honor blocked networks (-onlynet="XXX") with inbound connections #2089

Closed

@Diapolo
  • current code, when set e.g. -onlynet="IPv6", only prevents outgoing connections to peers via the blocked networks (in this example IPv4/Tor)
  • this patch extends the behaviour to inbound connections, so when e.g. -onlynet="IPv6", don't allow incoming IPv4/Tor connections from peers
Philip Kaufmann honor blocked networks (-onlynet="XXX") with inbound connections
- current code, when set e.g. -onlynet="IPv6", only prevents outgoing
  connections to peers via the blocked networks (in this example IPv4/Tor)
- this patch extends the behaviour to inbound connections, so when e.g.
  -onlynet="IPv6", don't allow incoming IPv4/Tor connections from peers
6ede344
@BitcoinPullTester

Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/6ede3440c96920062625b9b044d227632944a80c for binaries and test log.

@gmaxwell
Bitcoin member

I don't think disallowing IPv4 local connections (e.g. from mining daemons and monitoring tools) is a desired effect of onlynet. I suspect this will also block all onion peers even when onlynet tor, though I haven't actually tried it.

@Diapolo

IMHO when we have a switch to block certain networks, this should include ALL connections (in- and outbound). What did we intend with -onlynet otherwise?

If people really want to explicitly allow IPv4 connections, they can use -bind (remember #1778, which is for such cases). As this network-block is not active for RPC-stuff AFAIK, I really see no problem here.

@sipa
Bitcoin member

But the problem is that incoming onion connections come in as an IPv4 connection from 127.0.0.1. So -onlynet=tor would block incoming onion connections...

@Diapolo

Right, so the user could just add -bind=127.0.0.1 :).

This is from the commit message of #1778:
usage case: specify -bind=127.0.0.1 -onlynet="Tor" to allow incoming connections to a Tor hidden service, but still don't allow other IPv4 nodes to connect / get connected

@sipa
Bitcoin member

Yes, but this very commit will still block such connections.

@Diapolo

Then it's not well implemented by me, I just want to know if the idea from the pull is worth further work on it :D.

@sipa
Bitcoin member

In general, there is no knowing what network an incoming connection comes from (though perhaps some special cases can be made, meh).
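
The two points raised in the comments above (inbound onion connections arrive from 127.0.0.1, and the source address does not reveal the network a peer really came from), as an added C++ example that is not part of this thread or of Bitcoin's code. `accept_inbound_naive`, `listener_receives` and the sample addresses are hypothetical, and representing onion peers by the OnionCat range is an assumption of the example.

```cpp
// Added illustration; not code from Bitcoin or from this pull request.
#include <arpa/inet.h>
#include <cstring>
#include <iostream>
#include <set>
#include <string>

enum class Net { IPv4, IPv6, Tor, Unknown };

// Classify a peer by the source address the listening socket reports.
// Assumption of this example: onion peers are represented by addresses
// in the OnionCat range fd87:d87e:eb43::/48.
Net classify(const std::string& ip) {
    unsigned char buf[16];
    if (inet_pton(AF_INET, ip.c_str(), buf) == 1) return Net::IPv4;
    if (inet_pton(AF_INET6, ip.c_str(), buf) == 1) {
        static const unsigned char onioncat[6] = {0xfd, 0x87, 0xd8, 0x7e, 0xeb, 0x43};
        return std::memcmp(buf, onioncat, 6) == 0 ? Net::Tor : Net::IPv6;
    }
    return Net::Unknown;
}

// Hypothetical inbound check in the spirit of the proposal: accept only
// if the peer's apparent network is listed in -onlynet.
bool accept_inbound_naive(const std::string& peer_ip, const std::set<Net>& onlynet) {
    return onlynet.count(classify(peer_ip)) > 0;
}

// Simplified model of -bind: the listener only sees connections whose
// destination is the bound local address ("0.0.0.0" stands for any).
bool listener_receives(const std::string& bind_ip, const std::string& dst_ip) {
    return bind_ip == "0.0.0.0" || bind_ip == dst_ip;
}

int main() {
    const std::set<Net> only_tor = {Net::Tor};
    // Constructed inputs: the local Tor daemon forwarding a hidden-service
    // connection, and a remote IPv4 node.
    std::cout << "onion via local Tor daemon (127.0.0.1): "
              << accept_inbound_naive("127.0.0.1", only_tor) << "\n";   // rejected
    std::cout << "remote IPv4 node (203.0.113.5): "
              << accept_inbound_naive("203.0.113.5", only_tor) << "\n"; // rejected
    // With -bind=127.0.0.1 and no source filter, the split is by destination.
    std::cout << "bind 127.0.0.1, Tor daemon -> 127.0.0.1: "
              << listener_receives("127.0.0.1", "127.0.0.1") << "\n";
    std::cout << "bind 127.0.0.1, remote -> 198.51.100.7: "
              << listener_receives("127.0.0.1", "198.51.100.7") << "\n";
    return 0;
}
```

The source-address filter cannot tell the Tor daemon's forwarded connection from any other loopback client, while the bind-based model separates the two cases by the local address the connection was made to.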

@Diapolo

I'm not sure if that was a yes it's worth further work or a no, we (core devs) don't like the general idea.

@gmaxwell
Bitcoin member

I like the idea if it can be done without resulting in surprising misbehavior, though I'm not convinced that this is possible. :)

@Diapolo

Perhaps if I'm thinking a few minutes longer and come to the same conclusion I'll just close this, but as always I like the valuable feedback :).

@Diapolo

As this just seems to cause weird behaviour I'll close this for now ... perhaps in the future we can re-think the idea and implementation.

@Diapolo Diapolo closed this Dec 12, 2012