Skip to content

GitLab

Commit 65874eb0 authored by Juan Batiz-Benet's avatar Juan Batiz-Benet
Browse files
Options

Merge pull request #1378 from ipfs/feat/filter 

add in basic address dial filtering
parents 3f28663f 0bf6b39c
Hide whitespace changes
Inline Side-by-side
Showing with 219 additions and 13 deletions
Godeps/Godeps.json
View file @ 65874eb0
......@@ -239,6 +239,10 @@
"ImportPath": "github.com/whyrusleeping/iptb",
"Rev": "3970c95a864f1a40037f796ff596607ce8ae43be"
},
{
"ImportPath": "github.com/whyrusleeping/multiaddr-filter",
"Rev": "15837fcc356fddef27c634b0f6379b3b7f259114"
},
{
"ImportPath": "golang.org/x/crypto/blowfish",
"Rev": "c84e1f8e3a7e322d497cd16c0e8a13c7e127baf3"
......
Godeps/_workspace/src/github.com/whyrusleeping/multiaddr-filter/mask.go 0 → 100644
View file @ 65874eb0
package mask
import (
"errors"
"net"
"strings"
)
func NewMask(a string) (*net.IPNet, error) {
parts := strings.Split(a, "/")
if len(parts) == 5 && parts[1] == "ip4" && parts[3] == "ipcidr" {
_, ipn, err := net.ParseCIDR(parts[2] + "/" + parts[4])
if err != nil {
return nil, err
}
return ipn, nil
}
return nil, errors.New("invalid format")
}
Godeps/_workspace/src/github.com/whyrusleeping/multiaddr-filter/mask_test.go 0 → 100644
View file @ 65874eb0
package mask
import (
"net"
"testing"
)
func TestFiltered(t *testing.T) {
var tests = map[string]map[string]bool{
"/ip4/10.0.0.0/ipcidr/8": map[string]bool{
"10.3.3.4": true,
"10.3.4.4": true,
"10.4.4.4": true,
"15.52.34.3": false,
},
"/ip4/192.168.0.0/ipcidr/16": map[string]bool{
"192.168.0.0": true,
"192.168.1.0": true,
"192.1.0.0": false,
"10.4.4.4": false,
},
}
for mask, set := range tests {
m, err := NewMask(mask)
if err != nil {
t.Fatal(err)
}
for addr, val := range set {
ip := net.ParseIP(addr)
if m.Contains(ip) != val {
t.Fatalf("expected contains(%s, %s) == %s", mask, addr, val)
}
}
}
}
core/core.go
View file @ 65874eb0
......@@ -13,17 +13,17 @@ import (
"errors"
"fmt"
"io"
"net"
"time"
b58 "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-base58"
ctxgroup "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-ctxgroup"
ds "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-datastore"
ma "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-multiaddr"
mamask "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/whyrusleeping/multiaddr-filter"
context "github.com/ipfs/go-ipfs/Godeps/_workspace/src/golang.org/x/net/context"
metrics "github.com/ipfs/go-ipfs/metrics"
eventlog "github.com/ipfs/go-ipfs/thirdparty/eventlog"
diag "github.com/ipfs/go-ipfs/diagnostics"
metrics "github.com/ipfs/go-ipfs/metrics"
ic "github.com/ipfs/go-ipfs/p2p/crypto"
discovery "github.com/ipfs/go-ipfs/p2p/discovery"
p2phost "github.com/ipfs/go-ipfs/p2p/host"
......@@ -32,6 +32,7 @@ import (
swarm "github.com/ipfs/go-ipfs/p2p/net/swarm"
addrutil "github.com/ipfs/go-ipfs/p2p/net/swarm/addr"
peer "github.com/ipfs/go-ipfs/p2p/peer"
eventlog "github.com/ipfs/go-ipfs/thirdparty/eventlog"
routing "github.com/ipfs/go-ipfs/routing"
dht "github.com/ipfs/go-ipfs/routing/dht"
......@@ -254,7 +255,18 @@ func (n *IpfsNode) startOnlineServices(ctx context.Context, routingOption Routin
// Set reporter
n.Reporter = metrics.NewBandwidthCounter()
peerhost, err := hostOption(ctx, n.Identity, n.Peerstore, n.Reporter)
// get undialable addrs from config
cfg := n.Repo.Config()
var addrfilter []*net.IPNet
for _, s := range cfg.DialBlocklist {
f, err := mamask.NewMask(s)
if err != nil {
return fmt.Errorf("incorrectly formatter address filter in config: %s", s)
}
addrfilter = append(addrfilter, f)
}
peerhost, err := hostOption(ctx, n.Identity, n.Peerstore, n.Reporter, addrfilter)
if err != nil {
return err
}
......@@ -508,12 +520,12 @@ func listenAddresses(cfg *config.Config) ([]ma.Multiaddr, error) {
return listen, nil
}
type HostOption func(ctx context.Context, id peer.ID, ps peer.Peerstore, bwr metrics.Reporter) (p2phost.Host, error)
type HostOption func(ctx context.Context, id peer.ID, ps peer.Peerstore, bwr metrics.Reporter, fs []*net.IPNet) (p2phost.Host, error)
var DefaultHostOption HostOption = constructPeerHost
// isolates the complex initialization steps
func constructPeerHost(ctx context.Context, id peer.ID, ps peer.Peerstore, bwr metrics.Reporter) (p2phost.Host, error) {
func constructPeerHost(ctx context.Context, id peer.ID, ps peer.Peerstore, bwr metrics.Reporter, fs []*net.IPNet) (p2phost.Host, error) {
// no addresses to begin with. we'll start later.
