Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Subnet-Based Peer Permissions #7168

Merged
merged 30 commits into from
Jun 13, 2024
Merged

Subnet-Based Peer Permissions #7168

merged 30 commits into from
Jun 13, 2024

Conversation

Gabriel-Trintinalia
Copy link
Contributor

@Gabriel-Trintinalia Gabriel-Trintinalia commented Jun 4, 2024
edited
Loading

PR description

This pull request introduces a new feature for managing peer permissions based on IP subnet configurations in the networking layer. The core addition is the PeerPermissionSubnet class, which extends the existing PeerPermissions class to allow for the specification of allowed IP subnets. Peers whose IP addresses fall within these allowed subnets are granted access, enhancing the network's security by ensuring that only peers from specific, trusted IP ranges can interact with the node.

Fixed Issue(s)

Fixes #6620

Key Changes:

  • PeerPermissionSubnet Class: This class implements logic to control access based on IP subnet configurations. It applies restrictions to all peer actions, including but not limited to, sending and receiving messages in both the discovery protocol and the RLPx transport layer. If no subnets are specified, the default behaviour permits all peers.

  • CLI Configuration: The introduction of the --net-restrict CLI option allows network administrators to specify allowed IP subnets directly through the CLI. This option accepts a comma-separated list of subnet specifications (e.g., --net-restrict=192.168.1.0/24,10.0.0.0/8), converting them into SubnetInfo objects using the SubnetInfoConverter. If this option is not utilised, no subnet-based peer permission restrictions will be applied, allowing the network to operate without these specific constraints.

@Gabriel-Trintinalia
Initial implementation of net restrict
1e2cb65 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Refactoring and tests
991fc41 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Simplify code
bce4085 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Merge branch 'hyperledger:main' into 6620-enable-IP-filtering
5a180dc
@Gabriel-Trintinalia
Merge branch 'main' into 6620-enable-IP-filtering
eb18207
@Gabriel-Trintinalia
Remove manual parsing of rule filter
d9b6073 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Refactor to fail at startup instead of runtime
6971290 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Remove redundant utility class
3462116 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Merge branch 'main' into 6620-enable-IP-filtering
0063584
@Gabriel-Trintinalia
Fix javadoc
2adb525 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Refactor to control the peer connection in the permission level
cabf377 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Change javadoc
9bcfdfd 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Merge branch 'main' into 6620-enable-IP-filtering
d849575
@Gabriel-Trintinalia
Change javadoc
6fb5be0 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Merge branch 'main' into 6620-enable-IP-filtering
6762e3c
@Gabriel-Trintinalia
Merge branch 'main' into 6620-enable-IP-filtering
9c7de7d
@Gabriel-Trintinalia
Change version to versions gradle
7a7bc30 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia Gabriel-Trintinalia changed the title 6620 enable ip filtering Subnet-Based Peer Permissions with Optional CLI Control Jun 5, 2024
@Gabriel-Trintinalia Gabriel-Trintinalia changed the title Subnet-Based Peer Permissions with Optional CLI Control Subnet-Based Peer Permissions Jun 5, 2024
@Gabriel-Trintinalia Gabriel-Trintinalia added the doc-change-required Indicates an issue or PR that requires doc to be updated label Jun 5, 2024
@Gabriel-Trintinalia
Change CHANGELOG.md
62c690e 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Add tests
2ca8d51 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia Gabriel-Trintinalia marked this pull request as ready for review June 6, 2024 00:11
@Gabriel-Trintinalia
Change log level
c575047 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Simplify code
650537d 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Simplify code
e7314e6 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
PR suggestions
d4119a0 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Merge main into branch
fe82274 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Add dependency
f2c01c7 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Merge branch 'main' into 6620-enable-IP-filtering
30d716d
@Gabriel-Trintinalia
Fix sha256
10c928d 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Merge branch '6620-enable-IP-filtering' of https://github.com/Gabriel…
d994756 
…-Trintinalia/besu into 6620-enable-IP-filtering
@Gabriel-Trintinalia
add extra null check
13edd8d 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia
Merge main into branch
57f4513 
Signed-off-by: Gabriel-Trintinalia <gabriel.trintinalia@consensys.net>
@Gabriel-Trintinalia Gabriel-Trintinalia enabled auto-merge (squash) June 13, 2024 04:18
@Gabriel-Trintinalia Gabriel-Trintinalia merged commit e3e86c7 into hyperledger:main Jun 13, 2024
40 checks passed
@joaniefromtheblock joaniefromtheblock mentioned this pull request Jun 19, 2024
Closed
@joaniefromtheblock joaniefromtheblock removed the doc-change-required Indicates an issue or PR that requires doc to be updated label Jun 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jframe jframe jframe approved these changes

@pinges pinges Awaiting requested review from pinges

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

--netrestrict feature to enable IP filtering for Besu nodes used in key infrastructure
3 participants
@Gabriel-Trintinalia @jframe @joaniefromtheblock