diff --git a/app/config/config.go b/app/config/config.go
index 9bee4bc596..1e28041ef2 100644
--- a/app/config/config.go
+++ b/app/config/config.go
@@ -126,6 +126,9 @@ type OecConfig struct {
 maxSubscriptionClients int
 maxTxLimitPerPeer uint64
+
+ enableP2PIPWhitelist bool
+ consensusIPWhitelist map[string]bool
 }
 const (
@@ -153,6 +156,8 @@ const (
 FlagDynamicGpMaxTxNum = "dynamic-gp-max-tx-num"
 FlagEnableWrappedTx = "enable-wtx"
 FlagSentryAddrs = "p2p.sentry_addrs"
+ FlagEnableP2PIPWhitelist = "p2p.enable_ip_whitelist"
+ FlagConsensusIPWhitelist = "p2p.consensus_ip_whitelist"
 FlagCsTimeoutPropose = "consensus.timeout_propose"
 FlagCsTimeoutProposeDelta = "consensus.timeout_propose_delta"
 FlagCsTimeoutPrevote = "consensus.timeout_prevote"
@@ -260,6 +265,7 @@ func defaultOecConfig() *OecConfig {
 mempoolForceRecheckGap: 2000,
 commitGapHeight: iavlconfig.DefaultCommitGapHeight,
 iavlFSCacheSize: tmiavl.DefaultIavlFastStorageCacheSize,
+ consensusIPWhitelist: map[string]bool{},
 }
 }
@@ -316,6 +322,9 @@ func (c *OecConfig) loadFromConfig() {
 c.SetGcInterval(viper.GetInt(FlagDebugGcInterval))
 c.SetIavlAcNoBatch(viper.GetBool(tmiavl.FlagIavlCommitAsyncNoBatch))
 c.SetMaxSubscriptionClients(viper.GetInt(FlagMaxSubscriptionClients))
+
+ c.SetEnableP2PIPWhitelist(viper.GetBool(FlagEnableP2PIPWhitelist))
+ c.SetConsensusIPWhitelist(viper.GetString(FlagConsensusIPWhitelist))
 }
 func resolveNodeKeyWhitelist(plain string) []string {
@@ -680,6 +689,14 @@ func (c *OecConfig) updateFromKVStr(k, v string) {
 return
 }
 c.SetMaxSubscriptionClients(r)
+ case FlagEnableP2PIPWhitelist:
+ r, err := strconv.ParseBool(v)
+ if err != nil {
+ return
+ }
+ c.SetEnableP2PIPWhitelist(r)
+ case FlagConsensusIPWhitelist:
+ c.SetConsensusIPWhitelist(v)
 }
 }
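Review bot: In the `loadFromConfig` hunk the switch and the list are loaded independently, so `p2p.enable_ip_whitelist=true` with an empty `p2p.consensus_ip_whitelist` is accepted silently; going by the reactor hunks in this commit, a node in that state drops every consensus, evidence and block-response message. A comment on the two added lines should state that fail-closed behaviour, e.g. `// whitelist enabled + empty list => all consensus/evidence/block-response messages are dropped`. A startup warning when the flag is on and the parsed set is empty would also make the misconfiguration visible. The function body starts outside the hunk.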
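Review bot: In the `updateFromKVStr` hunk a value for `p2p.enable_ip_whitelist` that `strconv.ParseBool` rejects is discarded with a bare `return`, so a mistyped attempt to turn the filter on leaves it off with no trace. That matches the neighbouring case visible just above it, but for a security toggle the rejected key and value should at least be logged before returning, using whatever logger this file already has (none is visible in the hunk). The `FlagConsensusIPWhitelist` case likewise applies `v` without validation. The function starts outside the hunk.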
@@ -1119,3 +1136,23 @@ func (c *OecConfig) SetMaxTxLimitPerPeer(maxTxLimitPerPeer int64) {
 func (c *OecConfig) GetMaxTxLimitPerPeer() uint64 {
 return c.maxTxLimitPerPeer
 }
+
+func (c *OecConfig) GetEnableP2PIPWhitelist() bool {
+ return c.enableP2PIPWhitelist
+}
+
+func (c *OecConfig) GetConsensusIPWhitelist() map[string]bool {
+ return c.consensusIPWhitelist
+}
+
+func (c *OecConfig) SetEnableP2PIPWhitelist(value bool) {
+ c.enableP2PIPWhitelist = value
+}
+
+func (c *OecConfig) SetConsensusIPWhitelist(value string) {
+ c.consensusIPWhitelist = map[string]bool{}
+ ipList := resolveNodeKeyWhitelist(value)
+ for _, ip := range ipList {
+ c.consensusIPWhitelist[strings.TrimSpace(ip)] = true
+ }
+}
diff --git a/libs/tendermint/blockchain/v0/reactor.go b/libs/tendermint/blockchain/v0/reactor.go
index d0b8914531..b8487ca7f5 100644
--- a/libs/tendermint/blockchain/v0/reactor.go
+++ b/libs/tendermint/blockchain/v0/reactor.go
@@ -3,6 +3,7 @@ package v0
 import (
 "errors"
 "fmt"
+ cfg "github.com/okex/exchain/libs/tendermint/config"
 "reflect"
 "sync"
 "time"
@@ -221,6 +222,13 @@ func (bcR *BlockchainReactor) Receive(chID byte, src p2p.Peer, msgBytes []byte)
 case *bcBlockRequestMessage:
 bcR.respondToPeer(msg, src)
 case *bcBlockResponseMessage:
+ if cfg.DynamicConfig.GetEnableP2PIPWhitelist() {
+ okIP := cfg.DynamicConfig.GetConsensusIPWhitelist()[src.RemoteIP().String()]
+ if !okIP {
+ bcR.Logger.Error("consensus msg:IP not in whitelist", "IP", src.RemoteIP().String())
+ return
+ }
+ }
 bcR.Logger.Info("AddBlock.", "Height", msg.Block.Height, "Peer", src.ID())
 bcR.pool.AddBlock(src.ID(), msg, len(msgBytes))
 case *bcStatusRequestMessage:
diff --git a/libs/tendermint/config/dynamic_config_okchain.go b/libs/tendermint/config/dynamic_config_okchain.go
index 58687743bb..adf8df22b1 100644
--- a/libs/tendermint/config/dynamic_config_okchain.go
+++ b/libs/tendermint/config/dynamic_config_okchain.go
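Review bot: `SetConsensusIPWhitelist` assigns an empty map to `c.consensusIPWhitelist` and then fills it in place, while `GetConsensusIPWhitelist` hands that same map to the reactors' `Receive` paths; if the setter can run after startup (the `updateFromKVStr` case suggests it can), readers see a temporarily empty whitelist and Go may abort the process on a concurrent map read and write. Entries are also stored as trimmed raw strings but looked up with `src.RemoteIP().String()`, so anything not in that canonical form (a non-canonical IPv6 spelling, an address with a port, a hostname) never matches and is never reported. Build the set in a local variable, keep only values `net.ParseIP` accepts keyed by `ip.String()`, and publish it with one assignment. The field access itself should additionally go through whatever synchronisation OecConfig uses for its other dynamic fields, which is not visible here. `net` would need to be imported if it is not already.

```go
func (c *OecConfig) SetConsensusIPWhitelist(value string) {
	// Build the new set off to the side so readers never observe a half-filled map.
	whitelist := make(map[string]bool)
	for _, entry := range resolveNodeKeyWhitelist(value) {
		ip := net.ParseIP(strings.TrimSpace(entry))
		if ip == nil {
			// Not a literal IP address: skip it (and ideally log it) instead of
			// storing a key that can never match a peer.
			continue
		}
		// Same canonical form the reactors look up via src.RemoteIP().String().
		whitelist[ip.String()] = true
	}
	c.consensusIPWhitelist = whitelist
}
```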
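Review bot: The whitelist check added to `BlockchainReactor.Receive` logs at Error level for every rejected message and leaves the peer connected, so a non-whitelisted peer controls how fast this node's error log grows; the identical block is pasted into `consensus/reactor.go` and `evidence/reactor.go`. Here it also runs only for `*bcBlockResponseMessage`, apparently after decoding since it sits inside the type switch on `msg`, and the text `consensus msg:IP not in whitelist` is misleading in the block-sync reactor. Consider one shared helper, for instance `func peerIPAllowed(src p2p.Peer) bool`, called from all three reactors, with the rejection logged at Debug or rate-limited and the reactor named in the message. `Receive` starts and ends outside the hunk.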
@@ -35,6 +35,8 @@ type IDynamicConfig interface {
 GetDynamicGpMaxGasUsed() int64
 GetMaxSubscriptionClients() int
 GetMaxTxLimitPerPeer() uint64
+ GetEnableP2PIPWhitelist() bool
+ GetConsensusIPWhitelist() map[string]bool
 }
 var DynamicConfig IDynamicConfig = MockDynamicConfig{}
@@ -203,3 +205,9 @@ func (d *MockDynamicConfig) SetMaxSubscriptionClients(value int) {
 func (c MockDynamicConfig) GetMaxTxLimitPerPeer() uint64 {
 return DefaultMempoolConfig().MaxTxLimitPerPeer
 }
+
+func (c MockDynamicConfig) GetEnableP2PIPWhitelist() bool { return false }
+
+func (c MockDynamicConfig) GetConsensusIPWhitelist() map[string]bool {
+ return map[string]bool{}
+}
diff --git a/libs/tendermint/consensus/reactor.go b/libs/tendermint/consensus/reactor.go
index 7cac3075f4..0f97f87b73 100644
--- a/libs/tendermint/consensus/reactor.go
+++ b/libs/tendermint/consensus/reactor.go
@@ -3,6 +3,7 @@ package consensus
 import (
 "bytes"
 "fmt"
+ cfg "github.com/okex/exchain/libs/tendermint/config"
 "github.com/okex/exchain/libs/tendermint/crypto"
 "github.com/okex/exchain/libs/tendermint/libs/automation"
 "reflect"
@@ -343,6 +344,14 @@ func (conR *Reactor) Receive(chID byte, src p2p.Peer, msgBytes []byte) {
 return
 }
+ if cfg.DynamicConfig.GetEnableP2PIPWhitelist() {
+ okIP := cfg.DynamicConfig.GetConsensusIPWhitelist()[src.RemoteIP().String()]
+ if !okIP {
+ conR.Logger.Error("consensus msg:IP not in whitelist", "IP", src.RemoteIP().String())
+ return
+ }
+ }
+
 msg, err := decodeMsg(msgBytes)
 if err != nil {
 conR.Logger.Error("Error decoding message", "src", src, "chId", chID, "msg", msg, "err", err, "bytes", msgBytes)
diff --git a/libs/tendermint/evidence/reactor.go b/libs/tendermint/evidence/reactor.go
index a0e7f34b1c..3e7db66057 100644
--- a/libs/tendermint/evidence/reactor.go
+++ b/libs/tendermint/evidence/reactor.go
@@ -2,6 +2,7 @@ package evidence
 import (
 "fmt"
+ cfg "github.com/okex/exchain/libs/tendermint/config"
 "reflect"
 "time"
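Review bot: `GetConsensusIPWhitelist() map[string]bool` exposes the configuration's internal map through `IDynamicConfig`, and neither new method documents its contract. Add doc comments such as `// GetConsensusIPWhitelist returns the set of allowed peer IPs keyed by net.IP.String(); callers must treat it as read-only.` and `// GetEnableP2PIPWhitelist reports whether reactors drop consensus, evidence and block-response messages from peers outside that set.` A narrower method like `IsConsensusIPAllowed(ip string) bool` would keep the map private, at the cost of touching the three call sites.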
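Review bot: The filter added to the consensus `Reactor.Receive` trusts the connection's source address (`src.RemoteIP()`) rather than the peer's node ID, so it identifies a network location, not a validator. Peers reaching this node through NAT, a proxy or sentry nodes (a `p2p.sentry_addrs` flag is visible in config.go) appear under the intermediary's address, and any host sharing a whitelisted address passes. If the p2p layer authenticates `src.ID()`, as Tendermint's secret connection normally does, keying the allow-list on node ID, or requiring both, is the stronger check. At minimum a comment should state `// IP allow-list is defence in depth; peer identity is the node ID`. `Receive` starts before and continues after the hunk.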
@@ -63,6 +64,14 @@ func (evR *Reactor) AddPeer(peer p2p.Peer) {
 // Receive implements Reactor.
 // It adds any received evidence to the evpool.
 func (evR *Reactor) Receive(chID byte, src p2p.Peer, msgBytes []byte) {
+ if cfg.DynamicConfig.GetEnableP2PIPWhitelist() {
+ okIP := cfg.DynamicConfig.GetConsensusIPWhitelist()[src.RemoteIP().String()]
+ if !okIP {
+ evR.Logger.Error("consensus msg:IP not in whitelist", "IP", src.RemoteIP().String())
+ return
+ }
+ }
+
 msg, err := decodeMsg(msgBytes)
 if err != nil {
 evR.Logger.Error("Error decoding message", "src", src, "chId", chID, "msg", msg, "err", err, "bytes", msgBytes)
diff --git a/libs/tendermint/rpc/core/status.go b/libs/tendermint/rpc/core/status.go
index 9a22e31dd5..80f0f305c1 100644
--- a/libs/tendermint/rpc/core/status.go
+++ b/libs/tendermint/rpc/core/status.go
@@ -72,6 +72,8 @@ func Status(ctx *rpctypes.Context) (*ctypes.ResultStatus, error) {
 VotingPower: votingPower,
 },
 }
+ result.NodeInfo.ListenAddr = ""
+ result.NodeInfo.Other.RPCAddress = ""
 // update Network to the ChainID in state
 result.NodeInfo.Network = env.ConsensusState.GetState().ChainID
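Review bot: The two assignments added to `Status` blank `ListenAddr` and `RPCAddress` for every caller with no comment and no switch, so the reason (presumably to avoid disclosing the node's addresses over RPC) is lost and clients that read these fields now get empty strings. Add `// Do not disclose the node's P2P listen address or RPC address to RPC clients.` above them. It is also worth confirming that `result.NodeInfo` is a copy rather than a reference to the live node info, since the construction of `result` starts outside the hunk; if it is shared, these writes would clear the addresses for the node itself.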