feat(swarm)!: Allow NetworkBehaviours to manage incoming connections

[thomaseizinger]

Description

Previously, ConnectionHandler employed the prototype pattern via the IntoConnectionHandler abstraction. This allowed the Swarm to construct an instance of IntoConnectionHandler before the connection was established. This abstraction is however unnecessary. We can model all existing usecases by delaying the call to NetworkBehavour::new_handler until the connection is established. Not only does this delete a lot of code, it also makes several APIs simpler:

• NetworkBehaviours can track state for future connections within themselves (indexed by PeerId) and pass it into the ConnectionHandler upon construction. This removes the need for passing along a handler in NetworkBehaviourAction::Dial.
• Removing Handler from NetworkBehaviourAction::Dial also avoids the need to pass the handler back into the behaviour in inject_dial_failure.
• By making NetworkBehaviour::new_handler fallible, NetworkBehaviours can implement almost arbitrary connection management policies by denying the construction of a ConnectionHandler for a newly established connection.

Resolves #2824.

Links to any relevant issues

Open Questions

Change checklist

• I have performed a self-review of my own code
• I have made corresponding changes to the documentation
• I have added tests that prove my fix is effective or that my feature works
• A changelog entry has been made in the appropriate crates

[rkuhn]

The answer also depends on what inject_dial_failure shall mean, and to whom. Currently it is called upon any failure for all composed behaviours, but that won’t work anymore if every behaviour then expects its own payload — the dial was caused by one behaviour, with only one specific payload. So the composed behaviour needs to dispatch the failure to only exactly that sub-behaviour which requested the dial. While this makes some amount of sense, it is also weird, because dial failures are not specific to a particular sub-behaviour, their scope is the target peer.

[rkuhn]

BTW: Swarm::dial could also be kept in this case, and it could carry its own payload that is returned to the swarm poller upon dial failure — and none of the composed behaviours are informed in this case.

[thomaseizinger]

The answer also depends on what inject_dial_failure shall mean, and to whom. Currently it is called upon any failure for all composed behaviours, but that won’t work anymore if every behaviour then expects its own payload — the dial was caused by one behaviour, with only one specific payload. So the composed behaviour needs to dispatch the failure to only exactly that sub-behaviour which requested the dial. While this makes some amount of sense, it is also weird, because dial failures are not specific to a particular sub-behaviour, their scope is the target peer.

That is right! This is more tricky than I thought. If I wanted to inject a DialPayload on every on_new_outbound call, I'd have to make that one up for all other behaviours that are composed because I need a handler for every behaviour.

[rkuhn]

My primary worry right now is not the structure of IntoConnectionHandler, so I don’t have good inputs there, but the proposed DialSource enum sounds very useful to me!

[thomaseizinger]

I just had another idea which I think is much better:

The reason for passing a handler along with Dial was to enable users to directly inject a message into the new connection.

Previously, that required really complex tracking of state in the behaviour because of the IntoConnectionHandler abstraction and the delayed access to PeerId.

If we remove this abstraction, it is really easy for NetworkBehaviours to track initial state for a new connection: Just make a HashMap indexed by PeerId and pick out the data whenever new_outbound_handler gets called!

That is functionally equivalent to what we have today and makes several APIs a lot simpler.

[thomaseizinger]

This turns out to be difficult.

@mxinden I remember you saying that PollParameters was always something that didn't appeal to you. Did you ever think about alternative design? This might be a good time to bring them up :)

[thomaseizinger]

I am now initialising these to an empty vector and they are updated every time a new connection is made.

[mxinden]

@mxinden I remember you saying that PollParameters was always something that didn't appeal to you.

Yes, very much. I would like to not have PollParameters.

I am now initialising these to an empty vector and they are updated every time a new connection is made.

In my eyes that is the better behavior.

[thomaseizinger]

@mxinden I remember you saying that PollParameters was always something that didn't appeal to you.

Yes, very much. I would like to not have PollParameters.

Tracking this here: #3124

[thomaseizinger]

Should we replace this example? Now that new_handler gives you a PeerId, I think it is quite easy to realize that you can store data for a future connection in the behaviour and just pass it into the handler here.

[mxinden]

• NetworkBehaviours can track state for future connections within themselves (indexed by PeerId) and pass it into the ConnectionHandler upon construction. This removes the need for passing along a handler in NetworkBehaviourAction::Dial.

Say there are two NetworkBehaviour implementations, each requesting a new connection to a new peer. In such case, when NetworkBehaviour::inject_connection_established is called, neither of them knows whether this new connection corresponds to their dial request.

We could still allow the user to provide user data via DialOpts. For the case of Swarm::dial and NetworkBehaviour::inject_dial_failure we could wrap this in an Option.

