Add Ability to Restrict Outbound Dials (#5794)

* blacklist cidr * add test * Merge refs/heads/master into p2pBlacklist
prysmaticlabs · May 9, 2020 · aeb6dc1 · aeb6dc1
1 parent c82f2d5
commit aeb6dc1
Show file tree

Hide file tree

Showing 7 changed files with 93 additions and 0 deletions.
diff --git a/beacon-chain/main.go b/beacon-chain/main.go
@@ -64,6 +64,7 @@ var appFlags = []cli.Flag{
 	cmd.P2PPrivKey,
 	cmd.P2PMetadata,
 	cmd.P2PWhitelist,
+	cmd.P2PBlacklist,
 	cmd.P2PEncoding,
 	cmd.P2PPubsub,
 	cmd.DataDirFlag,

diff --git a/beacon-chain/node/node.go b/beacon-chain/node/node.go
@@ -320,6 +320,7 @@ func (b *BeaconNode) registerP2P(cliCtx *cli.Context) error {
 		UDPPort:           cliCtx.Uint(cmd.P2PUDPPort.Name),
 		MaxPeers:          cliCtx.Uint(cmd.P2PMaxPeers.Name),
 		WhitelistCIDR:     cliCtx.String(cmd.P2PWhitelist.Name),
+		BlacklistCIDR:     sliceutil.SplitCommaSeparated(cliCtx.StringSlice(cmd.P2PBlacklist.Name)),
 		EnableUPnP:        cliCtx.Bool(cmd.EnableUPnPFlag.Name),
 		DisableDiscv5:     cliCtx.Bool(flags.DisableDiscv5.Name),
 		Encoding:          cliCtx.String(cmd.P2PEncoding.Name),

diff --git a/beacon-chain/p2p/config.go b/beacon-chain/p2p/config.go
@@ -25,6 +25,7 @@ type Config struct {
 	UDPPort               uint
 	MaxPeers              uint
 	WhitelistCIDR         string
+	BlacklistCIDR         []string
 	Encoding              string
 	StateNotifier         statefeed.Notifier
 	PubSub                string

diff --git a/beacon-chain/p2p/options.go b/beacon-chain/p2p/options.go
@@ -26,6 +26,7 @@ func buildOptions(cfg *Config, ip net.IP, priKey *ecdsa.PrivateKey) []libp2p.Opt
 		libp2p.EnableRelay(),
 		libp2p.ListenAddrs(listen),
 		whitelistSubnet(cfg.WhitelistCIDR),
+		blacklistSubnets(cfg.BlacklistCIDR),
 		// Add one for the boot node and another for the relay, otherwise when we are close to maxPeers we will be above the high
 		// water mark and continually trigger pruning.
 		libp2p.ConnectionManager(connmgr.NewConnManager(int(cfg.MaxPeers+2), int(cfg.MaxPeers+2), 1*time.Second)),
@@ -121,3 +122,28 @@ func whitelistSubnet(cidr string) libp2p.Option {
 		return nil
 	}
 }
+
+// blacklistSubnet adds a blacklist multiaddress filter for multiple given CIDR subnets.
+// Example: 192.168.0.0/16 may be used to deny connections from your local
+// network.
+func blacklistSubnets(mulCidrs []string) libp2p.Option {
+	if len(mulCidrs) == 0 {
+		return func(_ *libp2p.Config) error {
+			return nil
+		}
+	}
+	return func(cfg *libp2p.Config) error {
+		if cfg.Filters == nil {
+			cfg.Filters = filter.NewFilters()
+		}
+
+		for _, cidr := range mulCidrs {
+			_, ipnet, err := net.ParseCIDR(cidr)
+			if err != nil {
+				return err
+			}
+			cfg.Filters.AddFilter(*ipnet, filter.ActionDeny)
+		}
+		return nil
+	}
+}
diff --git a/beacon-chain/p2p/options_test.go b/beacon-chain/p2p/options_test.go
@@ -2,13 +2,18 @@ package p2p
 
 import (
 	"bytes"
+	"context"
 	"crypto/rand"
 	"encoding/hex"
+	"fmt"
 	"io/ioutil"
 	"os"
 	"testing"
 
