[p2p]: feat: allow disable scan of private ips (#4151)

* [p2p]: feat: allow disable scan of private ips Add a command line flag `--p2p.no-private-ip-scan` or config file option in P2P `DisablePrivateIPScan` to stop node operators from receiving netscan abuse emails. Fixes #4036, #4046 and #3788. After this change, node operators should not need to use `iptables` to firewall out RFC1918 traffic. * [p2p] fix: Cascade disallow private scan
3 years ago · 947c6ef11c
parent 8bb885e85b
commit 947c6ef11c
10 changed files with 100 additions and 51 deletions
--- a/cmd/harmony/config_migrations.go
+++ b/cmd/harmony/config_migrations.go
@ -229,4 +229,13 @@ func init() {
 		confTree.Set("Version", "2.5.1")
 		return confTree
 	}
+
+	migrations["2.5.1"] = func(confTree *toml.Tree) *toml.Tree {
+		if confTree.Get("P2P.DisablePrivateIPScan") == nil {
+			confTree.Set("P2P.DisablePrivateIPScan", defaultConfig.P2P.DisablePrivateIPScan)
+		}
+
+		confTree.Set("Version", "2.5.2")
+		return confTree
+	}
 }
--- a/cmd/harmony/default.go
+++ b/cmd/harmony/default.go
@ -5,7 +5,7 @@ import (
 	nodeconfig "github.com/harmony-one/harmony/internal/configs/node"
 )

-const tomlConfigVersion = "2.5.1" // bump from 2.5.0 for AccountSlots
+const tomlConfigVersion = "2.5.2" // bump from 2.5.1 for DisablePrivateIPScan

 const (
 	defNetworkType = nodeconfig.Mainnet
@ -30,6 +30,7 @@ var defaultConfig = harmonyconfig.HarmonyConfig{
 		KeyFile:              "./.hmykey",
 		DiscConcurrency:      nodeconfig.DefaultP2PConcurrency,
 		MaxConnsPerIP:        nodeconfig.DefaultMaxConnPerIP,
+		DisablePrivateIPScan: false,
 	},
 	HTTP: harmonyconfig.HttpConfig{
 		Enabled:        true,
--- a/cmd/harmony/flags.go
+++ b/cmd/harmony/flags.go
@ -60,6 +60,7 @@ var (
 		p2pDHTDataStoreFlag,
 		p2pDiscoveryConcurrencyFlag,
 		legacyKeyFileFlag,
+		p2pDisablePrivateIPScanFlag,
 		maxConnPerIPFlag,
 	}

@ -551,6 +552,11 @@ var (
 		Usage:    "the pubsub's DHT discovery concurrency num (default with raw libp2p dht option)",
 		DefValue: defaultConfig.P2P.DiscConcurrency,
 	}
+	p2pDisablePrivateIPScanFlag = cli.BoolFlag{
+		Name:     "p2p.no-private-ip-scan",
+		Usage:    "disable scanning of private ip4/6 addresses by DHT",
+		DefValue: defaultConfig.P2P.DisablePrivateIPScan,
+	}
 	maxConnPerIPFlag = cli.IntFlag{
 		Name:     "p2p.security.max-conn-per-ip",
 		Usage:    "maximum number of connections allowed per node",
@ -587,6 +593,10 @@ func applyP2PFlags(cmd *cobra.Command, config *harmonyconfig.HarmonyConfig) {
 	if cli.IsFlagChanged(cmd, maxConnPerIPFlag) {
 		config.P2P.MaxConnsPerIP = cli.GetIntFlagValue(cmd, maxConnPerIPFlag)
 	}
+
+	if cli.IsFlagChanged(cmd, p2pDisablePrivateIPScanFlag) {
+		config.P2P.DisablePrivateIPScan = cli.GetBoolFlagValue(cmd, p2pDisablePrivateIPScanFlag)
+	}
 }

