TCPServer: use /64 prefix to ban IPv6 peers

This commit is contained in:
SChernykh 2023-04-27 10:28:32 +02:00
parent 754eb78a05
commit c94b627808
6 changed files with 31 additions and 18 deletions

View file

@ -591,7 +591,7 @@ void P2PServer::load_peer_list()
p.m_numFailedConnections = 0; p.m_numFailedConnections = 0;
p.m_lastSeen = seconds_since_epoch(); p.m_lastSeen = seconds_since_epoch();
if (!already_added && !is_banned(p.m_addr)) { if (!already_added && !is_banned(p.m_isV6, p.m_addr)) {
m_peerList.push_back(p); m_peerList.push_back(p);
} }
}); });
@ -661,7 +661,7 @@ void P2PServer::load_monerod_peer_list()
p.m_port = port; p.m_port = port;
p.m_numFailedConnections = 0; p.m_numFailedConnections = 0;
if (!is_banned(p.m_addr)) { if (!is_banned(p.m_isV6, p.m_addr)) {
m_peerListMonero.push_back(p); m_peerListMonero.push_back(p);
} }
} }
@ -694,7 +694,7 @@ void P2PServer::update_peer_in_list(bool is_v6, const raw_ip& ip, int port)
} }
} }
if (!is_banned(ip)) { if (!is_banned(is_v6, ip)) {
m_peerList.emplace_back(Peer{ is_v6, ip, port, 0, cur_time }); m_peerList.emplace_back(Peer{ is_v6, ip, port, 0, cur_time });
} }
} }
@ -2237,7 +2237,7 @@ void P2PServer::P2PClient::on_peer_list_response(const uint8_t* buf)
} }
} }
if (!already_added && !server->is_banned(ip)) { if (!already_added && !server->is_banned(is_v6, ip)) {
server->m_peerList.emplace_back(Peer{ is_v6, ip, port, 0, cur_time }); server->m_peerList.emplace_back(Peer{ is_v6, ip, port, 0, cur_time });
} }
} }
@ -2306,11 +2306,12 @@ bool P2PServer::P2PClient::handle_incoming_block_async(const PoolBlock* block, u
P2PClient* client; P2PClient* client;
P2PServer* server; P2PServer* server;
uint32_t client_reset_counter; uint32_t client_reset_counter;
bool client_isV6;
raw_ip client_ip; raw_ip client_ip;
std::vector<hash> missing_blocks; std::vector<hash> missing_blocks;
}; };
Work* work = new Work{ {}, *block, this, server, m_resetCounter.load(), m_addr, {} }; Work* work = new Work{ {}, *block, this, server, m_resetCounter.load(), m_isV6, m_addr, {} };
work->req.data = work; work->req.data = work;
const int err = uv_queue_work(&server->m_loop, &work->req, const int err = uv_queue_work(&server->m_loop, &work->req,
@ -2318,7 +2319,7 @@ bool P2PServer::P2PClient::handle_incoming_block_async(const PoolBlock* block, u
{ {
BACKGROUND_JOB_START(P2PServer::handle_incoming_block_async); BACKGROUND_JOB_START(P2PServer::handle_incoming_block_async);
Work* work = reinterpret_cast<Work*>(req->data); Work* work = reinterpret_cast<Work*>(req->data);
work->client->handle_incoming_block(work->server->m_pool, work->block, work->client_reset_counter, work->client_ip, work->missing_blocks); work->client->handle_incoming_block(work->server->m_pool, work->block, work->client_reset_counter, work->client_isV6, work->client_ip, work->missing_blocks);
}, },
[](uv_work_t* req, int /*status*/) [](uv_work_t* req, int /*status*/)
{ {
@ -2337,7 +2338,7 @@ bool P2PServer::P2PClient::handle_incoming_block_async(const PoolBlock* block, u
return true; return true;
} }
void P2PServer::P2PClient::handle_incoming_block(p2pool* pool, PoolBlock& block, const uint32_t reset_counter, const raw_ip& addr, std::vector<hash>& missing_blocks) void P2PServer::P2PClient::handle_incoming_block(p2pool* pool, PoolBlock& block, const uint32_t reset_counter, bool is_v6, const raw_ip& addr, std::vector<hash>& missing_blocks)
{ {
if (!pool->side_chain().add_external_block(block, missing_blocks)) { if (!pool->side_chain().add_external_block(block, missing_blocks)) {
// Client sent bad data, disconnect and ban it // Client sent bad data, disconnect and ban it
@ -2351,7 +2352,7 @@ void P2PServer::P2PClient::handle_incoming_block(p2pool* pool, PoolBlock& block,
} }
P2PServer* server = pool->p2p_server(); P2PServer* server = pool->p2p_server();
server->ban(addr, DEFAULT_BAN_TIME); server->ban(is_v6, addr, DEFAULT_BAN_TIME);
server->remove_peer_from_list(addr); server->remove_peer_from_list(addr);
} }
} }

