authorFelix Lange <fjl@twurst.com>2016-11-23 03:51:59 +0800
committerFelix Lange <fjl@twurst.com>2016-11-23 05:21:18 +0800
commita47341cf96498332e2f0f67c1a6456c67831a5d0 (patch)
tree92e3c89aa1060e210cc288a68dddaa24be161181 /p2p/server.go
parente46bda50935cfad5bfc51130e4ea802f518917e7 (diff)
p2p, p2p/discover, p2p/discv5: add IP network restriction feature
The p2p packages can now be configured to restrict all communication to a certain subset of IP networks. This feature is meant to be used for private networks.
Diffstat (limited to 'p2p/server.go')
-rw-r--r--p2p/server.go25
1 files changed, 21 insertions, 4 deletions
diff --git a/p2p/server.go b/p2p/server.go
index 7381127dc..cf9672e2d 100644
--- a/p2p/server.go
+++ b/p2p/server.go
@@ -30,6 +30,7 @@ import (
"github.com/ethereum/go-ethereum/p2p/discover"
"github.com/ethereum/go-ethereum/p2p/discv5"
"github.com/ethereum/go-ethereum/p2p/nat"
+ "github.com/ethereum/go-ethereum/p2p/netutil"
)
const (
@@ -101,6 +102,11 @@ type Config struct {
// allowed to connect, even above the peer limit.
TrustedNodes []*discover.Node
+ // Connectivity can be restricted to certain IP networks.
+ // If this option is set to a non-nil value, only hosts which match one of the
+ // IP networks contained in the list are considered.
+ NetRestrict *netutil.Netlist
+
// NodeDatabase is the path to the database containing the previously seen
// live nodes in the network.
NodeDatabase string
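Review bot: The NetRestrict doc comment at the top of this hunk should spell out the two cases a private-network operator will ask about: what happens to TrustedNodes/StaticNodes that fall outside the list, and that a non-nil but empty Netlist rejects every peer. From the rest of this commit the same list is handed to the discovery tables, the dialer and the inbound listener, so it appears to apply to static and trusted peers as well, but the hunk does not say so and I have hedged that inference. Also note that the inbound check added to listenLoop elsewhere in this commit only rejects a connection when RemoteAddr is a `*net.TCPAddr`; any other address type passes through, which is fail-open — in practice the listener is TCP so this is mostly defensive, but `tcp, ok := fd.RemoteAddr().(*net.TCPAddr); if !ok || !srv.NetRestrict.Contains(tcp.IP) {` is the fail-closed form and costs nothing. I would extend the comment with `// NetRestrict applies to inbound, dialed and discovered peers alike; an empty non-nil list rejects everyone. Trusted and static nodes are not exempt (confirm against dial.go).` The Config struct continues outside this hunk.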
@@ -356,7 +362,7 @@ func (srv *Server) Start() (err error) {
// node table
if srv.Discovery {
- ntab, err := discover.ListenUDP(srv.PrivateKey, srv.ListenAddr, srv.NAT, srv.NodeDatabase)
+ ntab, err := discover.ListenUDP(srv.PrivateKey, srv.ListenAddr, srv.NAT, srv.NodeDatabase, srv.NetRestrict)
if err != nil {
return err
}
@@ -367,7 +373,7 @@ func (srv *Server) Start() (err error) {
}
if srv.DiscoveryV5 {
- ntab, err := discv5.ListenUDP(srv.PrivateKey, srv.DiscoveryV5Addr, srv.NAT, "") //srv.NodeDatabase)
+ ntab, err := discv5.ListenUDP(srv.PrivateKey, srv.DiscoveryV5Addr, srv.NAT, "", srv.NetRestrict) //srv.NodeDatabase)
if err != nil {
return err
}
@@ -381,7 +387,7 @@ func (srv *Server) Start() (err error) {
if !srv.Discovery {
dynPeers = 0
}
- dialer := newDialState(srv.StaticNodes, srv.ntab, dynPeers)
+ dialer := newDialState(srv.StaticNodes, srv.ntab, dynPeers, srv.NetRestrict)
// handshake
srv.ourHandshake = &protoHandshake{Version: baseProtocolVersion, Name: srv.Name, ID: discover.PubkeyID(&srv.PrivateKey.PublicKey)}
@@ -634,8 +640,19 @@ func (srv *Server) listenLoop() {
}
break
}
+
+ // Reject connections that do not match NetRestrict.
+ if srv.NetRestrict != nil {
+ if tcp, ok := fd.RemoteAddr().(*net.TCPAddr); ok && !srv.NetRestrict.Contains(tcp.IP) {
+ glog.V(logger.Debug).Infof("Rejected conn %v because it is not whitelisted in NetRestrict", fd.RemoteAddr())
+ fd.Close()
+ slots <- struct{}{}
+ continue
+ }
+ }
+
fd = newMeteredConn(fd, true)
- glog.V(logger.Debug).Infof("Accepted conn %v\n", fd.RemoteAddr())
+ glog.V(logger.Debug).Infof("Accepted conn %v", fd.RemoteAddr())
// Spawn the handler. It will give the slot back when the connection
// has been established.