mirror of https://github.com/ethereum/go-ethereum
Merge pull request #3325 from fjl/p2p-netrestrict
Prevent relay of invalid IPs, add --netrestrict
pull/3309/head
commit
d1a95c643e
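--- a/[path not on page]
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright 2016 The go-ethereum Authors
-// This file is part of the go-ethereum library.
-//
-// The go-ethereum library is free software: you can redistribute it and/or modify
-// it under the terms of the GNU Lesser General Public License as published by
-// the Free Software Foundation, either version 3 of the License, or
-// (at your option) any later version.
-//
-// The go-ethereum library is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU Lesser General Public License for more details.
-//
-// You should have received a copy of the GNU Lesser General Public License
-// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
-
-//+build windows
-
-package discv5
-
-import (
-	"net"
-	"os"
-	"syscall"
-)
-
-const _WSAEMSGSIZE = syscall.Errno(10040)
-
-// reports whether err indicates that a UDP packet didn't
-// fit the receive buffer. On Windows, WSARecvFrom returns
-// code WSAEMSGSIZE and no data if this happens.
-func isPacketTooBig(err error) bool {
-	if opErr, ok := err.(*net.OpError); ok {
-		if scErr, ok := opErr.Err.(*os.SyscallError); ok {
-			return scErr.Err == _WSAEMSGSIZE
-		}
-		return opErr.Err == _WSAEMSGSIZE
-	}
-	return false
-}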
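--- /dev/null
+++ b/p2p/netutil/error_test.go
@@ -0,0 +1,73 @@
+// Copyright 2016 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+package netutil
+
+import (
+	"net"
+	"testing"
+	"time"
+)
+
+// This test checks that isPacketTooBig correctly identifies
+// errors that result from receiving a UDP packet larger
+// than the supplied receive buffer.
+func TestIsPacketTooBig(t *testing.T) {
+	listener, err := net.ListenPacket("udp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer listener.Close()
+	sender, err := net.Dial("udp", listener.LocalAddr().String())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer sender.Close()
+
+	sendN := 1800
+	recvN := 300
+	for i := 0; i < 20; i++ {
+		go func() {
+			buf := make([]byte, sendN)
+			for i := range buf {
+				buf[i] = byte(i)
+			}
+			sender.Write(buf)
+		}()
+
+		buf := make([]byte, recvN)
+		listener.SetDeadline(time.Now().Add(1 * time.Second))
+		n, _, err := listener.ReadFrom(buf)
+		if err != nil {
+			if nerr, ok := err.(net.Error); ok && nerr.Timeout() {
+				continue
+			}
+			if !isPacketTooBig(err) {
+				t.Fatalf("unexpected read error: %v", err)
+			}
+			continue
+		}
+		if n != recvN {
+			t.Fatalf("short read: %d, want %d", n, recvN)
+		}
+		for i := range buf {
+			if buf[i] != byte(i) {
+				t.Fatalf("error in pattern")
+				break
+			}
+		}
+	}
+}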
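Review bot: The `break` after `t.Fatalf("error in pattern")` in the pattern-check loop is unreachable, because Fatalf never returns, and `go vet` reports it; dropping the `break` is enough. The 20 sender goroutines are never joined, so once the loop exits `defer sender.Close()` can race a late `sender.Write(buf)`, whose error is discarded anyway; guarding them with a `sync.WaitGroup` and waiting before the deferred Close would make the test deterministic. The `listener.SetDeadline(...)` result is likewise unchecked. `isPacketTooBig` is defined in a file not shown on this page.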
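--- /dev/null
+++ b/p2p/netutil/net.go
@@ -0,0 +1,166 @@
+// Copyright 2016 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+// Package netutil contains extensions to the net package.
+package netutil
+
+import (
+	"errors"
+	"net"
+	"strings"
+)
+
+var lan4, lan6, special4, special6 Netlist
+
+func init() {
+	// Lists from RFC 5735, RFC 5156,
+	// https://www.iana.org/assignments/iana-ipv4-special-registry/
+	lan4.Add("0.0.0.0/8")              // "This" network
+	lan4.Add("10.0.0.0/8")             // Private Use
+	lan4.Add("172.16.0.0/12")          // Private Use
+	lan4.Add("192.168.0.0/16")         // Private Use
+	lan6.Add("fe80::/10")              // Link-Local
+	lan6.Add("fc00::/7")               // Unique-Local
+	special4.Add("192.0.0.0/29")       // IPv4 Service Continuity
+	special4.Add("192.0.0.9/32")       // PCP Anycast
+	special4.Add("192.0.0.170/32")     // NAT64/DNS64 Discovery
+	special4.Add("192.0.0.171/32")     // NAT64/DNS64 Discovery
+	special4.Add("192.0.2.0/24")       // TEST-NET-1
+	special4.Add("192.31.196.0/24")    // AS112
+	special4.Add("192.52.193.0/24")    // AMT
+	special4.Add("192.88.99.0/24")     // 6to4 Relay Anycast
+	special4.Add("192.175.48.0/24")    // AS112
+	special4.Add("198.18.0.0/15")      // Device Benchmark Testing
+	special4.Add("198.51.100.0/24")    // TEST-NET-2
+	special4.Add("203.0.113.0/24")     // TEST-NET-3
+	special4.Add("255.255.255.255/32") // Limited Broadcast
+
+	// http://www.iana.org/assignments/iana-ipv6-special-registry/
+	special6.Add("100::/64")
+	special6.Add("2001::/32")
+	special6.Add("2001:1::1/128")
+	special6.Add("2001:2::/48")
+	special6.Add("2001:3::/32")
+	special6.Add("2001:4:112::/48")
+	special6.Add("2001:5::/32")
+	special6.Add("2001:10::/28")
+	special6.Add("2001:20::/28")
+	special6.Add("2001:db8::/32")
+	special6.Add("2002::/16")
+}
+
+// Netlist is a list of IP networks.
+type Netlist []net.IPNet
+
+// ParseNetlist parses a comma-separated list of CIDR masks.
+// Whitespace and extra commas are ignored.
+func ParseNetlist(s string) (*Netlist, error) {
+	ws := strings.NewReplacer(" ", "", "\n", "", "\t", "")
+	masks := strings.Split(ws.Replace(s), ",")
+	l := make(Netlist, 0)
+	for _, mask := range masks {
+		if mask == "" {
+			continue
+		}
+		_, n, err := net.ParseCIDR(mask)
+		if err != nil {
+			return nil, err
+		}
+		l = append(l, *n)
+	}
+	return &l, nil
+}
+
+// Add parses a CIDR mask and appends it to the list. It panics for invalid masks and is
+// intended to be used for setting up static lists.
+func (l *Netlist) Add(cidr string) {
+	_, n, err := net.ParseCIDR(cidr)
+	if err != nil {
+		panic(err)
+	}
+	*l = append(*l, *n)
+}
+
+// Contains reports whether the given IP is contained in the list.
+func (l *Netlist) Contains(ip net.IP) bool {
+	if l == nil {
+		return false
+	}
+	for _, net := range *l {
+		if net.Contains(ip) {
+			return true
+		}
+	}
+	return false
+}
+
+// IsLAN reports whether an IP is a local network address.
+func IsLAN(ip net.IP) bool {
+	if ip.IsLoopback() {
+		return true
+	}
+	if v4 := ip.To4(); v4 != nil {
+		return lan4.Contains(v4)
+	}
+	return lan6.Contains(ip)
+}
+
+// IsSpecialNetwork reports whether an IP is located in a special-use network range
+// This includes broadcast, multicast and documentation addresses.
+func IsSpecialNetwork(ip net.IP) bool {
+	if ip.IsMulticast() {
+		return true
+	}
+	if v4 := ip.To4(); v4 != nil {
+		return special4.Contains(v4)
+	}
+	return special6.Contains(ip)
+}
+
+var (
+	errInvalid     = errors.New("invalid IP")
+	errUnspecified = errors.New("zero address")
+	errSpecial     = errors.New("special network")
+	errLoopback    = errors.New("loopback address from non-loopback host")
+	errLAN         = errors.New("LAN address from WAN host")
+)
+
+// CheckRelayIP reports whether an IP relayed from the given sender IP
+// is a valid connection target.
+//
+// There are four rules:
+//   - Special network addresses are never valid.
+//   - Loopback addresses are OK if relayed by a loopback host.
+//   - LAN addresses are OK if relayed by a LAN host.
+//   - All other addresses are always acceptable.
+func CheckRelayIP(sender, addr net.IP) error {
+	if len(addr) != net.IPv4len && len(addr) != net.IPv6len {
+		return errInvalid
+	}
+	if addr.IsUnspecified() {
+		return errUnspecified
+	}
+	if IsSpecialNetwork(addr) {
+		return errSpecial
+	}
+	if addr.IsLoopback() && !sender.IsLoopback() {
+		return errLoopback
+	}
+	if IsLAN(addr) && !IsLAN(sender) {
+		return errLAN
+	}
+	return nil
+}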
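Review bot: `lan4` carries no IPv4 link-local entry while `lan6` includes `fe80::/10`, so a relayed 169.254.0.0/16 address from a WAN sender passes CheckRelayIP although the equivalent IPv6 address is refused with errLAN; adding `lan4.Add("169.254.0.0/16") // Link-Local` next to the other RFC 5735 entries in init closes that gap. The same registry also lists 100.64.0.0/10 (shared address space) and 240.0.0.0/4 (reserved), neither of which appears in lan4 or special4. The CheckRelayIP doc comment says "There are four rules", but the body applies five checks, the length and unspecified-address rejections coming first; listing those two keeps the documented contract accurate. In Contains the loop variable `net` shadows the imported package, which compiles but is easy to misread; `for _, n := range *l` avoids it.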
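--- /dev/null
+++ b/p2p/netutil/net_test.go
@@ -0,0 +1,173 @@
+// Copyright 2016 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+package netutil
+
+import (
+	"net"
+	"reflect"
+	"testing"
+
+	"github.com/davecgh/go-spew/spew"
+)
+
+func TestParseNetlist(t *testing.T) {
+	var tests = []struct {
+		input    string
+		wantErr  error
+		wantList *Netlist
+	}{
+		{
+			input:    "",
+			wantList: &Netlist{},
+		},
+		{
+			input:    "127.0.0.0/8",
+			wantErr:  nil,
+			wantList: &Netlist{{IP: net.IP{127, 0, 0, 0}, Mask: net.CIDRMask(8, 32)}},
+		},
+		{
+			input:   "127.0.0.0/44",
+			wantErr: &net.ParseError{Type: "CIDR address", Text: "127.0.0.0/44"},
+		},
+		{
+			input: "127.0.0.0/16, 23.23.23.23/24,",
+			wantList: &Netlist{
+				{IP: net.IP{127, 0, 0, 0}, Mask: net.CIDRMask(16, 32)},
+				{IP: net.IP{23, 23, 23, 0}, Mask: net.CIDRMask(24, 32)},
+			},
+		},
+	}
+
+	for _, test := range tests {
+		l, err := ParseNetlist(test.input)
+		if !reflect.DeepEqual(err, test.wantErr) {
+			t.Errorf("%q: got error %q, want %q", test.input, err, test.wantErr)
+			continue
+		}
+		if !reflect.DeepEqual(l, test.wantList) {
+			spew.Dump(l)
+			spew.Dump(test.wantList)
+			t.Errorf("%q: got %v, want %v", test.input, l, test.wantList)
+		}
+	}
+}
+
+func TestNilNetListContains(t *testing.T) {
+	var list *Netlist
+	checkContains(t, list.Contains, nil, []string{"1.2.3.4"})
+}
+
+func TestIsLAN(t *testing.T) {
+	checkContains(t, IsLAN,
+		[]string{ // included
+			"0.0.0.0",
+			"0.2.0.8",
+			"127.0.0.1",
+			"10.0.1.1",
+			"10.22.0.3",
+			"172.31.252.251",
+			"192.168.1.4",
+			"fe80::f4a1:8eff:fec5:9d9d",
+			"febf::ab32:2233",
+			"fc00::4",
+		},
+		[]string{ // excluded
+			"192.0.2.1",
+			"1.0.0.0",
+			"172.32.0.1",
+			"fec0::2233",
+		},
+	)
+}
+
+func TestIsSpecialNetwork(t *testing.T) {
+	checkContains(t, IsSpecialNetwork,
+		[]string{ // included
+			"192.0.2.1",
+			"192.0.2.44",
+			"2001:db8:85a3:8d3:1319:8a2e:370:7348",
+			"255.255.255.255",
+			"224.0.0.22", // IPv4 multicast
+			"ff05::1:3",  // IPv6 multicast
+		},
+		[]string{ // excluded
+			"192.0.3.1",
+			"1.0.0.0",
+			"172.32.0.1",
+			"fec0::2233",
+		},
+	)
+}
+
+func checkContains(t *testing.T, fn func(net.IP) bool, inc, exc []string) {
+	for _, s := range inc {
+		if !fn(parseIP(s)) {
+			t.Error("returned false for included address", s)
+		}
+	}
+	for _, s := range exc {
+		if fn(parseIP(s)) {
+			t.Error("returned true for excluded address", s)
+		}
+	}
+}
+
+func parseIP(s string) net.IP {
+	ip := net.ParseIP(s)
+	if ip == nil {
+		panic("invalid " + s)
+	}
+	return ip
+}
+
+func TestCheckRelayIP(t *testing.T) {
+	tests := []struct {
+		sender, addr string
+		want         error
+	}{
+		{"127.0.0.1", "0.0.0.0", errUnspecified},
+		{"192.168.0.1", "0.0.0.0", errUnspecified},
+		{"23.55.1.242", "0.0.0.0", errUnspecified},
+		{"127.0.0.1", "255.255.255.255", errSpecial},
+		{"192.168.0.1", "255.255.255.255", errSpecial},
+		{"23.55.1.242", "255.255.255.255", errSpecial},
+		{"192.168.0.1", "127.0.2.19", errLoopback},
+		{"23.55.1.242", "192.168.0.1", errLAN},
+
+		{"127.0.0.1", "127.0.2.19", nil},
+		{"127.0.0.1", "192.168.0.1", nil},
+		{"127.0.0.1", "23.55.1.242", nil},
+		{"192.168.0.1", "192.168.0.1", nil},
+		{"192.168.0.1", "23.55.1.242", nil},
+		{"23.55.1.242", "23.55.1.242", nil},
+	}
+
+	for _, test := range tests {
+		err := CheckRelayIP(parseIP(test.sender), parseIP(test.addr))
+		if err != test.want {
+			t.Errorf("%s from %s: got %q, want %q", test.addr, test.sender, err, test.want)
+		}
+	}
+}
+
+func BenchmarkCheckRelayIP(b *testing.B) {
+	sender := parseIP("23.55.1.242")
+	addr := parseIP("23.55.1.2")
+	for i := 0; i < b.N; i++ {
+		CheckRelayIP(sender, addr)
+	}
+}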
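Review bot: TestCheckRelayIP never exercises the errInvalid branch or any IPv6 address: every addr goes through parseIP, which always yields a 16-byte IP, so the length check at the top of CheckRelayIP is untested, and all table rows are IPv4. A direct assertion such as `if err := CheckRelayIP(parseIP("23.55.1.242"), net.IP{1, 2, 3}); err != errInvalid { t.Errorf("got %v, want errInvalid", err) }` together with a row like `{"23.55.1.242", "fe80::1", errLAN}` would cover both paths. The `spew.Dump` calls in TestParseNetlist write to stdout rather than the test log and pull a third-party import into the test solely for that; `t.Logf("%s", spew.Sdump(l))`, or plain `%+v` in the existing Errorf, keeps the output attached to the failing test.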