mirror of
https://gitlab.com/pulsechaincom/prysm-pulse.git
synced 2025-01-10 11:41:21 +00:00
e52df323f7
* Added public/private flags for IP address white/blacklisting * Provided reference docs for private IP address ranges * Formatting changes and inline comments for private ip address specification * @nisdas feedback, commentary fixes * Added in inverse case where we allow for private address * changed helper function to take in multiaddr Action as argument, syntax changes for control logic * minor refactoring to control flow of configFilter and private addr filter helper function Co-authored-by: Raul Jordan <raul@prysmaticlabs.com> Co-authored-by: Preston Van Loon <preston@prysmaticlabs.com> Co-authored-by: Nishant Das <nishdas93@gmail.com>
212 lines
6.5 KiB
Go
212 lines
6.5 KiB
Go
package p2p
|
|
|
|
import (
|
|
"net"
|
|
"runtime"
|
|
|
|
"github.com/libp2p/go-libp2p-core/control"
|
|
"github.com/libp2p/go-libp2p-core/network"
|
|
"github.com/libp2p/go-libp2p-core/peer"
|
|
"github.com/multiformats/go-multiaddr"
|
|
manet "github.com/multiformats/go-multiaddr/net"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
const (
|
|
// Limit for rate limiter when processing new inbound dials.
|
|
ipLimit = 4
|
|
|
|
// Burst limit for inbound dials.
|
|
ipBurst = 8
|
|
|
|
// High watermark buffer signifies the buffer till which
|
|
// we will handle inbound requests.
|
|
highWatermarkBuffer = 10
|
|
)
|
|
|
|
// InterceptPeerDial tests whether we're permitted to Dial the specified peer.
|
|
func (s *Service) InterceptPeerDial(_ peer.ID) (allow bool) {
|
|
return true
|
|
}
|
|
|
|
// InterceptAddrDial tests whether we're permitted to dial the specified
|
|
// multiaddr for the given peer.
|
|
func (s *Service) InterceptAddrDial(pid peer.ID, m multiaddr.Multiaddr) (allow bool) {
|
|
// Disallow bad peers from dialing in.
|
|
if s.peers.IsBad(pid) {
|
|
return false
|
|
}
|
|
return filterConnections(s.addrFilter, m)
|
|
}
|
|
|
|
// InterceptAccept checks whether the incidental inbound connection is allowed.
|
|
func (s *Service) InterceptAccept(n network.ConnMultiaddrs) (allow bool) {
|
|
if !s.validateDial(n.RemoteMultiaddr()) {
|
|
// Allow other go-routines to run in the event
|
|
// we receive a large amount of junk connections.
|
|
runtime.Gosched()
|
|
log.WithFields(logrus.Fields{"peer": n.RemoteMultiaddr(),
|
|
"reason": "exceeded dial limit"}).Trace("Not accepting inbound dial from ip address")
|
|
return false
|
|
}
|
|
if s.isPeerAtLimit(true /* inbound */) {
|
|
log.WithFields(logrus.Fields{"peer": n.RemoteMultiaddr(),
|
|
"reason": "at peer limit"}).Trace("Not accepting inbound dial")
|
|
return false
|
|
}
|
|
return filterConnections(s.addrFilter, n.RemoteMultiaddr())
|
|
}
|
|
|
|
// InterceptSecured tests whether a given connection, now authenticated,
|
|
// is allowed.
|
|
func (s *Service) InterceptSecured(_ network.Direction, _ peer.ID, _ network.ConnMultiaddrs) (allow bool) {
|
|
return true
|
|
}
|
|
|
|
// InterceptUpgraded tests whether a fully capable connection is allowed.
|
|
func (s *Service) InterceptUpgraded(_ network.Conn) (allow bool, reason control.DisconnectReason) {
|
|
return true, 0
|
|
}
|
|
|
|
func (s *Service) validateDial(addr multiaddr.Multiaddr) bool {
|
|
ip, err := manet.ToIP(addr)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
remaining := s.ipLimiter.Remaining(ip.String())
|
|
if remaining <= 0 {
|
|
return false
|
|
}
|
|
s.ipLimiter.Add(ip.String(), 1)
|
|
return true
|
|
}
|
|
|
|
var privateCIDRList = []string{
|
|
// Private ip addresses specified by rfc-1918.
|
|
// See: https://tools.ietf.org/html/rfc1918
|
|
"10.0.0.0/8",
|
|
"172.16.0.0/12",
|
|
"192.168.0.0/16",
|
|
// Reserved address space for CGN devices, specified by rfc-6598
|
|
// See: https://tools.ietf.org/html/rfc6598
|
|
"100.64.0.0/10",
|
|
// IPv4 Link-Local addresses, specified by rfc-3926
|
|
// See: https://tools.ietf.org/html/rfc3927
|
|
"169.254.0.0/16",
|
|
}
|
|
|
|
// configureFilter looks at the provided allow lists and
|
|
// deny lists to appropriately create a filter.
