Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add in basic address dial filtering #1378

Merged
merged 3 commits into from
Jun 24, 2015
Merged

add in basic address dial filtering #1378

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e01f8e4
add in basic address dial filtering
whyrusleeping Jun 16, 2015
fbab2a7
broke filters out into a struct
whyrusleeping Jun 17, 2015
0bf6b39
filter incoming connections and add a test of functionality
whyrusleeping Jun 17, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions Godeps/Godeps.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

19 changes: 19 additions & 0 deletions Godeps/_workspace/src/github.com/whyrusleeping/multiaddr-filter/mask.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

36 changes: 36 additions & 0 deletions Godeps/_workspace/src/github.com/whyrusleeping/multiaddr-filter/mask_test.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

24 changes: 18 additions & 6 deletions core/core.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,17 +13,17 @@ import (
"errors"
"fmt"
"io"
"net"
"time"

b58 "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-base58"
ctxgroup "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-ctxgroup"
ds "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-datastore"
ma "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-multiaddr"
mamask "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/whyrusleeping/multiaddr-filter"
context "github.com/ipfs/go-ipfs/Godeps/_workspace/src/golang.org/x/net/context"
metrics "github.com/ipfs/go-ipfs/metrics"
eventlog "github.com/ipfs/go-ipfs/thirdparty/eventlog"

diag "github.com/ipfs/go-ipfs/diagnostics"
metrics "github.com/ipfs/go-ipfs/metrics"
ic "github.com/ipfs/go-ipfs/p2p/crypto"
discovery "github.com/ipfs/go-ipfs/p2p/discovery"
p2phost "github.com/ipfs/go-ipfs/p2p/host"
Expand All @@ -32,6 +32,7 @@ import (
swarm "github.com/ipfs/go-ipfs/p2p/net/swarm"
addrutil "github.com/ipfs/go-ipfs/p2p/net/swarm/addr"
peer "github.com/ipfs/go-ipfs/p2p/peer"
eventlog "github.com/ipfs/go-ipfs/thirdparty/eventlog"

routing "github.com/ipfs/go-ipfs/routing"
dht "github.com/ipfs/go-ipfs/routing/dht"
Expand Down Expand Up @@ -254,7 +255,18 @@ func (n *IpfsNode) startOnlineServices(ctx context.Context, routingOption Routin
// Set reporter
n.Reporter = metrics.NewBandwidthCounter()

peerhost, err := hostOption(ctx, n.Identity, n.Peerstore, n.Reporter)
// get undialable addrs from config
cfg := n.Repo.Config()
var addrfilter []*net.IPNet
for _, s := range cfg.DialBlocklist {
f, err := mamask.NewMask(s)
if err != nil {
return fmt.Errorf("incorrectly formatter address filter in config: %s", s)
}
addrfilter = append(addrfilter, f)
}

peerhost, err := hostOption(ctx, n.Identity, n.Peerstore, n.Reporter, addrfilter)
if err != nil {
return err
}
Expand Down Expand Up @@ -508,12 +520,12 @@ func listenAddresses(cfg *config.Config) ([]ma.Multiaddr, error) {
return listen, nil
}

type HostOption func(ctx context.Context, id peer.ID, ps peer.Peerstore, bwr metrics.Reporter) (p2phost.Host, error)
type HostOption func(ctx context.Context, id peer.ID, ps peer.Peerstore, bwr metrics.Reporter, fs []*net.IPNet) (p2phost.Host, error)

var DefaultHostOption HostOption = constructPeerHost

// isolates the complex initialization steps
func constructPeerHost(ctx context.Context, id peer.ID, ps peer.Peerstore, bwr metrics.Reporter) (p2phost.Host, error) {
func constructPeerHost(ctx context.Context, id peer.ID, ps peer.Peerstore, bwr metrics.Reporter, fs []*net.IPNet) (p2phost.Host, error) {

// no addresses to begin with. we'll start later.
network, err := swarm.NewNetwork(ctx, nil, id, ps, bwr)
Expand Down
3 changes: 3 additions & 0 deletions p2p/net/conn/interface.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (

key "github.com/ipfs/go-ipfs/blocks/key"
ic "github.com/ipfs/go-ipfs/p2p/crypto"
filter "github.com/ipfs/go-ipfs/p2p/net/filter"
peer "github.com/ipfs/go-ipfs/p2p/peer"

msgio "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-msgio"
Expand Down Expand Up @@ -86,6 +87,8 @@ type Listener interface {
// LocalPeer is the identity of the local Peer.
LocalPeer() peer.ID

SetAddrFilters(*filter.Filters)

