[p2p]: feat: allow disable scan of private ips

Add a command line flag `--p2p.no-private-ip-scan` or config file option
in P2P `DisablePrivateIPScan` to stop node operators from receiving
netscan abuse emails. Fixes harmony-one#4036, harmony-one#4046 and harmony-one#3788. After this change,
node operators should not need to use `iptables` to firewall out RFC1918
traffic.

cmd/harmony/config_migrations.go

@@ -229,4 +229,13 @@ func init() {
  confTree.Set("Version", "2.5.1")
  return confTree
  }
+
+ migrations["2.5.1"] = func(confTree *toml.Tree) *toml.Tree {
+ if confTree.Get("P2P.DisablePrivateIPScan") == nil {
+ confTree.Set("P2P.DisablePrivateIPScan", defaultConfig.P2P.DisablePrivateIPScan)
+ }
+
+ confTree.Set("Version", "2.5.2")
+ return confTree
+ }
 }

cmd/harmony/default.go

@@ -5,7 +5,7 @@ import (
  nodeconfig "github.com/harmony-one/harmony/internal/configs/node"
 )
 
-const tomlConfigVersion = "2.5.1" // bump from 2.5.0 for AccountSlots
+const tomlConfigVersion = "2.5.2" // bump from 2.5.1 for DisablePrivateIPScan
 
 const (
  defNetworkType = nodeconfig.Mainnet
@@ -24,11 +24,12 @@ var defaultConfig = harmonyconfig.HarmonyConfig{
  },
  Network: getDefaultNetworkConfig(defNetworkType),
  P2P: harmonyconfig.P2pConfig{
- Port: nodeconfig.DefaultP2PPort,
- IP: nodeconfig.DefaultPublicListenIP,
- KeyFile: "./.hmykey",
- DiscConcurrency: nodeconfig.DefaultP2PConcurrency,
- MaxConnsPerIP: nodeconfig.DefaultMaxConnPerIP,
+ Port: nodeconfig.DefaultP2PPort,
+ IP: nodeconfig.DefaultPublicListenIP,
+ KeyFile: "./.hmykey",
+ DiscConcurrency: nodeconfig.DefaultP2PConcurrency,
+ MaxConnsPerIP: nodeconfig.DefaultMaxConnPerIP,
+ DisablePrivateIPScan: false,
  },
  HTTP: harmonyconfig.HttpConfig{
  Enabled: true,

cmd/harmony/flags.go

@@ -58,6 +58,7 @@ var (
  p2pDHTDataStoreFlag,
  p2pDiscoveryConcurrencyFlag,
  legacyKeyFileFlag,
+ p2pDisablePrivateIPScanFlag,
  maxConnPerIPFlag,
  }
 
@@ -539,6 +540,11 @@ var (
  Usage: "the pubsub's DHT discovery concurrency num (default with raw libp2p dht option)",
  DefValue: defaultConfig.P2P.DiscConcurrency,
  }
+ p2pDisablePrivateIPScanFlag = cli.BoolFlag{
+ Name: "p2p.no-private-ip-scan",
+ Usage: "disable scanning of private ip4/6 addresses by DHT",
+ DefValue: defaultConfig.P2P.DisablePrivateIPScan,
+ }
  maxConnPerIPFlag = cli.IntFlag{
  Name: "p2p.security.max-conn-per-ip",
  Usage: "maximum number of connections allowed per node",
@@ -575,6 +581,10 @@ func applyP2PFlags(cmd *cobra.Command, config *harmonyconfig.HarmonyConfig) {
  if cli.IsFlagChanged(cmd, maxConnPerIPFlag) {
  config.P2P.MaxConnsPerIP = cli.GetIntFlagValue(cmd, maxConnPerIPFlag)
  }
+
+ if cli.IsFlagChanged(cmd, p2pDisablePrivateIPScanFlag) {
+ config.P2P.DisablePrivateIPScan = cli.GetBoolFlagValue(cmd, p2pDisablePrivateIPScanFlag)
+ }
 }
 
 // http flags

cmd/harmony/flags_test.go

@@ -58,11 +58,12 @@ func TestHarmonyFlags(t *testing.T) {
  ServerPort: nodeconfig.DefaultDNSPort,
  },
  P2P: harmonyconfig.P2pConfig{
- Port: 9000,
- IP: defaultConfig.P2P.IP,
- KeyFile: defaultConfig.P2P.KeyFile,
- DiscConcurrency: 5,
- MaxConnsPerIP: 5,
+ Port: 9000,
+ IP: defaultConfig.P2P.IP,
+ KeyFile: defaultConfig.P2P.KeyFile,
+ DiscConcurrency: 5,
+ MaxConnsPerIP: 5,
+ DisablePrivateIPScan: false,
  },
  HTTP: harmonyconfig.HttpConfig{
  Enabled: true,
@@ -375,30 +376,44 @@ func TestP2PFlags(t *testing.T) {
  args: []string{"--p2p.port", "9001", "--p2p.keyfile", "./key.file", "--p2p.dht.datastore",
  defDataStore},
  expConfig: harmonyconfig.P2pConfig{
- Port: 9001,
- IP: nodeconfig.DefaultPublicListenIP,
- KeyFile: "./key.file",
- DHTDataStore: &defDataStore,
- MaxConnsPerIP: 10,
+ Port: 9001,
+ IP: nodeconfig.DefaultPublicListenIP,
+ KeyFile: "./key.file",
+ DHTDataStore: &defDataStore,
+ MaxConnsPerIP: 10,
+ DisablePrivateIPScan: false,
  },
  },
  {
  args: []string{"--port", "9001", "--key", "./key.file"},
  expConfig: harmonyconfig.P2pConfig{
- Port: 9001,
- IP: nodeconfig.DefaultPublicListenIP,
- KeyFile: "./key.file",
- MaxConnsPerIP: 10,
+ Port: 9001,
+ IP: nodeconfig.DefaultPublicListenIP,
+ KeyFile: "./key.file",
+ MaxConnsPerIP: 10,
+ DisablePrivateIPScan: false,
  },
  },
  {
  args: []string{"--p2p.port", "9001", "--p2p.disc.concurrency", "5", "--p2p.security.max-conn-per-ip", "5"},
  expConfig: harmonyconfig.P2pConfig{
- Port: 9001,
- IP: nodeconfig.DefaultPublicListenIP,
- KeyFile: "./.hmykey",
- DiscConcurrency: 5,
- MaxConnsPerIP: 5,
+ Port: 9001,
+ IP: nodeconfig.DefaultPublicListenIP,
+ KeyFile: "./.hmykey",
+ DiscConcurrency: 5,
+ MaxConnsPerIP: 5,
+ DisablePrivateIPScan: false,
+ },
+ },
+ {
+ args: []string{"--p2p.no-private-ip-scan"},
+ expConfig: harmonyconfig.P2pConfig{
+ Port: nodeconfig.DefaultP2PPort,
+ IP: nodeconfig.DefaultPublicListenIP,
+ KeyFile: "./.hmykey",
+ DiscConcurrency: nodeconfig.DefaultP2PConcurrency,
+ MaxConnsPerIP: nodeconfig.DefaultMaxConnPerIP,
+ DisablePrivateIPScan: true,
  },
  },
  }