+	"github.com/libp2p/go-libp2p"
 	"github.com/libp2p/go-libp2p-core/crypto"
+	"github.com/libp2p/go-libp2p-core/peer"
+	"github.com/multiformats/go-multiaddr"
 	"github.com/prysmaticlabs/prysm/shared/testutil"
 )
 
@@ -58,3 +63,54 @@ func TestPrivateKeyLoading(t *testing.T) {
 		t.Errorf("Private keys do not match got %#x but wanted %#x", rawBytes, newRaw)
 	}
 }
+
+func TestPeerBlacklist(t *testing.T) {
+	// create host with blacklist
+	ipAddr, pkey := createAddrAndPrivKey(t)
+	ipAddr2, pkey2 := createAddrAndPrivKey(t)
+
+	mask := ipAddr2.DefaultMask()
+	ones, _ := mask.Size()
+	maskedIP := ipAddr2.Mask(mask)
+	cidr := maskedIP.String() + fmt.Sprintf("/%d", ones)
+
+	listen, err := multiaddr.NewMultiaddr(fmt.Sprintf("/ip4/%s/tcp/%d", ipAddr, 2000))
+	if err != nil {
+		t.Fatalf("Failed to p2p listen: %v", err)
+	}
+	h1, err := libp2p.New(context.Background(), []libp2p.Option{privKeyOption(pkey), libp2p.ListenAddrs(listen), blacklistSubnets([]string{cidr})}...)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err := h1.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// create alternate host
+	listen, err = multiaddr.NewMultiaddr(fmt.Sprintf("/ip4/%s/tcp/%d", ipAddr2, 3000))
+	if err != nil {
+		t.Fatalf("Failed to p2p listen: %v", err)
+	}
+	h2, err := libp2p.New(context.Background(), []libp2p.Option{privKeyOption(pkey2), libp2p.ListenAddrs(listen)}...)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err := h2.Close()
+		if err != nil {
+			t.Fatal(err)
+		}
+	}()
+	multiAddress, err := multiaddr.NewMultiaddr(fmt.Sprintf("/ip4/%s/tcp/%d/p2p/%s", ipAddr2, 3000, h2.ID()))
+	addrInfo, err := peer.AddrInfoFromP2pAddr(multiAddress)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = h1.Connect(context.Background(), *addrInfo)
+	if err == nil {
+		t.Error("Wanted connection to fail with blacklist")
+	}
+}
diff --git a/beacon-chain/usage.go b/beacon-chain/usage.go
@@ -109,6 +109,7 @@ var appHelpFlagGroups = []flagGroup{
 			cmd.P2PPrivKey,
 			cmd.P2PMetadata,
 			cmd.P2PWhitelist,
+			cmd.P2PBlacklist,
 			cmd.StaticPeers,
 			cmd.EnableUPnPFlag,
 			cmd.P2PEncoding,

diff --git a/shared/cmd/flags.go b/shared/cmd/flags.go
@@ -125,6 +125,13 @@ var (
 			"would whitelist connections to peers on your local network only. The default " +
 			"is to accept all connections.",
 	}
+	// P2PBlacklist defines a list of CIDR subnets to disallow connections from them.
+	P2PBlacklist = &cli.StringSliceFlag{
+		Name: "p2p-blacklist",
+		Usage: "The CIDR subnets for blacklisting peer connections. Example: 192.168.0.0/16 " +
+			"would blacklist connections from peers on your local network only. The default " +
+			"is to accept all connections.",
+	}
 	// P2PEncoding defines the encoding format for p2p messages.
 	P2PEncoding = &cli.StringFlag{
 		Name:  "p2p-encoding",