// Close closes the listener.
// Any blocked Accept operations will be unblocked and return errors.
Close() error
Expand Down
13 changes: 13 additions & 0 deletions p2p/net/conn/listen.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ import (
context "github.com/ipfs/go-ipfs/Godeps/_workspace/src/golang.org/x/net/context"

ic "github.com/ipfs/go-ipfs/p2p/crypto"
filter "github.com/ipfs/go-ipfs/p2p/net/filter"
peer "github.com/ipfs/go-ipfs/p2p/peer"
)

Expand All @@ -26,6 +27,8 @@ type listener struct {
local peer.ID // LocalPeer is the identity of the local Peer
privk ic.PrivKey // private key to use to initialize secure conns

filters *filter.Filters

wrapper ConnWrapper

cg ctxgroup.ContextGroup
Expand All @@ -45,6 +48,10 @@ func (l *listener) String() string {
return fmt.Sprintf("<Listener %s %s>", l.local, l.Multiaddr())
}

func (l *listener) SetAddrFilters(fs *filter.Filters) {
l.filters = fs
}

// Accept waits for and returns the next connection to the listener.
// Note that unfortunately this
func (l *listener) Accept() (net.Conn, error) {
Expand Down Expand Up @@ -81,6 +88,12 @@ func (l *listener) Accept() (net.Conn, error) {
}

log.Debugf("listener %s got connection: %s <---> %s", l, maconn.LocalMultiaddr(), maconn.RemoteMultiaddr())

if l.filters != nil && l.filters.AddrBlocked(maconn.RemoteMultiaddr()) {
log.Debugf("blocked connection from %s", maconn.RemoteMultiaddr())
maconn.Close()
continue
}
// If we have a wrapper func, wrap this conn
if l.wrapper != nil {
maconn = l.wrapper(maconn)
Expand Down
34 changes: 34 additions & 0 deletions p2p/net/filter/filter.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
package filter

import (
"net"
"strings"

ma "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-multiaddr"
manet "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/jbenet/go-multiaddr-net"
)

type Filters struct {
filters []*net.IPNet
}

func (fs *Filters) AddDialFilter(f *net.IPNet) {
fs.filters = append(fs.filters, f)
}

func (f *Filters) AddrBlocked(a ma.Multiaddr) bool {
_, addr, err := manet.DialArgs(a)
if err != nil {
// if we cant parse it, its probably not blocked
return false
}

ipstr := strings.Split(addr, ":")[0]
ip := net.ParseIP(ipstr)
for _, ft := range f.filters {
if ft.Contains(ip) {
return true
}
}
return false
}
19 changes: 12 additions & 7 deletions p2p/net/swarm/swarm.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (

metrics "github.com/ipfs/go-ipfs/metrics"
inet "github.com/ipfs/go-ipfs/p2p/net"
filter "github.com/ipfs/go-ipfs/p2p/net/filter"
addrutil "github.com/ipfs/go-ipfs/p2p/net/swarm/addr"
peer "github.com/ipfs/go-ipfs/p2p/peer"
eventlog "github.com/ipfs/go-ipfs/thirdparty/eventlog"
Expand Down Expand Up @@ -50,6 +51,9 @@ type Swarm struct {
notifmu sync.RWMutex
notifs map[inet.Notifiee]ps.Notifiee

// filters for addresses that shouldnt be dialed
Filters *filter.Filters

cg ctxgroup.ContextGroup
bwc metrics.Reporter
}
Expand All @@ -64,13 +68,14 @@ func NewSwarm(ctx context.Context, listenAddrs []ma.Multiaddr,
}

s := &Swarm{
swarm: ps.NewSwarm(PSTransport),
local: local,
peers: peers,
cg: ctxgroup.WithContext(ctx),
dialT: DialTimeout,
notifs: make(map[inet.Notifiee]ps.Notifiee),
bwc: bwc,
swarm: ps.NewSwarm(PSTransport),
local: local,
peers: peers,
cg: ctxgroup.WithContext(ctx),
dialT: DialTimeout,
notifs: make(map[inet.Notifiee]ps.Notifiee),
bwc: bwc,
Filters: new(filter.Filters),
}

// configure Swarm
Expand Down
18 changes: 18 additions & 0 deletions p2p/net/swarm/swarm_dial.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -303,13 +303,21 @@ func (s *Swarm) dial(ctx context.Context, p peer.ID) (*Conn, error) {
ila, _ := s.InterfaceListenAddresses()
remoteAddrs = addrutil.Subtract(remoteAddrs, ila)
remoteAddrs = addrutil.Subtract(remoteAddrs, s.peers.Addrs(s.local))

log.Debugf("%s swarm dialing %s -- local:%s remote:%s", s.local, p, s.ListenAddresses(), remoteAddrs)
if len(remoteAddrs) == 0 {
err := errors.New("peer has no addresses")
logdial["error"] = err
return nil, err
}

remoteAddrs = s.filterAddrs(remoteAddrs)
if len(remoteAddrs) == 0 {
err := errors.New("all adresses for peer have been filtered out")
logdial["error"] = err
return nil, err
}