|
|
func configureFilter(cfg *Config) (*multiaddr.Filters, error) {
|
|
addrFilter := multiaddr.NewFilters()
|
|
var privErr error
|
|
switch {
|
|
case cfg.AllowListCIDR == "public":
|
|
cfg.DenyListCIDR = append(cfg.DenyListCIDR, privateCIDRList...)
|
|
case cfg.AllowListCIDR == "private":
|
|
addrFilter, privErr = privateCIDRFilter(addrFilter, multiaddr.ActionAccept)
|
|
if privErr != nil {
|
|
return nil, privErr
|
|
}
|
|
case cfg.AllowListCIDR != "":
|
|
_, ipnet, err := net.ParseCIDR(cfg.AllowListCIDR)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
addrFilter.AddFilter(*ipnet, multiaddr.ActionAccept)
|
|
}
|
|
|
|
// Configure from provided deny list in the config.
|
|
if len(cfg.DenyListCIDR) > 0 {
|
|
for _, cidr := range cfg.DenyListCIDR {
|
|
// If an entry in the deny list is "private", we iterate through the
|
|
// private addresses and add them to the filter. Likewise, if the deny
|
|
// list is "public", then we add all private address to the accept filter,
|
|
switch {
|
|
case cidr == "private":
|
|
addrFilter, privErr = privateCIDRFilter(addrFilter, multiaddr.ActionDeny)
|
|
if privErr != nil {
|
|
return nil, privErr
|
|
}
|
|
continue
|
|
case cidr == "public":
|
|
addrFilter, privErr = privateCIDRFilter(addrFilter, multiaddr.ActionAccept)
|
|
if privErr != nil {
|
|
return nil, privErr
|
|
}
|
|
continue
|
|
}
|
|
_, ipnet, err := net.ParseCIDR(cidr)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
// Check if the address already has an action associated with it
|
|
// If this address was previously accepted, log a warning before placing
|
|
// it in the deny filter
|
|
action, _ := addrFilter.ActionForFilter(*ipnet)
|
|
if action == multiaddr.ActionAccept {
|
|
log.Warnf("Address %s is in conflict with previous rule.", ipnet.String())
|
|
}
|
|
addrFilter.AddFilter(*ipnet, multiaddr.ActionDeny)
|
|
}
|
|
}
|
|
return addrFilter, nil
|
|
}
|
|
|
|
//helper function to either accept or deny all private addresses
|
|
//if a new rule for a private address is in conflict with a previous one, log a warning
|
|
func privateCIDRFilter(addrFilter *multiaddr.Filters, action multiaddr.Action) (*multiaddr.Filters, error) {
|
|
for _, privCidr := range privateCIDRList {
|
|
_, ipnet, err := net.ParseCIDR(privCidr)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
// Get the current filter action for the address
|
|
// If it conflicts with the action given by the function call,
|
|
// log a warning
|
|
curAction, _ := addrFilter.ActionForFilter(*ipnet)
|
|
switch {
|
|
case action == multiaddr.ActionAccept:
|
|
if curAction == multiaddr.ActionDeny {
|
|
log.Warnf("Address %s is in conflict with previous rule.", ipnet.String())
|
|
}
|
|
case action == multiaddr.ActionDeny:
|
|
if curAction == multiaddr.ActionAccept {
|
|
log.Warnf("Address %s is in conflict with previous rule.", ipnet.String())
|
|
}
|
|
}
|
|
addrFilter.AddFilter(*ipnet, action)
|
|
}
|
|
return addrFilter, nil
|
|
}
|
|
|
|
// filterConnections checks the appropriate ip subnets from our
|
|
// filter and decides what to do with them. By default libp2p
|
|
// accepts all incoming dials, so if we have an allow list
|
|
// we will reject all inbound dials except for those in the
|
|
// appropriate ip subnets.
|
|
func filterConnections(f *multiaddr.Filters, a multiaddr.Multiaddr) bool {
|
|
acceptedNets := f.FiltersForAction(multiaddr.ActionAccept)
|
|
restrictConns := len(acceptedNets) != 0
|
|
|
|
// If we have an allow list added in, we by default reject all
|
|
// connection attempts except for those coming in from the
|
|
// appropriate ip subnets.
|
|
if restrictConns {
|
|
ip, err := manet.ToIP(a)
|
|
if err != nil {
|
|
log.Tracef("Multiaddress has invalid ip: %v", err)
|
|
return false
|
|
}
|
|
found := false
|
|
for _, ipnet := range acceptedNets {
|
|
if ipnet.Contains(ip) {
|
|
found = true
|
|
break
|
|
}
|
|
}
|
|
return found
|
|
}
|
|
return !f.AddrBlocked(a)
|
|
}
|