(privateSubnets, ma.ActionDeny) + addrFactory := lp2p.AddrsFactory(func(as []ma.Multiaddr) []ma.Multiaddr { + addrs := []ma.Multiaddr{} + for _, addr := range as { + if conf.PrivateNetwork || !privateFilters.AddrBlocked(addr) { + addrs = append(addrs, addr) + } + } + return addrs + }) + + if !conf.PrivateNetwork { + connGater, err := lp2pconngater.NewBasicConnectionGater(nil) + if err != nil { + return nil, LibP2PError{Err: err} + } + for _, sn := range privateSubnets { + err := connGater.BlockSubnet(sn) + if err != nil { + return nil, LibP2PError{Err: err} + } + } + opts = append(opts, lp2p.ConnectionGater(connGater)) + } + + opts = append(opts, addrFactory) + host, err := lp2p.New(opts...) if err != nil { return nil, LibP2PError{Err: err} diff --git a/network/network_test.go b/network/network_test.go index 92edd738c..85f0c77a0 100644 --- a/network/network_test.go +++ b/network/network_test.go @@ -64,6 +64,7 @@ func testConfig() *Config { EnableNAT: false, EnableRelay: false, EnableMdns: false, + PrivateNetwork: true, } } diff --git a/network/utils.go b/network/utils.go index 0ffe2dd55..fe37fa74b 100644 --- a/network/utils.go +++ b/network/utils.go @@ -3,6 +3,7 @@ package network import ( "context" "math/bits" + "net" "time" lp2phost "github.com/libp2p/go-libp2p/core/host" @@ -59,7 +60,50 @@ func ConnectAsync(ctx context.Context, h lp2phost.Host, addrInfo lp2ppeer.AddrIn }() } -func logScale(val int) int { +func LogScale(val int) int { bitlen := bits.Len(uint(val)) return 1 << bitlen } + +func PrivateSubnets() []*net.IPNet { + privateCIDRs := []string{ + // -- Ipv4 -- + // localhost + "127.0.0.0/8", + // private networks + "10.0.0.0/8", + "100.64.0.0/10", + "172.16.0.0/12", + "192.168.0.0/16", + // link local + "169.254.0.0/16", + + // -- Ipv6 -- + // localhost + "::1/128", + // ULA reserved + "fc00::/7", + // link local + "fe80::/10", + } + + subnets := []*net.IPNet{} + for _, cidr := range privateCIDRs { + _, sn, err := net.ParseCIDR(cidr) + if err != nil { + panic(err) + } + subnets = append(subnets, sn) + } + + return subnets +} + +func SubnetsToFilters(subnets []*net.IPNet, action multiaddr.Action) *multiaddr.Filters { + filters := multiaddr.NewFilters() + for _, sn := range subnets { + filters.AddFilter(*sn, action) + } + + return filters +} diff --git a/tests/main_test.go b/tests/main_test.go index 495a68858..e9020d357 100644 --- a/tests/main_test.go +++ b/tests/main_test.go @@ -82,6 +82,7 @@ func TestMain(m *testing.M) { tConfigs[i].Sync.NodeNetwork = false tConfigs[i].Sync.Firewall.Enabled = false tConfigs[i].Network.EnableMdns = true + tConfigs[i].Network.PrivateNetwork = true tConfigs[i].Network.Bootstrapper = true tConfigs[i].Network.NetworkKey = util.TempFilePath() tConfigs[i].Network.Listens = []string{"/ip4/127.0.0.1/tcp/0", "/ip4/127.0.0.1/udp/0/quic-v1"} From 06718b68b96ffc7fe33bdb6567a8f904fc286f3e Mon Sep 17 00:00:00 2001 From: Mostafa Date: Sat, 4 Nov 2023 03:34:53 +0800 Subject: [PATCH 2/2] chore: adding a log message --- network/network.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/network/network.go b/network/network.go index 314b1c8fc..47f8c023e 100644 --- a/network/network.go +++ b/network/network.go @@ -194,6 +194,9 @@ func newNetwork(networkName string, conf *Config, opts []lp2p.Option) (*network, for _, addr := range as { if conf.PrivateNetwork || !privateFilters.AddrBlocked(addr) { addrs = append(addrs, addr) + } else { + // TODO: remove me later + logger.Debug("private ip filtered", "ip", conf.PrivateNetwork) } } return addrs