
Commit 88f26b4

chengzhineioker
and
oker
authored
add consensus ip whitelist (#3311)
* add consensus ip whitelist * handle fastsync and evidence * add enableConsensusIPWhitelist * consensus to p2p * let status rsp addr empty --------- Co-authored-by: oker <[email protected]>
1 parent 09bd020 commit 88f26b4

6 files changed

+74
-3
lines changed

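--- a/app/config/config.go
+++ b/app/config/config.go
@@ -137,6 +137,9 @@ type OecConfig struct {
 maxSubscriptionClients int
 
 maxTxLimitPerPeer uint64
+
+enableP2PIPWhitelist bool
+consensusIPWhitelist map[string]bool
 }
 
 const (
@@ -168,6 +171,8 @@ const (
 FlagDynamicGpMaxTxNum = "dynamic-gp-max-tx-num"
 FlagEnableWrappedTx = "enable-wtx"
 FlagSentryAddrs = "p2p.sentry_addrs"
+FlagEnableP2PIPWhitelist = "p2p.enable_ip_whitelist"
+FlagConsensusIPWhitelist = "p2p.consensus_ip_whitelist"
 FlagCsTimeoutPropose = "consensus.timeout_propose"
 FlagCsTimeoutProposeDelta = "consensus.timeout_propose_delta"
 FlagCsTimeoutPrevote = "consensus.timeout_prevote"
@@ -280,6 +285,7 @@ func defaultOecConfig() *OecConfig {
 mempoolForceRecheckGap: 2000,
 commitGapHeight: iavlconfig.DefaultCommitGapHeight,
 iavlFSCacheSize: tmiavl.DefaultIavlFastStorageCacheSize,
+consensusIPWhitelist: map[string]bool{},
 }
 }
 
@@ -331,6 +337,8 @@ func (c *OecConfig) loadFromConfig() {
 c.SetCommitGapHeight(viper.GetInt64(server.FlagCommitGapHeight))
 c.SetSentryAddrs(viper.GetString(FlagSentryAddrs))
 c.SetNodeKeyWhitelist(viper.GetString(FlagNodeKeyWhitelist))
+c.SetEnableP2PIPWhitelist(viper.GetBool(FlagEnableP2PIPWhitelist))
+c.SetConsensusIPWhitelist(viper.GetString(FlagConsensusIPWhitelist))
 c.SetEnableWtx(viper.GetBool(FlagEnableWrappedTx))
 c.SetEnableAnalyzer(viper.GetBool(trace.FlagEnableAnalyzer))
 c.SetDeliverTxsExecuteMode(viper.GetInt(state.FlagDeliverTxsExecMode))
@@ -511,6 +519,14 @@ func (c *OecConfig) updateFromKVStr(k, v string) {
 c.SetPendingPoolBlacklist(v)
 case FlagNodeKeyWhitelist:
 c.SetNodeKeyWhitelist(v)
+case FlagEnableP2PIPWhitelist:
+r, err := strconv.ParseBool(v)
+if err != nil {
+return
+}
+c.SetEnableP2PIPWhitelist(r)
+case FlagConsensusIPWhitelist:
+c.SetConsensusIPWhitelist(v)
 case FlagMempoolCheckTxCost:
 r, err := strconv.ParseBool(v)
 if err != nil {
@@ -810,6 +826,14 @@ func (c *OecConfig) GetNodeKeyWhitelist() []string {
 return c.nodeKeyWhitelist
 }
 
+func (c *OecConfig) GetEnableP2PIPWhitelist() bool {
+return c.enableP2PIPWhitelist
+}
+
+func (c *OecConfig) GetConsensusIPWhitelist() map[string]bool {
+return c.consensusIPWhitelist
+}
+
 func (c *OecConfig) GetMempoolCheckTxCost() bool {
 return c.mempoolCheckTxCost
 }
@@ -831,6 +855,18 @@ func (c *OecConfig) SetNodeKeyWhitelist(value string) {
 }
 }
 
+func (c *OecConfig) SetEnableP2PIPWhitelist(value bool) {
+c.enableP2PIPWhitelist = value
+}
+
+func (c *OecConfig) SetConsensusIPWhitelist(value string) {
+c.consensusIPWhitelist = map[string]bool{}
+ipList := resolveNodeKeyWhitelist(value)
+for _, ip := range ipList {
+c.consensusIPWhitelist[strings.TrimSpace(ip)] = true
+}
+}
+
 func (c *OecConfig) GetSentryAddrs() []string {
 return c.sentryAddrs
 }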
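Review bot: `SetConsensusIPWhitelist` assigns a fresh empty map to `c.consensusIPWhitelist` and then fills it in place, while `GetConsensusIPWhitelist` hands that same map to the reactors' `Receive` paths. If an update arrives through `updateFromKVStr` while the node is running, readers can see an empty or half-filled list and drop traffic from allowed peers, and an unsynchronised map write racing a map read can abort the process with Go's concurrent-map fault. Build the set in a local first, `m := make(map[string]bool, len(ipList))`, fill `m` in the loop, then publish it with `c.consensusIPWhitelist = m`; whether the field additionally needs a lock or an atomic swap depends on how the other OecConfig fields are guarded, which is not visible here. Entries are only passed through `strings.TrimSpace`, so it would also help to reject values that are not plain IP literals, since the lookup key is `src.RemoteIP().String()`.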

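--- a/libs/tendermint/blockchain/v0/reactor.go
+++ b/libs/tendermint/blockchain/v0/reactor.go
@@ -9,6 +9,7 @@ import (
 
 amino "github.com/tendermint/go-amino"
 
+cfg "github.com/okex/exchain/libs/tendermint/config"
 "github.com/okex/exchain/libs/tendermint/libs/log"
 "github.com/okex/exchain/libs/tendermint/p2p"
 sm "github.com/okex/exchain/libs/tendermint/state"
@@ -221,6 +222,13 @@ func (bcR *BlockchainReactor) Receive(chID byte, src p2p.Peer, msgBytes []byte)
 case *bcBlockRequestMessage:
 bcR.respondToPeer(msg, src)
 case *bcBlockResponseMessage:
+if cfg.DynamicConfig.GetEnableP2PIPWhitelist() {
+okIP := cfg.DynamicConfig.GetConsensusIPWhitelist()[src.RemoteIP().String()]
+if !okIP {
+bcR.Logger.Error("consensus msg:IP not in whitelist", "IP", src.RemoteIP().String())
+return
+}
+}
 bcR.Logger.Info("AddBlock.", "Height", msg.Block.Height, "Peer", src.ID())
 bcR.pool.AddBlock(src.ID(), msg, len(msgBytes))
 case *bcStatusRequestMessage: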
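Review bot: A peer that fails the whitelist check stays connected, and every block response it sends produces an Error-level log line, so a single off-list peer controls how fast this log grows; the same block is repeated in `consensus/reactor.go` and `evidence/reactor.go`. Consider logging at a lower level or once per peer, and pulling the three copies into one helper so they cannot drift apart (this also avoids calling `src.RemoteIP().String()` twice). Only the `*bcBlockResponseMessage` case is gated here, so a short comment such as `// fast-sync blocks are accepted only from whitelisted peers; block requests are still served to any peer` would record that this is intended. The rest of `Receive` lies outside the hunk, so how the pool treats a request whose response was discarded cannot be judged from here.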

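--- a/libs/tendermint/config/dynamic_config_okchain.go
+++ b/libs/tendermint/config/dynamic_config_okchain.go
@@ -41,6 +41,8 @@ type IDynamicConfig interface {
 GetMaxSubscriptionClients() int
 GetPendingPoolBlacklist() string
 GetMaxTxLimitPerPeer() uint64
+GetEnableP2PIPWhitelist() bool
+GetConsensusIPWhitelist() map[string]bool
 }
 
 var DynamicConfig IDynamicConfig = MockDynamicConfig{}
@@ -233,3 +235,9 @@ func (d MockDynamicConfig) GetPendingPoolBlacklist() string {
 func (c MockDynamicConfig) GetMaxTxLimitPerPeer() uint64 {
 return DefaultMempoolConfig().MaxTxLimitPerPeer
 }
+
+func (c MockDynamicConfig) GetEnableP2PIPWhitelist() bool { return false }
+
+func (c MockDynamicConfig) GetConsensusIPWhitelist() map[string]bool {
+return map[string]bool{}
+}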

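--- a/libs/tendermint/consensus/reactor.go
+++ b/libs/tendermint/consensus/reactor.go
@@ -3,17 +3,17 @@ package consensus
 import (
 "bytes"
 "fmt"
-"github.com/okex/exchain/libs/tendermint/crypto"
-"github.com/okex/exchain/libs/tendermint/libs/automation"
 "reflect"
 "sync"
 "time"
 
 "github.com/pkg/errors"
-
 amino "github.com/tendermint/go-amino"
 
+cfg "github.com/okex/exchain/libs/tendermint/config"
 cstypes "github.com/okex/exchain/libs/tendermint/consensus/types"
+"github.com/okex/exchain/libs/tendermint/crypto"
+"github.com/okex/exchain/libs/tendermint/libs/automation"
 "github.com/okex/exchain/libs/tendermint/libs/bits"
 tmevents "github.com/okex/exchain/libs/tendermint/libs/events"
 "github.com/okex/exchain/libs/tendermint/libs/log"
@@ -343,6 +343,14 @@ func (conR *Reactor) Receive(chID byte, src p2p.Peer, msgBytes []byte) {
 return
 }
 
+if cfg.DynamicConfig.GetEnableP2PIPWhitelist() {
+okIP := cfg.DynamicConfig.GetConsensusIPWhitelist()[src.RemoteIP().String()]
+if !okIP {
+conR.Logger.Error("consensus msg:IP not in whitelist", "IP", src.RemoteIP().String())
+return
+}
+}
+
 msg, err := decodeMsg(msgBytes)
 if err != nil {
 conR.Logger.Error("Error decoding message", "src", src, "chId", chID, "msg", msg, "err", err, "bytes", msgBytes)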
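Review bot: With `p2p.enable_ip_whitelist` set and `p2p.consensus_ip_whitelist` left at its default, the map is empty (`consensusIPWhitelist: map[string]bool{}` in `defaultOecConfig`), so this check discards every message reaching this reactor before `decodeMsg` runs. The node would then presumably stop following consensus, with only per-message Error lines to explain why. The two settings are loaded independently, so it would be safer to refuse, or loudly warn about, the enabled-but-empty combination at the point where the config is applied. The match is an exact string comparison against `src.RemoteIP().String()`, so the option's documentation should say that entries must be bare IP literals in that form. `Receive` starts and ends outside the hunk.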

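--- a/libs/tendermint/evidence/reactor.go
+++ b/libs/tendermint/evidence/reactor.go
@@ -7,6 +7,7 @@ import (
 
 amino "github.com/tendermint/go-amino"
 
+cfg "github.com/okex/exchain/libs/tendermint/config"
 clist "github.com/okex/exchain/libs/tendermint/libs/clist"
 "github.com/okex/exchain/libs/tendermint/libs/log"
 "github.com/okex/exchain/libs/tendermint/p2p"
@@ -63,6 +64,14 @@ func (evR *Reactor) AddPeer(peer p2p.Peer) {
 // Receive implements Reactor.
 // It adds any received evidence to the evpool.
 func (evR *Reactor) Receive(chID byte, src p2p.Peer, msgBytes []byte) {
+if cfg.DynamicConfig.GetEnableP2PIPWhitelist() {
+okIP := cfg.DynamicConfig.GetConsensusIPWhitelist()[src.RemoteIP().String()]
+if !okIP {
+evR.Logger.Error("consensus msg:IP not in whitelist", "IP", src.RemoteIP().String())
+return
+}
+}
+
 msg, err := decodeMsg(msgBytes)
 if err != nil {
 evR.Logger.Error("Error decoding message", "src", src, "chId", chID, "msg", msg, "err", err, "bytes", msgBytes)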
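Review bot: The doc comment above `Receive` still says only that it adds received evidence to the evpool, but the function now returns early for peers outside the consensus IP whitelist. Extend it with a line such as `// When the P2P IP whitelist is enabled, messages from peers whose remote IP is not listed are dropped before decoding.` so the gate is visible to readers of this reactor. The body of `Receive` continues past the end of the hunk.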

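--- a/libs/tendermint/rpc/core/status.go
+++ b/libs/tendermint/rpc/core/status.go
@@ -72,6 +72,8 @@ func Status(ctx *rpctypes.Context) (*ctypes.ResultStatus, error) {
 VotingPower: votingPower,
 },
 }
+result.NodeInfo.ListenAddr = ""
+result.NodeInfo.Other.RPCAddress = ""
 // update Network to the ChainID in state
 result.NodeInfo.Network = env.ConsensusState.GetState().ChainID
 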
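Review bot: `ListenAddr` and `Other.RPCAddress` are blanked for every caller of `Status`, whether or not the IP whitelist is enabled, and nothing in the code says why. Add a comment such as `// do not disclose this node's P2P listen address or RPC address to RPC clients`, and note the response change for operators, since tooling that reads `listen_addr` from /status will now see an empty string. From the hunk `result.NodeInfo` looks like a value copied into the result, so the node's own NodeInfo should be unaffected, but the construction is outside the visible lines and worth confirming.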
