From 88f26b4558394e35c66fe3ecf6a2d5cec0ed4d6a Mon Sep 17 00:00:00 2001
From: chengzhinei
Date: Thu, 11 Jul 2024 15:55:15 +0800
Subject: [PATCH] add consensus ip whitelist (#3311)

* add consensus ip whitelist
* hanle fastsync and evidence
* add enableConsensusIPWhitelist
* consensus to p2p
* let status rsp addr empty

---------

Co-authored-by: oker
---
 app/config/config.go | 36 +++++++++++++++++++
 libs/tendermint/blockchain/v0/reactor.go | 8 +++++
 .../config/dynamic_config_okchain.go | 8 +++++
 libs/tendermint/consensus/reactor.go | 14 ++++++--
 libs/tendermint/evidence/reactor.go | 9 +++++
 libs/tendermint/rpc/core/status.go | 2 ++
 6 files changed, 74 insertions(+), 3 deletions(-)

diff --git a/app/config/config.go b/app/config/config.go
index 67f069b012..cfe6832c31 100644
--- a/app/config/config.go
+++ b/app/config/config.go
@@ -137,6 +137,9 @@ type OecConfig struct {
 maxSubscriptionClients int
 maxTxLimitPerPeer uint64
+
+ enableP2PIPWhitelist bool
+ consensusIPWhitelist map[string]bool
 }
 const (
@@ -168,6 +171,8 @@ const (
 FlagDynamicGpMaxTxNum = "dynamic-gp-max-tx-num"
 FlagEnableWrappedTx = "enable-wtx"
 FlagSentryAddrs = "p2p.sentry_addrs"
+ FlagEnableP2PIPWhitelist = "p2p.enable_ip_whitelist"
+ FlagConsensusIPWhitelist = "p2p.consensus_ip_whitelist"
 FlagCsTimeoutPropose = "consensus.timeout_propose"
 FlagCsTimeoutProposeDelta = "consensus.timeout_propose_delta"
 FlagCsTimeoutPrevote = "consensus.timeout_prevote"
@@ -280,6 +285,7 @@ func defaultOecConfig() *OecConfig {
 mempoolForceRecheckGap: 2000,
 commitGapHeight: iavlconfig.DefaultCommitGapHeight,
 iavlFSCacheSize: tmiavl.DefaultIavlFastStorageCacheSize,
+ consensusIPWhitelist: map[string]bool{},
 }
 }
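Review bot: The two OecConfig fields added in the struct hunk carry no comment, so a reader cannot tell from the declaration what keys `consensusIPWhitelist` holds or which reactors honour it, and the pairing of a generically named `enableP2PIPWhitelist` switch with a `consensus`-named list is not explained anywhere. Suggest a field comment such as `// consensusIPWhitelist holds peer IPs, spelled as the reactors look them up via src.RemoteIP().String(), that may deliver consensus, block-response and evidence messages while enableP2PIPWhitelist is set.` and a matching one-line comment on the two Flag constants in the next hunk. The same wording would serve the two IDynamicConfig methods added in libs/tendermint/config/dynamic_config_okchain.go, which are also undocumented.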
@@ -331,6 +337,8 @@ func (c *OecConfig) loadFromConfig() {
 c.SetCommitGapHeight(viper.GetInt64(server.FlagCommitGapHeight))
 c.SetSentryAddrs(viper.GetString(FlagSentryAddrs))
 c.SetNodeKeyWhitelist(viper.GetString(FlagNodeKeyWhitelist))
+ c.SetEnableP2PIPWhitelist(viper.GetBool(FlagEnableP2PIPWhitelist))
+ c.SetConsensusIPWhitelist(viper.GetString(FlagConsensusIPWhitelist))
 c.SetEnableWtx(viper.GetBool(FlagEnableWrappedTx))
 c.SetEnableAnalyzer(viper.GetBool(trace.FlagEnableAnalyzer))
 c.SetDeliverTxsExecuteMode(viper.GetInt(state.FlagDeliverTxsExecMode))
@@ -511,6 +519,14 @@ func (c *OecConfig) updateFromKVStr(k, v string) {
 c.SetPendingPoolBlacklist(v)
 case FlagNodeKeyWhitelist:
 c.SetNodeKeyWhitelist(v)
+ case FlagEnableP2PIPWhitelist:
+ r, err := strconv.ParseBool(v)
+ if err != nil {
+ return
+ }
+ c.SetEnableP2PIPWhitelist(r)
+ case FlagConsensusIPWhitelist:
+ c.SetConsensusIPWhitelist(v)
 case FlagMempoolCheckTxCost:
 r, err := strconv.ParseBool(v)
 if err != nil {
@@ -810,6 +826,14 @@ func (c *OecConfig) GetNodeKeyWhitelist() []string {
 return c.nodeKeyWhitelist
 }
+func (c *OecConfig) GetEnableP2PIPWhitelist() bool {
+ return c.enableP2PIPWhitelist
+}
+
+func (c *OecConfig) GetConsensusIPWhitelist() map[string]bool {
+ return c.consensusIPWhitelist
+}
+
 func (c *OecConfig) GetMempoolCheckTxCost() bool {
 return c.mempoolCheckTxCost
 }
@@ -831,6 +855,18 @@ func (c *OecConfig) SetNodeKeyWhitelist(value string) {
 }
 }
+func (c *OecConfig) SetEnableP2PIPWhitelist(value bool) {
+ c.enableP2PIPWhitelist = value
+}
+
+func (c *OecConfig) SetConsensusIPWhitelist(value string) {
+ c.consensusIPWhitelist = map[string]bool{}
+ ipList := resolveNodeKeyWhitelist(value)
+ for _, ip := range ipList {
+ c.consensusIPWhitelist[strings.TrimSpace(ip)] = true
+ }
+}
+
 func (c *OecConfig) GetSentryAddrs() []string {
 return c.sentryAddrs
 }
diff --git a/libs/tendermint/blockchain/v0/reactor.go b/libs/tendermint/blockchain/v0/reactor.go
index 7c4c438451..2731b54973 100644
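Review bot: In the updateFromKVStr hunk, a runtime update that turns `p2p.enable_ip_whitelist` on while `consensusIPWhitelist` is still empty makes every reactor that consults the list drop all consensus, block-response and evidence messages, so one mis-ordered config push can stall the node until the list arrives. Consider refusing to enable an empty list, `if r && len(c.consensusIPWhitelist) == 0 { return }`, and documenting on the flag that the list must be pushed before the switch; the same ordering applies to loadFromConfig in the previous hunk when the boolean is set without a list. The silent `return` on a parse failure mirrors the existing `FlagMempoolCheckTxCost` case, so I would keep it for consistency. The enclosing `switch` continues outside the hunk.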
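Review bot: `SetConsensusIPWhitelist` publishes the fresh map through `c.consensusIPWhitelist` before the loop fills it, and `GetConsensusIPWhitelist` in the previous hunk hands that same map object to the reactors, so a reactor goroutine doing a lookup while an updateFromKVStr call is mid-loop is a concurrent map read and write, which the Go runtime aborts on. Build the map in a local and assign it once: `m := map[string]bool{}`, fill `m` in the loop, then `c.consensusIPWhitelist = m` (the pointer-sized assignment is still unsynchronized, but readers never hold a map that is being written). Entries are also stored verbatim after `TrimSpace`, while the reactors look up `src.RemoteIP().String()`; normalizing each entry via `net.ParseIP` and storing its `String()` form, and dropping entries that fail to parse, avoids silent mismatches on alternative IPv6 spellings. `resolveNodeKeyWhitelist` is defined outside the hunk, so I cannot see how it splits the value.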
--- a/libs/tendermint/blockchain/v0/reactor.go
+++ b/libs/tendermint/blockchain/v0/reactor.go
@@ -9,6 +9,7 @@ import (
 amino "github.com/tendermint/go-amino"
+ cfg "github.com/okex/exchain/libs/tendermint/config"
 "github.com/okex/exchain/libs/tendermint/libs/log"
 "github.com/okex/exchain/libs/tendermint/p2p"
 sm "github.com/okex/exchain/libs/tendermint/state"
@@ -221,6 +222,13 @@ func (bcR *BlockchainReactor) Receive(chID byte, src p2p.Peer, msgBytes []byte)
 case *bcBlockRequestMessage:
 bcR.respondToPeer(msg, src)
 case *bcBlockResponseMessage:
+ if cfg.DynamicConfig.GetEnableP2PIPWhitelist() {
+ okIP := cfg.DynamicConfig.GetConsensusIPWhitelist()[src.RemoteIP().String()]
+ if !okIP {
+ bcR.Logger.Error("consensus msg:IP not in whitelist", "IP", src.RemoteIP().String())
+ return
+ }
+ }
 bcR.Logger.Info("AddBlock.", "Height", msg.Block.Height, "Peer", src.ID())
 bcR.pool.AddBlock(src.ID(), msg, len(msgBytes))
 case *bcStatusRequestMessage:
diff --git a/libs/tendermint/config/dynamic_config_okchain.go b/libs/tendermint/config/dynamic_config_okchain.go
index d990f8b012..c52081d778 100644
--- a/libs/tendermint/config/dynamic_config_okchain.go
+++ b/libs/tendermint/config/dynamic_config_okchain.go
@@ -41,6 +41,8 @@ type IDynamicConfig interface {
 GetMaxSubscriptionClients() int
 GetPendingPoolBlacklist() string
 GetMaxTxLimitPerPeer() uint64
+ GetEnableP2PIPWhitelist() bool
+ GetConsensusIPWhitelist() map[string]bool
 }
 var DynamicConfig IDynamicConfig = MockDynamicConfig{}
@@ -233,3 +235,9 @@ func (d MockDynamicConfig) GetPendingPoolBlacklist() string {
 func (c MockDynamicConfig) GetMaxTxLimitPerPeer() uint64 {
 return DefaultMempoolConfig().MaxTxLimitPerPeer
 }
+
+func (c MockDynamicConfig) GetEnableP2PIPWhitelist() bool { return false }
+
+func (c MockDynamicConfig) GetConsensusIPWhitelist() map[string]bool {
+ return map[string]bool{}
+}
diff --git a/libs/tendermint/consensus/reactor.go b/libs/tendermint/consensus/reactor.go
index 7cac3075f4..4b11d97b8a 100644
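Review bot: The seven-line whitelist check added under `case *bcBlockResponseMessage:` is duplicated verbatim in the consensus Reactor.Receive hunk and the evidence Reactor.Receive hunk, and all three log `consensus msg:IP not in whitelist` even though here the rejected message is a block response and in the evidence reactor an evidence message. Factoring it into one helper next to `DynamicConfig`, e.g. `func PeerIPAllowed(ip string) bool` that wraps the enable check and the lookup, keeps the three call sites in step and lets each log line name its own reactor. Logging at Error level for every dropped message also lets any non-whitelisted peer fill the log at its own sending rate, since the peer stays connected and keeps sending; log once per peer (or at Debug), or disconnect the peer instead of filtering per message. The `Receive` switch continues outside the hunk.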
--- a/libs/tendermint/consensus/reactor.go
+++ b/libs/tendermint/consensus/reactor.go
@@ -3,17 +3,17 @@ package consensus
 import (
 "bytes"
 "fmt"
- "github.com/okex/exchain/libs/tendermint/crypto"
- "github.com/okex/exchain/libs/tendermint/libs/automation"
 "reflect"
 "sync"
 "time"
 "github.com/pkg/errors"
- amino "github.com/tendermint/go-amino"
+ cfg "github.com/okex/exchain/libs/tendermint/config"
 cstypes "github.com/okex/exchain/libs/tendermint/consensus/types"
+ "github.com/okex/exchain/libs/tendermint/crypto"
+ "github.com/okex/exchain/libs/tendermint/libs/automation"
 "github.com/okex/exchain/libs/tendermint/libs/bits"
 tmevents "github.com/okex/exchain/libs/tendermint/libs/events"
 "github.com/okex/exchain/libs/tendermint/libs/log"
@@ -343,6 +343,14 @@ func (conR *Reactor) Receive(chID byte, src p2p.Peer, msgBytes []byte) {
 return
 }
+ if cfg.DynamicConfig.GetEnableP2PIPWhitelist() {
+ okIP := cfg.DynamicConfig.GetConsensusIPWhitelist()[src.RemoteIP().String()]
+ if !okIP {
+ conR.Logger.Error("consensus msg:IP not in whitelist", "IP", src.RemoteIP().String())
+ return
+ }
+ }
+
 msg, err := decodeMsg(msgBytes)
 if err != nil {
 conR.Logger.Error("Error decoding message", "src", src, "chId", chID, "msg", msg, "err", err, "bytes", msgBytes)
diff --git a/libs/tendermint/evidence/reactor.go b/libs/tendermint/evidence/reactor.go
index a0e7f34b1c..a48fd6f8c6 100644
--- a/libs/tendermint/evidence/reactor.go
+++ b/libs/tendermint/evidence/reactor.go
@@ -7,6 +7,7 @@ import (
 amino "github.com/tendermint/go-amino"
+ cfg "github.com/okex/exchain/libs/tendermint/config"
 clist "github.com/okex/exchain/libs/tendermint/libs/clist"
 "github.com/okex/exchain/libs/tendermint/libs/log"
 "github.com/okex/exchain/libs/tendermint/p2p"
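Review bot: The check in the consensus Reactor.Receive hunk runs on every incoming consensus message, calling `GetConsensusIPWhitelist()` and `src.RemoteIP().String()` (the latter twice on the reject path) each time, which puts map-lookup and string-formatting work on a hot path. A peer's remote IP does not change for the life of its connection, so evaluating the decision once in `AddPeer` and keeping the result per peer, or refusing the peer there, would reduce the per-message cost to a field read; if the list is expected to change at runtime via updateFromKVStr, either re-evaluate on update or document that a change only affects connections made afterwards. Where a per-message check is kept, hoist `ip := src.RemoteIP().String()` above the lookup so the log line reuses it. The rest of `Receive` is outside the hunk.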
@@ -63,6 +64,14 @@ func (evR *Reactor) AddPeer(peer p2p.Peer) {
 // Receive implements Reactor.
 // It adds any received evidence to the evpool.
 func (evR *Reactor) Receive(chID byte, src p2p.Peer, msgBytes []byte) {
+ if cfg.DynamicConfig.GetEnableP2PIPWhitelist() {
+ okIP := cfg.DynamicConfig.GetConsensusIPWhitelist()[src.RemoteIP().String()]
+ if !okIP {
+ evR.Logger.Error("consensus msg:IP not in whitelist", "IP", src.RemoteIP().String())
+ return
+ }
+ }
+
 msg, err := decodeMsg(msgBytes)
 if err != nil {
 evR.Logger.Error("Error decoding message", "src", src, "chId", chID, "msg", msg, "err", err, "bytes", msgBytes)
diff --git a/libs/tendermint/rpc/core/status.go b/libs/tendermint/rpc/core/status.go
index 9a22e31dd5..80f0f305c1 100644
--- a/libs/tendermint/rpc/core/status.go
+++ b/libs/tendermint/rpc/core/status.go
@@ -72,6 +72,8 @@ func Status(ctx *rpctypes.Context) (*ctypes.ResultStatus, error) {
 VotingPower: votingPower,
 },
 }
+ result.NodeInfo.ListenAddr = ""
+ result.NodeInfo.Other.RPCAddress = ""
 // update Network to the ChainID in state
 result.NodeInfo.Network = env.ConsensusState.GetState().ChainID
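Review bot: The two assignments clearing `result.NodeInfo.ListenAddr` and `result.NodeInfo.Other.RPCAddress` in the status.go hunk have no comment, so the next reader will take them for a bug rather than an intentional reduction of what the public status endpoint discloses about the node (the commit message only says "let status rsp addr empty"). A comment such as `// Do not expose this node's P2P listen address or RPC address in the status response.` above the first assignment would fix that. This presumably relies on `result.NodeInfo` being a copy rather than the transport's live NodeInfo, which is worth confirming since the construction of `result` is outside the hunk.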