View file

@ -111,7 +111,7 @@ public:
void on_peer_list_response(const uint8_t* buf); void on_peer_list_response(const uint8_t* buf);
bool handle_incoming_block_async(const PoolBlock* block, uint64_t max_time_delta = 0); bool handle_incoming_block_async(const PoolBlock* block, uint64_t max_time_delta = 0);
void handle_incoming_block(p2pool* pool, PoolBlock& block, const uint32_t reset_counter, const raw_ip& addr, std::vector<hash>& missing_blocks); void handle_incoming_block(p2pool* pool, PoolBlock& block, const uint32_t reset_counter, bool is_v6, const raw_ip& addr, std::vector<hash>& missing_blocks);
void post_handle_incoming_block(const uint32_t reset_counter, std::vector<hash>& missing_blocks); void post_handle_incoming_block(const uint32_t reset_counter, std::vector<hash>& missing_blocks);
bool is_good() const { return m_handshakeComplete && !m_handshakeInvalid && (m_listenPort >= 0); } bool is_good() const { return m_handshakeComplete && !m_handshakeInvalid && (m_listenPort >= 0); }

View file

@ -410,6 +410,7 @@ bool StratumServer::on_submit(StratumClient* client, uint32_t id, const char* jo
share->m_req.data = share; share->m_req.data = share;
share->m_server = this; share->m_server = this;
share->m_client = client; share->m_client = client;
share->m_clientIPv6 = client->m_isV6;
share->m_clientAddr = client->m_addr; share->m_clientAddr = client->m_addr;
share->m_clientResetCounter = client->m_resetCounter.load(); share->m_clientResetCounter = client->m_resetCounter.load();
share->m_rpcId = client->m_rpcId; share->m_rpcId = client->m_rpcId;
@ -843,7 +844,7 @@ void StratumServer::on_share_found(uv_work_t* req)
SubmittedShare* share = reinterpret_cast<SubmittedShare*>(req->data); SubmittedShare* share = reinterpret_cast<SubmittedShare*>(req->data);
StratumServer* server = share->m_server; StratumServer* server = share->m_server;
if (server->is_banned(share->m_clientAddr)) { if (server->is_banned(share->m_clientIPv6, share->m_clientAddr)) {
share->m_highEnoughDifficulty = false; share->m_highEnoughDifficulty = false;
share->m_result = SubmittedShare::Result::BANNED; share->m_result = SubmittedShare::Result::BANNED;
return; return;
@ -1019,7 +1020,7 @@ void StratumServer::on_after_share_found(uv_work_t* req, int /*status*/)
} }
} }
else if (bad_share) { else if (bad_share) {
server->ban(share->m_clientAddr, DEFAULT_BAN_TIME); server->ban(share->m_clientIPv6, share->m_clientAddr, DEFAULT_BAN_TIME);
} }
} }

View file

@ -142,6 +142,7 @@ private:
uv_work_t m_req; uv_work_t m_req;
StratumServer* m_server; StratumServer* m_server;
StratumClient* m_client; StratumClient* m_client;
bool m_clientIPv6;
raw_ip m_clientAddr; raw_ip m_clientAddr;
uint32_t m_clientResetCounter; uint32_t m_clientResetCounter;
uint32_t m_rpcId; uint32_t m_rpcId;