 // http flags
--- a/cmd/harmony/flags_test.go
+++ b/cmd/harmony/flags_test.go
@ -63,6 +63,7 @@ func TestHarmonyFlags(t *testing.T) {
 					KeyFile:              defaultConfig.P2P.KeyFile,
 					DiscConcurrency:      5,
 					MaxConnsPerIP:        5,
+					DisablePrivateIPScan: false,
 				},
 				HTTP: harmonyconfig.HttpConfig{
 					Enabled:        true,
@ -380,6 +381,7 @@ func TestP2PFlags(t *testing.T) {
 				KeyFile:              "./key.file",
 				DHTDataStore:         &defDataStore,
 				MaxConnsPerIP:        10,
+				DisablePrivateIPScan: false,
 			},
 		},
 		{
@ -389,6 +391,7 @@ func TestP2PFlags(t *testing.T) {
 				IP:                   nodeconfig.DefaultPublicListenIP,
 				KeyFile:              "./key.file",
 				MaxConnsPerIP:        10,
+				DisablePrivateIPScan: false,
 			},
 		},
 		{
@ -399,6 +402,18 @@ func TestP2PFlags(t *testing.T) {
 				KeyFile:              "./.hmykey",
 				DiscConcurrency:      5,
 				MaxConnsPerIP:        5,
+				DisablePrivateIPScan: false,
+			},
+		},
+		{
+			args: []string{"--p2p.no-private-ip-scan"},
+			expConfig: harmonyconfig.P2pConfig{
+				Port:                 nodeconfig.DefaultP2PPort,
+				IP:                   nodeconfig.DefaultPublicListenIP,
+				KeyFile:              "./.hmykey",
+				DiscConcurrency:      nodeconfig.DefaultP2PConcurrency,
+				MaxConnsPerIP:        nodeconfig.DefaultMaxConnPerIP,
+				DisablePrivateIPScan: true,
 			},
 		},
 	}
--- a/cmd/harmony/main.go
+++ b/cmd/harmony/main.go
@ -600,6 +600,7 @@ func createGlobalConfig(hc harmonyconfig.HarmonyConfig) (*nodeconfig.ConfigType,
 		DataStoreFile:        hc.P2P.DHTDataStore,
 		DiscConcurrency:      hc.P2P.DiscConcurrency,
 		MaxConnPerIP:         hc.P2P.MaxConnsPerIP,
+		DisablePrivateIPScan: hc.P2P.DisablePrivateIPScan,
 	})
 	if err != nil {
 		return nil, errors.Wrap(err, "cannot create P2P network host")
--- a/internal/configs/harmony/harmony.go
+++ b/internal/configs/harmony/harmony.go
@ -52,6 +52,7 @@ type P2pConfig struct {
 	DHTDataStore         *string `toml:",omitempty"`
 	DiscConcurrency      int     // Discovery Concurrency value
 	MaxConnsPerIP        int
+	DisablePrivateIPScan bool
 }

 type GeneralConfig struct {
--- a/p2p/discovery/option.go
+++ b/p2p/discovery/option.go
@ -14,6 +14,7 @@ type DHTConfig struct {
 	BootNodes            []string
 	DataStoreFile        *string // File path to store DHT data. Shall be only used for bootstrap nodes.
 	DiscConcurrency      int
+	DisablePrivateIPScan bool
 }

 // getLibp2pRawOptions get the raw libp2p options as a slice.
@ -40,6 +41,13 @@ func (opt DHTConfig) getLibp2pRawOptions() ([]libp2p_dht.Option, error) {
 		opts = append(opts, libp2p_dht.Concurrency(opt.DiscConcurrency))
 	}

+	if opt.DisablePrivateIPScan {
+		// QueryFilter sets a function that approves which peers may be dialed in a query
+		// PublicQueryFilter returns true if the peer is suspected of being publicly accessible
+		// includes RFC1918 + some other ranges + a stricter definition for IPv6
+		opts = append(opts, libp2p_dht.QueryFilter(libp2p_dht.PublicQueryFilter))
+	}
+
 	return opts, nil
 }

--- a/p2p/host.go
+++ b/p2p/host.go
@ -86,6 +86,7 @@ type HostConfig struct {
 	DataStoreFile        *string
 	DiscConcurrency      int
 	MaxConnPerIP         int
+	DisablePrivateIPScan bool
 }

 // NewHost ..
@ -117,6 +118,7 @@ func NewHost(cfg HostConfig) (Host, error) {
 		BootNodes:            cfg.BootNodes,
 		DataStoreFile:        cfg.DataStoreFile,
 		DiscConcurrency:      cfg.DiscConcurrency,
+		DisablePrivateIPScan: cfg.DisablePrivateIPScan,
 	})
 	if err != nil {
 		cancel()
--- a/rosetta/infra/harmony-mainnet.conf
+++ b/rosetta/infra/harmony-mainnet.conf
@ -1,4 +1,4 @@
-Version = "2.5.1"
+Version = "2.5.2"

 [BLSKeys]
  KMSConfigFile = ""
@ -62,6 +62,7 @@ Version = "2.5.1"
  KeyFile = "./.hmykey"
  MaxConnsPerIP = 10
  Port = 9000
+  DisablePrivateIPScan = false

 [Pprof]
  Enabled = false
--- a/rosetta/infra/harmony-pstn.conf
+++ b/rosetta/infra/harmony-pstn.conf
@ -1,4 +1,4 @@
-Version = "2.5.1"
+Version = "2.5.2"

 [BLSKeys]
  KMSConfigFile = ""
@ -62,6 +62,7 @@ Version = "2.5.1"
  KeyFile = "./.hmykey"
  MaxConnsPerIP = 10
  Port = 9000
+  DisablePrivateIPScan = false

 [Pprof]
  Enabled = false