internal/configs/harmony/harmony.go

@@ -46,12 +46,13 @@ type NetworkConfig struct {
 }
 
 type P2pConfig struct {
- Port int
- IP string
- KeyFile string
- DHTDataStore *string `toml:",omitempty"`
- DiscConcurrency int // Discovery Concurrency value
- MaxConnsPerIP int
+ Port int
+ IP string
+ KeyFile string
+ DHTDataStore *string `toml:",omitempty"`
+ DiscConcurrency int // Discovery Concurrency value
+ MaxConnsPerIP int
+ DisablePrivateIPScan bool
 }
 
 type GeneralConfig struct {

p2p/discovery/option.go

@@ -11,9 +11,10 @@ import (
 // DHTConfig is the configurable DHT options.
 // For normal nodes, only BootNodes field need to be specified.
 type DHTConfig struct {
- BootNodes []string
- DataStoreFile *string // File path to store DHT data. Shall be only used for bootstrap nodes.
- DiscConcurrency int
+ BootNodes []string
+ DataStoreFile *string // File path to store DHT data. Shall be only used for bootstrap nodes.
+ DiscConcurrency int
+ DisablePrivateIPScan bool
 }
 
 // getLibp2pRawOptions get the raw libp2p options as a slice.
@@ -40,6 +41,13 @@ func (opt DHTConfig) getLibp2pRawOptions() ([]libp2p_dht.Option, error) {
  opts = append(opts, libp2p_dht.Concurrency(opt.DiscConcurrency))
  }
 
+ if opt.DisablePrivateIPScan {
+ // QueryFilter sets a function that approves which peers may be dialed in a query
+ // PublicQueryFilter returns true if the peer is suspected of being publicly accessible
+ // includes RFC1918 + some other ranges + a stricter definition for IPv6
+ opts = append(opts, libp2p_dht.QueryFilter(libp2p_dht.PublicQueryFilter))
+ }
+
  return opts, nil
 }
 

p2p/host.go

@@ -80,12 +80,13 @@ const (
 
 // HostConfig is the config structure to create a new host
 type HostConfig struct {
- Self *Peer
- BLSKey libp2p_crypto.PrivKey
- BootNodes []string
- DataStoreFile *string
- DiscConcurrency int
- MaxConnPerIP int
+ Self *Peer
+ BLSKey libp2p_crypto.PrivKey
+ BootNodes []string
+ DataStoreFile *string
+ DiscConcurrency int
+ MaxConnPerIP int
+ DisablePrivateIPScan bool
 }
 
 // NewHost ..
@@ -114,9 +115,10 @@ func NewHost(cfg HostConfig) (Host, error) {
  }
 
  disc, err := discovery.NewDHTDiscovery(p2pHost, discovery.DHTConfig{
- BootNodes: cfg.BootNodes,
- DataStoreFile: cfg.DataStoreFile,
- DiscConcurrency: cfg.DiscConcurrency,
+ BootNodes: cfg.BootNodes,
+ DataStoreFile: cfg.DataStoreFile,
+ DiscConcurrency: cfg.DiscConcurrency,
+ DisablePrivateIPScan: cfg.DisablePrivateIPScan,
  })
  if err != nil {
  cancel()

rosetta/infra/harmony-mainnet.conf

@@ -1,4 +1,4 @@
-Version = "2.5.1"
+Version = "2.5.2"
 
 [BLSKeys]
  KMSConfigFile = ""
@@ -62,6 +62,7 @@ Version = "2.5.1"
  KeyFile = "./.hmykey"
  MaxConnsPerIP = 10
  Port = 9000
+ DisablePrivateIPScan = false
 
 [Pprof]
  Enabled = false

rosetta/infra/harmony-pstn.conf

@@ -1,4 +1,4 @@
-Version = "2.5.1"
+Version = "2.5.2"
 
 [BLSKeys]
  KMSConfigFile = ""
@@ -62,6 +62,7 @@ Version = "2.5.1"
  KeyFile = "./.hmykey"
  MaxConnsPerIP = 10
  Port = 9000
+ DisablePrivateIPScan = false
 
 [Pprof]
  Enabled = false