View file

@ -300,12 +300,17 @@ bool TCPServer::connect_to_peer(bool is_v6, const raw_ip& ip, int port)
return connect_to_peer(client); return connect_to_peer(client);
} }
bool TCPServer::is_banned(const raw_ip& ip) bool TCPServer::is_banned(bool is_v6, raw_ip ip)
{ {
if (ip.is_localhost()) { if (ip.is_localhost()) {
return false; return false;
} }
// If it's IPv6, check the whole /64 prefix
if (is_v6 && !ip.is_ipv4_prefix()) {
memset(ip.data + 8, 0, sizeof(ip.data) - 8);
}
const auto cur_time = std::chrono::steady_clock::now(); const auto cur_time = std::chrono::steady_clock::now();
MutexLock lock(m_bansLock); MutexLock lock(m_bansLock);
@ -324,7 +329,7 @@ bool TCPServer::is_banned(const raw_ip& ip)
bool TCPServer::connect_to_peer(Client* client) bool TCPServer::connect_to_peer(Client* client)
{ {
if (is_banned(client->m_addr)) { if (is_banned(client->m_isV6, client->m_addr)) {
LOGINFO(5, "peer " << log::Gray() << static_cast<char*>(client->m_addrString) << log::NoColor() << " is banned, not connecting to it"); LOGINFO(5, "peer " << log::Gray() << static_cast<char*>(client->m_addrString) << log::NoColor() << " is banned, not connecting to it");
return_client(client); return_client(client);
return false; return false;
@ -482,12 +487,17 @@ void TCPServer::print_status()
); );
} }
void TCPServer::ban(const raw_ip& ip, uint64_t seconds) void TCPServer::ban(bool is_v6, raw_ip ip, uint64_t seconds)
{ {
if (ip.is_localhost()) { if (ip.is_localhost()) {
return; return;
} }
// If it's IPv6, ban the whole /64 prefix
if (is_v6 && !ip.is_ipv4_prefix()) {
memset(ip.data + 8, 0, sizeof(ip.data) - 8);
}
const auto ban_time = std::chrono::steady_clock::now() + std::chrono::seconds(seconds); const auto ban_time = std::chrono::steady_clock::now() + std::chrono::seconds(seconds);
MutexLock lock(m_bansLock); MutexLock lock(m_bansLock);
@ -772,7 +782,7 @@ void TCPServer::on_new_client(uv_stream_t* server, Client* client)
LOGINFO(5, "new connection " << (client->m_isIncoming ? "from " : "to ") << log::Gray() << static_cast<char*>(client->m_addrString)); LOGINFO(5, "new connection " << (client->m_isIncoming ? "from " : "to ") << log::Gray() << static_cast<char*>(client->m_addrString));
if (is_banned(client->m_addr)) { if (is_banned(client->m_isV6, client->m_addr)) {
LOGINFO(5, "peer " << log::Gray() << static_cast<char*>(client->m_addrString) << log::NoColor() << " is banned, disconnecting"); LOGINFO(5, "peer " << log::Gray() << static_cast<char*>(client->m_addrString) << log::NoColor() << " is banned, disconnecting");
client->close(); client->close();
return; return;
@ -1209,7 +1219,7 @@ void TCPServer::Client::ban(uint64_t seconds)
if (m_owner) { if (m_owner) {
LOGWARN(3, "peer " << static_cast<char*>(m_addrString) << " banned for " << seconds << " seconds"); LOGWARN(3, "peer " << static_cast<char*>(m_addrString) << " banned for " << seconds << " seconds");
m_owner->ban(m_addr, seconds); m_owner->ban(m_isV6, m_addr, seconds);
} }
} }

View file

@ -44,7 +44,7 @@ public:
bool connect_to_peer(bool is_v6, const raw_ip& ip, int port); bool connect_to_peer(bool is_v6, const raw_ip& ip, int port);
virtual void on_connect_failed(bool /*is_v6*/, const raw_ip& /*ip*/, int /*port*/) {} virtual void on_connect_failed(bool /*is_v6*/, const raw_ip& /*ip*/, int /*port*/) {}
void ban(const raw_ip& ip, uint64_t seconds); void ban(bool is_v6, raw_ip ip, uint64_t seconds);
virtual void print_bans(); virtual void print_bans();
struct Client struct Client
@ -188,7 +188,7 @@ protected:
uv_mutex_t m_bansLock; uv_mutex_t m_bansLock;
unordered_map<raw_ip, std::chrono::steady_clock::time_point> m_bans; unordered_map<raw_ip, std::chrono::steady_clock::time_point> m_bans;
bool is_banned(const raw_ip& ip); bool is_banned(bool is_v6, raw_ip ip);
unordered_set<raw_ip> m_pendingConnections; unordered_set<raw_ip> m_pendingConnections;