I am not sure whether we need to design for the above race condition. Your proposal might be just fine. What do folks think?

[rkuhn]

In ipfs-embed I validate advertised peer addresses by dialling them — and closing such connections upon success. This is only reliably possible if I can detect whether the connection resulted from my own dialling attempt. OTOH, another cause may have resulted in dialling that same peer with that same address for other reasons, which would then possibly have said “nah, attempt is already underway”. But all of this would happen in addition to existing connections, so it might not be a huge problem.

[thomaseizinger]

Do you need to actively close them? Assuming reasonable keep_alive implementations of your ConnectionHandlers, the connection should get closed automatically if it is not in use.

OTOH, another cause may have resulted in dialling that same peer with that same address for other reasons, which would then possibly have said “nah, attempt is already underway”.

Can this be expressed with PeerCondition::NotDialing?

Note that new_handler also gives you access to ConnectedPoint. So in addition to storing data in your behaviour based on PeerId, you could also index it by the dialed address. new_handler being called for an address you wanted to validate IS the validation that a connection was made to this address. If you have a dedicated AddressValidationBehaviour, that behaviour could then straight up deny that connection which instantly closes it again.

[thomaseizinger]

TODO:

• Always box denied reason to avoid generating an enum
• Figure out how to manage pending connections

[thomaseizinger]

Here is a proposal regarding pending connection management:

• Remove addresses_of_peer function
• Add:

  • fn new_outgoing_connection(Option<PeerId>, &[Multiaddr]) -> Result<Vec<Multiaddr>, Box<dyn std::error::Error + Send + 'static>>

  • fn new_incoming_connection(local_addr: Multiaddr, send_back_addr: Multiaddr) -> Result<(), Box<dyn std::error::Error + Send + 'static>>

The new_outgoing_connection replaces the addresses_of_peer function. It is given the PeerId - if known - and the addresses we already have that we will try to dial. It can decline the dial by returning an error or provide even more addresses to use.

The new_incoming_connection is given the local and remote's address. It doesn't return anything usually as there is no information needed to upgrade a connection.

I am reasonably happy with this design. We are only extending the NetworkBehaviour by one function, all three new_ functions follow a similar naming pattern and function signature.

Thoughts @mxinden?

[mergify]

This pull request has merge conflicts. Could you please resolve them @thomaseizinger? 🙏

[elenaf9]

Very much in favor of this! Did not do a full review yet.

[elenaf9]

Out of scope for this PR, but I do wonder if we really need the handler field on ConnectionClosed.
The handler property was added in #2191 together with adding it to Dial, DialFailure and ListenFailure. If I understand it correctly, the main motivation behind it was:

it allows one to attach state to a dial request, thus not having to keep track of it within a NetworkBehaviour implementation

Per #3099 (comment) attaching a state to a dial is not needed anymore. What's the use-case of still returning the handler in ConnectionClosed? As far as I can tell, none of our behaviours ever use it.

Motivation behind the question is that it would be great if we could get rid of the duplication between SwarmEvent and FromSwarm.
Until now the main difference was that FromSwarm also contains the handler, which should not be exposed in the SwarmEvent¹: #2423 (comment). If we could remove it here, we might be able to do something like:

enum SwarmEvent<TBehaviourOutEvent> {
    Behaviour(TBehaviourOutEvent),
    FromSwarm(FromSwarmEvent)
}

Footnotes

1. There are also some other differences; FromSwarm contains ConnectionIds, and the NewExternalAddr and ExpiredExternalAddr variants. But I don't see see a drawback in exposing them to the user. ↩

[thomaseizinger]

Related: #3046

[thomaseizinger]

Any ideas on how to make this less breaking would be gladly appreciated! :)

[thomaseizinger]

Here is a proposal regarding pending connection management:

• Remove addresses_of_peer function
• Add:

  • fn new_outgoing_connection(Option<PeerId>, &[Multiaddr]) -> Result<Vec<Multiaddr>, Box<dyn std::error::Error + Send + 'static>>

  • fn new_incoming_connection(local_addr: Multiaddr, send_back_addr: Multiaddr) -> Result<(), Box<dyn std::error::Error + Send + 'static>>

The new_outgoing_connection replaces the addresses_of_peer function. It is given the PeerId - if known - and the addresses we already have that we will try to dial. It can decline the dial by returning an error or provide even more addresses to use.

The new_incoming_connection is given the local and remote's address. It doesn't return anything usually as there is no information needed to upgrade a connection.

I am reasonably happy with this design. We are only extending the NetworkBehaviour by one function, all three new_ functions follow a similar naming pattern and function signature.

Thoughts @mxinden?

One slight variation on this: new_handler could now be called new_established_connection to be more consistent with the two others. We could also split it into new_established_inbound_connection and new_established_outbound_connection. It is a bit odd at the moment that for pending connections, the function is split by inbound and outbound but for the established one it is not.