network, err := swarm.NewNetwork(ctx, nil, id, ps, bwr)
......
p2p/net/conn/interface.go
View file @ 65874eb0
......@@ -7,6 +7,7 @@ import (
key "github.com/ipfs/go-ipfs/blocks/key"
ic "github.com/ipfs/go-ipfs/p2p/crypto"
filter "github.com/ipfs/go-ipfs/p2p/net/filter"
peer "github.com/ipfs/go-ipfs/p2p/peer"
msgio "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-msgio"
......@@ -86,6 +87,8 @@ type Listener interface {
// LocalPeer is the identity of the local Peer.
LocalPeer() peer.ID
SetAddrFilters(*filter.Filters)
// Close closes the listener.
// Any blocked Accept operations will be unblocked and return errors.
Close() error
......
p2p/net/conn/listen.go
View file @ 65874eb0
......@@ -13,6 +13,7 @@ import (
context "github.com/ipfs/go-ipfs/Godeps/_workspace/src/golang.org/x/net/context"
ic "github.com/ipfs/go-ipfs/p2p/crypto"
filter "github.com/ipfs/go-ipfs/p2p/net/filter"
peer "github.com/ipfs/go-ipfs/p2p/peer"
)
......@@ -26,6 +27,8 @@ type listener struct {
local peer.ID // LocalPeer is the identity of the local Peer
privk ic.PrivKey // private key to use to initialize secure conns
filters *filter.Filters
wrapper ConnWrapper
cg ctxgroup.ContextGroup
......@@ -45,6 +48,10 @@ func (l *listener) String() string {
return fmt.Sprintf("<Listener %s %s>", l.local, l.Multiaddr())
}
func (l *listener) SetAddrFilters(fs *filter.Filters) {
l.filters = fs
}
// Accept waits for and returns the next connection to the listener.
// Note that unfortunately this
func (l *listener) Accept() (net.Conn, error) {
......@@ -81,6 +88,12 @@ func (l *listener) Accept() (net.Conn, error) {
}
log.Debugf("listener %s got connection: %s <---> %s", l, maconn.LocalMultiaddr(), maconn.RemoteMultiaddr())
if l.filters != nil && l.filters.AddrBlocked(maconn.RemoteMultiaddr()) {
log.Debugf("blocked connection from %s", maconn.RemoteMultiaddr())
maconn.Close()
continue
}
// If we have a wrapper func, wrap this conn
if l.wrapper != nil {
maconn = l.wrapper(maconn)
......
p2p/net/filter/filter.go 0 → 100644
View file @ 65874eb0
package filter
import (
"net"
"strings"
ma "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-multiaddr"
manet "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-multiaddr-net"
)
type Filters struct {
filters []*net.IPNet
}
func (fs *Filters) AddDialFilter(f *net.IPNet) {
fs.filters = append(fs.filters, f)
}
func (f *Filters) AddrBlocked(a ma.Multiaddr) bool {
_, addr, err := manet.DialArgs(a)
if err != nil {
// if we cant parse it, its probably not blocked
return false
}
ipstr := strings.Split(addr, ":")[0]
ip := net.ParseIP(ipstr)
for _, ft := range f.filters {
if ft.Contains(ip) {
return true
}
}
return false
}
p2p/net/swarm/swarm.go
View file @ 65874eb0
......@@ -9,6 +9,7 @@ import (
metrics "github.com/ipfs/go-ipfs/metrics"
inet "github.com/ipfs/go-ipfs/p2p/net"
filter "github.com/ipfs/go-ipfs/p2p/net/filter"
addrutil "github.com/ipfs/go-ipfs/p2p/net/swarm/addr"
peer "github.com/ipfs/go-ipfs/p2p/peer"
eventlog "github.com/ipfs/go-ipfs/thirdparty/eventlog"
......@@ -50,6 +51,9 @@ type Swarm struct {
notifmu sync.RWMutex
notifs map[inet.Notifiee]ps.Notifiee
// filters for addresses that shouldnt be dialed
Filters *filter.Filters
cg ctxgroup.ContextGroup
bwc metrics.Reporter
}
......@@ -64,13 +68,14 @@ func NewSwarm(ctx context.Context, listenAddrs []ma.Multiaddr,
}
s := &Swarm{
swarm: ps.NewSwarm(PSTransport),
local: local,
peers: peers,
cg: ctxgroup.WithContext(ctx),
dialT: DialTimeout,
notifs: make(map[inet.Notifiee]ps.Notifiee),
bwc: bwc,
swarm: ps.NewSwarm(PSTransport),
local: local,
peers: peers,
cg: ctxgroup.WithContext(ctx),
dialT: DialTimeout,
notifs: make(map[inet.Notifiee]ps.Notifiee),
bwc: bwc,
Filters: new(filter.Filters),
}
// configure Swarm
......