// open connection to peer
d := &conn.Dialer{
Dialer: manet.Dialer{
Expand Down Expand Up @@ -454,6 +462,16 @@ func (s *Swarm) dialAddr(ctx context.Context, d *conn.Dialer, p peer.ID, addr ma
return connC, nil
}

func (s *Swarm) filterAddrs(addrs []ma.Multiaddr) []ma.Multiaddr {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldnt be part of the swarm, i dont think. could have the filters as a struct:

type Filters struct {
    multiaddr []ma.Multiaddr
    ipnet []*net.IPNet
}

func NewFilters(addrs []ma.Multiaddr) Filters { ... }
func (f *Filters) Filter(addrs []ma.Multiaddr) []ma.Multiaddr { ... }
func (f *Filters) Block(addr ma.Multiaddr) bool { ... }

var out []ma.Multiaddr
for _, a := range addrs {
if !s.Filters.AddrBlocked(a) {
out = append(out, a)
}
}
return out
}

// dialConnSetup is the setup logic for a connection from the dial side. it
// needs to add the Conn to the StreamSwarm, then run newConnSetup
func dialConnSetup(ctx context.Context, s *Swarm, connC conn.Conn) (*Conn, error) {
Expand Down
2 changes: 2 additions & 0 deletions p2p/net/swarm/swarm_listen.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,8 @@ func (s *Swarm) setupListener(maddr ma.Multiaddr) error {
return err
}

list.SetAddrFilters(s.Filters)

if cw, ok := list.(conn.ListenerConnWrapper); ok {
cw.SetConnWrapper(func(c manet.Conn) manet.Conn {
return mconn.WrapConn(s.bwc, c)
Expand Down
58 changes: 58 additions & 0 deletions p2p/net/swarm/swarm_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"bytes"
"fmt"
"io"
"net"
"sync"
"testing"
"time"
Expand Down Expand Up @@ -270,3 +271,60 @@ func TestConnHandler(t *testing.T) {
default:
}
}

func TestAddrBlocking(t *testing.T) {
ctx := context.Background()
swarms := makeSwarms(ctx, t, 2)

swarms[0].SetConnHandler(func(conn *Conn) {
t.Fatal("no connections should happen!")
})

_, block, err := net.ParseCIDR("127.0.0.1/8")
if err != nil {
t.Fatal(err)
}

swarms[1].Filters.AddDialFilter(block)

swarms[1].peers.AddAddr(swarms[0].LocalPeer(), swarms[0].ListenAddresses()[0], peer.PermanentAddrTTL)
_, err = swarms[1].Dial(context.TODO(), swarms[0].LocalPeer())
if err == nil {
t.Fatal("dial should have failed")
}

swarms[0].peers.AddAddr(swarms[1].LocalPeer(), swarms[1].ListenAddresses()[0], peer.PermanentAddrTTL)
_, err = swarms[0].Dial(context.TODO(), swarms[1].LocalPeer())
if err == nil {
t.Fatal("dial should have failed")
}
}

func TestFilterBounds(t *testing.T) {
ctx := context.Background()
swarms := makeSwarms(ctx, t, 2)

conns := make(chan struct{}, 8)
swarms[0].SetConnHandler(func(conn *Conn) {
conns <- struct{}{}
})

// Address that we wont be dialing from
_, block, err := net.ParseCIDR("192.0.0.1/8")
if err != nil {
t.Fatal(err)
}

// set filter on both sides, shouldnt matter
swarms[1].Filters.AddDialFilter(block)
swarms[0].Filters.AddDialFilter(block)

connectSwarms(t, ctx, swarms)

select {
case <-time.After(time.Second):
t.Fatal("should have gotten connection")
case <-conns:
fmt.Println("got connect")
}
}
1 change: 1 addition & 0 deletions repo/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ type Config struct {
Tour Tour // local node's tour position
Gateway Gateway // local node's gateway server options
SupernodeRouting SupernodeClientConfig // local node's routing servers (if SupernodeRouting enabled)
DialBlocklist []string
Log Log
}

Expand Down
1 change: 1 addition & 0 deletions util/sadhack/godep.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,5 @@ import _ "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/dustin/go-hum

// similar to the above, only used in the tests makefile
import _ "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/whyrusleeping/iptb"

import _ "github.com/ipfs/go-ipfs/Godeps/_workspace/src/github.com/chriscool/go-sleep"