[thomaseizinger]

I think we can limit the breaking changes of this PR to removing the handler from Dial. Everything else should be possible to do in a non-breaking way.

[mxinden]

What do you think of a small before and after code snippet to help folks upgrade?

[mxinden]

Suggested change

	peer: &PeerId,
	peer: PeerId,

Why provide a reference to a Copy type?

[mxinden]

One slight variation on this: new_handler could now be called new_established_connection to be more consistent with the two others.

Sounds good to me.

We could also split it into new_established_inbound_connection and new_established_outbound_connection. It is a bit odd at the moment that for pending connections, the function is split by inbound and outbound but for the established one it is not.

Do I understand correctly that both methods would have the same signature and that we don't foresee the two signatures to diverge any time soon? If so, I suggest not splitting it. While nice for the sake of consistency, I don't think it justifies the additional complexity.

[mxinden]

Suggested change

	initial_events: HashMap<PeerId, handler::In>,
	/// [`handler::In`] event to be provided to a handler in `NetworkBehaviour::new_handler` once the corresponding connection is established.
	initial_events: HashMap<PeerId, handler::In>,

What do you think?

[mxinden]

Injecting events through two ways, i.e. (1) at creation and (2) regularly during the lifetime of the handler via Swarm, seems inconsistent to me. That said, I can not think of a better way. I suggest keeping as is.

[thomaseizinger]

We could hold the event back here and instead listen for the ConnectionEstablished event and then emit an event later?

[mxinden]

How do we know that there is no second direct connection in progress of establishment to the given peer? How do we know that this event was predetermined for this connection and not another connection still being established?

This is rather complex. I rewrote this comment 4 times. I might be missing something.

[thomaseizinger]

We can index the HashMap by the dialed address instead of the peer ID. That should fix things I guess?

[mxinden]

Note that some NetworkBehaviour might add a relayed address here.

The relay protocol should never be spoken on top of a relayed connection. We should never do nested relaying as otherwise one could build circular relayed connections that could be misused for a DOS attack. Thus returning a dummy::ConnectionHandler on relayed connections is critical.

That said, we might be establishing both a relayed and a direct connection to a given peer in parallel. How do we know which one the initial_events event was destined for?

Not sure how to prevent this. The solution you do above, namely to drop the initial_events event in case it turns out to be a relayed connection covers the case where there is only a single connection attempt in progress. What about the case where both (relayed and direct) are in progress?

[thomaseizinger]

I only 1-to-1 ported the code that already existed, as far as I know, no functionality should currently change in this PR.

[thomaseizinger]

We could also split it into new_established_inbound_connection and new_established_outbound_connection. It is a bit odd at the moment that for pending connections, the function is split by inbound and outbound but for the established one it is not.

Do I understand correctly that both methods would have the same signature and that we don't foresee the two signatures to diverge any time soon? If so, I suggest not splitting it. While nice for the sake of consistency, I don't think it justifies the additional complexity.

If split, I would inline the variants of the ConnectedPoint enum:

rust-libp2p/core/src/connection.rs

Line 116 in f8f19ba

pub enum ConnectedPoint {

So no, the signatures would not be the same.

[divagant-martian]

Sorry for the delay. As far as lighthouse is concerned, this would work really well in particular having the ConnectedPoint, since most of the time we decide based on percentage of inbound and outbound connections. Regarding the possibly generic error, I see why it would be a nice to have, but at least in our case that can be directly handled when creating the handler and wouldn't really need the error reported by the swarm.

Also of course, thanks for all these efforts!

[thomaseizinger]

@mxinden: Instead of a new DialId or DialToken, we could also create the ConnectionId as part of the dial attempt. The Pool would later allocate one anyway so we could actually directly use that instead. This gives us one identifier for the entire connection from the moment a dial is issued up until the connection gets closed.

[thomaseizinger]

@mxinden: Instead of a new DialId or DialToken, we could also create the ConnectionId as part of the dial attempt. The Pool would later allocate one anyway so we could actually directly use that instead. This gives us one identifier for the entire connection from the moment a dial is issued up until the connection gets closed.

I think with that idea, we might be able to ship the removal of Dial::Handler as a separate patch. That would be nice.

[thomaseizinger]

@mxinden: Instead of a new DialId or DialToken, we could also create the ConnectionId as part of the dial attempt. The Pool would later allocate one anyway so we could actually directly use that instead. This gives us one identifier for the entire connection from the moment a dial is issued up until the connection gets closed.

I think with that idea, we might be able to ship the removal of Dial::Handler as a separate patch. That would be nice.

Turns out we can't but overall the version in #3254 is a lot less breaking which is nice :)