Add Ability to Restrict Outbound Dials (#5794)
* blacklist cidr * add test * Merge refs/heads/master into p2pBlacklist
This commit is contained in:
parent
c82f2d5657
commit
aeb6dc13ac
@ -64,6 +64,7 @@ var appFlags = []cli.Flag{
|
|||||||
cmd.P2PPrivKey,
|
cmd.P2PPrivKey,
|
||||||
cmd.P2PMetadata,
|
cmd.P2PMetadata,
|
||||||
cmd.P2PWhitelist,
|
cmd.P2PWhitelist,
|
||||||
|
cmd.P2PBlacklist,
|
||||||
cmd.P2PEncoding,
|
cmd.P2PEncoding,
|
||||||
cmd.P2PPubsub,
|
cmd.P2PPubsub,
|
||||||
cmd.DataDirFlag,
|
cmd.DataDirFlag,
|
||||||
|
@ -320,6 +320,7 @@ func (b *BeaconNode) registerP2P(cliCtx *cli.Context) error {
|
|||||||
UDPPort: cliCtx.Uint(cmd.P2PUDPPort.Name),
|
UDPPort: cliCtx.Uint(cmd.P2PUDPPort.Name),
|
||||||
MaxPeers: cliCtx.Uint(cmd.P2PMaxPeers.Name),
|
MaxPeers: cliCtx.Uint(cmd.P2PMaxPeers.Name),
|
||||||
WhitelistCIDR: cliCtx.String(cmd.P2PWhitelist.Name),
|
WhitelistCIDR: cliCtx.String(cmd.P2PWhitelist.Name),
|
||||||
|
BlacklistCIDR: sliceutil.SplitCommaSeparated(cliCtx.StringSlice(cmd.P2PBlacklist.Name)),
|
||||||
EnableUPnP: cliCtx.Bool(cmd.EnableUPnPFlag.Name),
|
EnableUPnP: cliCtx.Bool(cmd.EnableUPnPFlag.Name),
|
||||||
DisableDiscv5: cliCtx.Bool(flags.DisableDiscv5.Name),
|
DisableDiscv5: cliCtx.Bool(flags.DisableDiscv5.Name),
|
||||||
Encoding: cliCtx.String(cmd.P2PEncoding.Name),
|
Encoding: cliCtx.String(cmd.P2PEncoding.Name),
|
||||||
|
@ -25,6 +25,7 @@ type Config struct {
|
|||||||
UDPPort uint
|
UDPPort uint
|
||||||
MaxPeers uint
|
MaxPeers uint
|
||||||
WhitelistCIDR string
|
WhitelistCIDR string
|
||||||
|
BlacklistCIDR []string
|
||||||
Encoding string
|
Encoding string
|
||||||
StateNotifier statefeed.Notifier
|
StateNotifier statefeed.Notifier
|
||||||
PubSub string
|
PubSub string
|
||||||
|
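Review bot: The new `BlacklistCIDR` field has no doc comment, and its singular name hides that it holds a list of subnets; renaming it (`BlacklistCIDRs`) would be an API change for callers, so at minimum document it, e.g. `// BlacklistCIDR lists CIDR subnets whose addresses are denied by the p2p multiaddr filter (see blacklistSubnets); each entry must be parseable by net.ParseCIDR.` The Config struct starts and ends outside this hunk, so whether the neighbouring fields are documented is not visible here; match whatever convention they follow.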
@ -26,6 +26,7 @@ func buildOptions(cfg *Config, ip net.IP, priKey *ecdsa.PrivateKey) []libp2p.Opt
|
|||||||
libp2p.EnableRelay(),
|
libp2p.EnableRelay(),
|
||||||
libp2p.ListenAddrs(listen),
|
libp2p.ListenAddrs(listen),
|
||||||
whitelistSubnet(cfg.WhitelistCIDR),
|
whitelistSubnet(cfg.WhitelistCIDR),
|
||||||
|
blacklistSubnets(cfg.BlacklistCIDR),
|
||||||
// Add one for the boot node and another for the relay, otherwise when we are close to maxPeers we will be above the high
|
// Add one for the boot node and another for the relay, otherwise when we are close to maxPeers we will be above the high
|
||||||
// water mark and continually trigger pruning.
|
// water mark and continually trigger pruning.
|
||||||
libp2p.ConnectionManager(connmgr.NewConnManager(int(cfg.MaxPeers+2), int(cfg.MaxPeers+2), 1*time.Second)),
|
libp2p.ConnectionManager(connmgr.NewConnManager(int(cfg.MaxPeers+2), int(cfg.MaxPeers+2), 1*time.Second)),
|
||||||
@ -121,3 +122,28 @@ func whitelistSubnet(cidr string) libp2p.Option {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// blacklistSubnet adds a blacklist multiaddress filter for multiple given CIDR subnets.
|
||||||
|
// Example: 192.168.0.0/16 may be used to deny connections from your local
|
||||||
|
// network.
|
||||||
|
func blacklistSubnets(mulCidrs []string) libp2p.Option {
|
||||||
|
if len(mulCidrs) == 0 {
|
||||||
|
return func(_ *libp2p.Config) error {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return func(cfg *libp2p.Config) error {
|
||||||
|
if cfg.Filters == nil {
|
||||||
|
cfg.Filters = filter.NewFilters()
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, cidr := range mulCidrs {
|
||||||
|
_, ipnet, err := net.ParseCIDR(cidr)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
cfg.Filters.AddFilter(*ipnet, filter.ActionDeny)
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
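Review bot: The error from `net.ParseCIDR(cidr)` is returned bare, so a bad `--p2p-blacklist` entry fails at host construction with no indication of which value was rejected; wrap it with the offending entry, e.g. `return fmt.Errorf("invalid blacklist CIDR %q: %v", cidr, err)` (or the error-wrapping helper the package already uses — options.go's imports are outside the hunk). The doc comment names the function `blacklistSubnet` while it is declared as `blacklistSubnets`; golint expects the comment to open with the declared name, so `// blacklistSubnets adds a deny multiaddress filter for each of the given CIDR subnets.` The early return for an empty slice duplicates what the loop already does with zero entries and can be dropped. Precedence against a whitelist (whitelistSubnet is applied first in buildOptions) depends on how the filter set resolves overlapping rules, which this diff does not show; a test with a whitelist that contains a blacklisted subnet would pin the intended behaviour.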
@ -2,13 +2,18 @@ package p2p
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
|
"context"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"os"
|
"os"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"github.com/libp2p/go-libp2p"
|
||||||
"github.com/libp2p/go-libp2p-core/crypto"
|
"github.com/libp2p/go-libp2p-core/crypto"
|
||||||
|
"github.com/libp2p/go-libp2p-core/peer"
|
||||||
|
"github.com/multiformats/go-multiaddr"
|
||||||
"github.com/prysmaticlabs/prysm/shared/testutil"
|
"github.com/prysmaticlabs/prysm/shared/testutil"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -58,3 +63,54 @@ func TestPrivateKeyLoading(t *testing.T) {
|
|||||||
t.Errorf("Private keys do not match got %#x but wanted %#x", rawBytes, newRaw)
|
t.Errorf("Private keys do not match got %#x but wanted %#x", rawBytes, newRaw)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func TestPeerBlacklist(t *testing.T) {
|
||||||
|
// create host with blacklist
|
||||||
|
ipAddr, pkey := createAddrAndPrivKey(t)
|
||||||
|
ipAddr2, pkey2 := createAddrAndPrivKey(t)
|
||||||
|
|
||||||
|
mask := ipAddr2.DefaultMask()
|
||||||
|
ones, _ := mask.Size()
|
||||||
|
maskedIP := ipAddr2.Mask(mask)
|
||||||
|
cidr := maskedIP.String() + fmt.Sprintf("/%d", ones)
|
||||||
|
|
||||||
|
listen, err := multiaddr.NewMultiaddr(fmt.Sprintf("/ip4/%s/tcp/%d", ipAddr, 2000))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Failed to p2p listen: %v", err)
|
||||||
|
}
|
||||||
|
h1, err := libp2p.New(context.Background(), []libp2p.Option{privKeyOption(pkey), libp2p.ListenAddrs(listen), blacklistSubnets([]string{cidr})}...)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
defer func() {
|
||||||
|
err := h1.Close()
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
|
||||||
|
// create alternate host
|
||||||
|
listen, err = multiaddr.NewMultiaddr(fmt.Sprintf("/ip4/%s/tcp/%d", ipAddr2, 3000))
|
||||||
|
if err != nil {
|
||||||
|
t.Fatalf("Failed to p2p listen: %v", err)
|
||||||
|
}
|
||||||
|
h2, err := libp2p.New(context.Background(), []libp2p.Option{privKeyOption(pkey2), libp2p.ListenAddrs(listen)}...)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
defer func() {
|
||||||
|
err := h2.Close()
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
multiAddress, err := multiaddr.NewMultiaddr(fmt.Sprintf("/ip4/%s/tcp/%d/p2p/%s", ipAddr2, 3000, h2.ID()))
|
||||||
|
addrInfo, err := peer.AddrInfoFromP2pAddr(multiAddress)
|
||||||
|
if err != nil {
|
||||||
|
t.Fatal(err)
|
||||||
|
}
|
||||||
|
err = h1.Connect(context.Background(), *addrInfo)
|
||||||
|
if err == nil {
|
||||||
|
t.Error("Wanted connection to fail with blacklist")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
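Review bot: The error from `multiaddr.NewMultiaddr(...)` on the line that builds `multiAddress` is never checked — it is overwritten by `addrInfo, err := ...` on the next line — so add `if err != nil { t.Fatal(err) }` directly after it. The final assertion `if err == nil { t.Error(...) }` accepts any dial failure, so the test would also pass if h2 were simply unreachable (for instance because the fixed port 3000 is already in use); a positive control — dialing h2 from a host built without `blacklistSubnets`, or h1 dialing an address outside the subnet — would show the denial really comes from the filter, and asserting on the specific error the swarm returns for a filtered address, if it exposes one, would be stronger still. The hard-coded ports 2000 and 3000 can collide with other tests in the package; listening on `tcp/0` or a free-port helper avoids that.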
@ -109,6 +109,7 @@ var appHelpFlagGroups = []flagGroup{
|
|||||||
cmd.P2PPrivKey,
|
cmd.P2PPrivKey,
|
||||||
cmd.P2PMetadata,
|
cmd.P2PMetadata,
|
||||||
cmd.P2PWhitelist,
|
cmd.P2PWhitelist,
|
||||||
|
cmd.P2PBlacklist,
|
||||||
cmd.StaticPeers,
|
cmd.StaticPeers,
|
||||||
cmd.EnableUPnPFlag,
|
cmd.EnableUPnPFlag,
|
||||||
cmd.P2PEncoding,
|
cmd.P2PEncoding,
|
||||||
|
@ -125,6 +125,13 @@ var (
|
|||||||
"would whitelist connections to peers on your local network only. The default " +
|
"would whitelist connections to peers on your local network only. The default " +
|
||||||
"is to accept all connections.",
|
"is to accept all connections.",
|
||||||
}
|
}
|
||||||
|
// P2PBlacklist defines a list of CIDR subnets to disallow connections from them.
|
||||||
|
P2PBlacklist = &cli.StringSliceFlag{
|
||||||
|
Name: "p2p-blacklist",
|
||||||
|
Usage: "The CIDR subnets for blacklisting peer connections. Example: 192.168.0.0/16 " +
|
||||||
|
"would blacklist connections from peers on your local network only. The default " +
|
||||||
|
"is to accept all connections.",
|
||||||
|
}
|
||||||
// P2PEncoding defines the encoding format for p2p messages.
|
// P2PEncoding defines the encoding format for p2p messages.
|
||||||
P2PEncoding = &cli.StringFlag{
|
P2PEncoding = &cli.StringFlag{
|
||||||
Name: "p2p-encoding",
|
Name: "p2p-encoding",
|
||||||
|
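Review bot: The usage text promises to "blacklist connections from peers on your local network", while the commit title scopes the feature to outbound dials; whether an inbound connection from a blacklisted subnet is also refused depends on where libp2p consults `cfg.Filters`, which this diff does not show, so the usage should state only what is enforced — e.g. `Usage: "The CIDR subnets for blacklisting outbound peer dials. Example: 192.168.0.0/16 " + "would refuse dialing peers on your local network. The default is to dial any address."` — or the inbound path should be verified and covered by a test. Since the flag is a StringSliceFlag and the caller splits on commas (per the `sliceutil.SplitCommaSeparated` call in registerP2P), a sentence noting that the flag may be repeated or comma-separated (`--p2p-blacklist 10.0.0.0/8,192.168.0.0/16`) would spare operators a guess. The enclosing `var (` block starts and ends outside the hunk.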