p2p/net/swarm/swarm_dial.go
View file @ 65874eb0
......@@ -303,6 +303,7 @@ func (s *Swarm) dial(ctx context.Context, p peer.ID) (*Conn, error) {
ila, _ := s.InterfaceListenAddresses()
remoteAddrs = addrutil.Subtract(remoteAddrs, ila)
remoteAddrs = addrutil.Subtract(remoteAddrs, s.peers.Addrs(s.local))
log.Debugf("%s swarm dialing %s -- local:%s remote:%s", s.local, p, s.ListenAddresses(), remoteAddrs)
if len(remoteAddrs) == 0 {
err := errors.New("peer has no addresses")
......@@ -310,6 +311,13 @@ func (s *Swarm) dial(ctx context.Context, p peer.ID) (*Conn, error) {
return nil, err
}
remoteAddrs = s.filterAddrs(remoteAddrs)
if len(remoteAddrs) == 0 {
err := errors.New("all adresses for peer have been filtered out")
logdial["error"] = err
return nil, err
}
// open connection to peer
d := &conn.Dialer{
Dialer: manet.Dialer{
......@@ -454,6 +462,16 @@ func (s *Swarm) dialAddr(ctx context.Context, d *conn.Dialer, p peer.ID, addr ma
return connC, nil
}
func (s *Swarm) filterAddrs(addrs []ma.Multiaddr) []ma.Multiaddr {
var out []ma.Multiaddr
for _, a := range addrs {
if !s.Filters.AddrBlocked(a) {
out = append(out, a)
}
}
return out
}
// dialConnSetup is the setup logic for a connection from the dial side. it
// needs to add the Conn to the StreamSwarm, then run newConnSetup
func dialConnSetup(ctx context.Context, s *Swarm, connC conn.Conn) (*Conn, error) {
......
p2p/net/swarm/swarm_listen.go
View file @ 65874eb0
......@@ -69,6 +69,8 @@ func (s *Swarm) setupListener(maddr ma.Multiaddr) error {
return err
}
list.SetAddrFilters(s.Filters)
if cw, ok := list.(conn.ListenerConnWrapper); ok {
cw.SetConnWrapper(func(c manet.Conn) manet.Conn {
return mconn.WrapConn(s.bwc, c)
......
p2p/net/swarm/swarm_test.go
View file @ 65874eb0
......@@ -4,6 +4,7 @@ import (
"bytes"
"fmt"
"io"
"net"
"sync"
"testing"
"time"
......@@ -270,3 +271,60 @@ func TestConnHandler(t *testing.T) {
default:
}
}
func TestAddrBlocking(t *testing.T) {
ctx := context.Background()
swarms := makeSwarms(ctx, t, 2)
swarms[0].SetConnHandler(func(conn *Conn) {
t.Fatal("no connections should happen!")
})
_, block, err := net.ParseCIDR("127.0.0.1/8")
if err != nil {
t.Fatal(err)
}
swarms[1].Filters.AddDialFilter(block)
swarms[1].peers.AddAddr(swarms[0].LocalPeer(), swarms[0].ListenAddresses()[0], peer.PermanentAddrTTL)
_, err = swarms[1].Dial(context.TODO(), swarms[0].LocalPeer())
if err == nil {
t.Fatal("dial should have failed")
}
swarms[0].peers.AddAddr(swarms[1].LocalPeer(), swarms[1].ListenAddresses()[0], peer.PermanentAddrTTL)
_, err = swarms[0].Dial(context.TODO(), swarms[1].LocalPeer())
if err == nil {
t.Fatal("dial should have failed")
}
}
func TestFilterBounds(t *testing.T) {
ctx := context.Background()
swarms := makeSwarms(ctx, t, 2)
conns := make(chan struct{}, 8)
swarms[0].SetConnHandler(func(conn *Conn) {
conns <- struct{}{}
})
// Address that we wont be dialing from
_, block, err := net.ParseCIDR("192.0.0.1/8")
if err != nil {
t.Fatal(err)
}
// set filter on both sides, shouldnt matter
swarms[1].Filters.AddDialFilter(block)
swarms[0].Filters.AddDialFilter(block)
connectSwarms(t, ctx, swarms)
select {
case <-time.After(time.Second):
t.Fatal("should have gotten connection")
case <-conns:
fmt.Println("got connect")
}
}
repo/config/config.go
View file @ 65874eb0
......@@ -26,6 +26,7 @@ type Config struct {
Tour Tour // local node's tour position
Gateway Gateway // local node's gateway server options
SupernodeRouting SupernodeClientConfig // local node's routing servers (if SupernodeRouting enabled)
DialBlocklist []string
Log Log
}
......
util/sadhack/godep.go
View file @ 65874eb0
......@@ -6,4 +6,5 @@ import _ "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/dustin/go-hum
// similar to the above, only used in the tests makefile
import _ "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/whyrusleeping/iptb"
import _ "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/chriscool/go-sleep"
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment