22 commits
b7de544
config: Add local dialing behavior on the builder
lexnv Jul 8, 2025
37ded8f
manager: Pass the use private IP option to the manager
lexnv Jul 8, 2025
3efda1d
transport: Dial only global IPs if specified
lexnv Jul 8, 2025
d520463
manager: Skip dialing provided address if not global
lexnv Jul 8, 2025
a13d602
manager/address: Remove unneeded method
lexnv Jul 8, 2025
b2299d8
kad: Apply cargo fmt
lexnv Jul 8, 2025
bef61da
cargo: Use plain version format
lexnv Jul 8, 2025
94ceb62
manager: Add wrapper for IP dialing mode
lexnv Jul 8, 2025
0b007dc
manager: Report errors earlier on ip dialing mode from handlers
lexnv Jul 8, 2025
c75924f
manager: Use the new ip mode
lexnv Jul 8, 2025
7b895ad
manager: Fix ip dialing mode condition and add debug logs
lexnv Jul 8, 2025
5ce55c3
error: Remove unneeded error variant
lexnv Oct 14, 2025
9ee1190
Merge remote-tracking branch 'origin/master' into lexnv/allow-private…
lexnv Oct 14, 2025
c0785e6
manager: Remove addresses_iter fn
lexnv Oct 14, 2025
dc73acc
manager: Deny private IP in DNS resolution
lexnv Oct 14, 2025
95b8b30
manager: Refactor builder to use ip_dialing_mode
lexnv Oct 21, 2025
cea33f0
tcp: Propagate ip dialing mode to tcp
lexnv Oct 21, 2025
9ff3fe8
tcp: Ensure DNS lookups are not dialing forbidden IPs
lexnv Oct 21, 2025
dd44a83
websocket: Introduce IP dialing mode
lexnv Oct 21, 2025
4fc1943
Adjust testing
lexnv Oct 21, 2025
5d35042
Merge remote-tracking branch 'origin/master' into lexnv/allow-private…
lexnv Oct 21, 2025
ed3921e
manager/handle: Remove unneeded check
lexnv Oct 21, 2025
7 changes: 7 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -51,6 +51,7 @@ x509-parser = "0.17.0"
yasna = "0.5.0"
zeroize = "1.8.1"
yamux = "0.13.7"
ip_network = "0.4.1"

# Websocket related dependencies.
tokio-tungstenite = { version = "0.27.0", features = ["rustls-tls-native-roots", "url"], optional = true }
28 changes: 27 additions & 1 deletion src/config.rs
Expand Up @@ -29,7 +29,8 @@ use crate::{
notification, request_response, UserProtocol,
},
transport::{
manager::limits::ConnectionLimitsConfig, tcp::config::Config as TcpConfig,
manager::{limits::ConnectionLimitsConfig, IpDialingMode},
tcp::config::Config as TcpConfig,
KEEP_ALIVE_TIMEOUT, MAX_PARALLEL_DIALS,
},
types::protocol::ProtocolName,
Expand Down Expand Up @@ -125,6 +126,9 @@ pub struct ConfigBuilder {
/// Close the connection if no substreams are open within this time frame.
keep_alive_timeout: Duration,

/// IP dialing mode.
ip_dialing_mode: IpDialingMode,

/// Use system's DNS config.
use_system_dns_config: bool,
}
Expand Down Expand Up @@ -160,6 +164,7 @@ impl ConfigBuilder {
known_addresses: Vec::new(),
connection_limits: ConnectionLimitsConfig::default(),
keep_alive_timeout: KEEP_ALIVE_TIMEOUT,
ip_dialing_mode: IpDialingMode::All,
use_system_dns_config: false,
}
}
Expand Down Expand Up @@ -282,6 +287,23 @@ impl ConfigBuilder {
self
}

/// Set the ip dialing mode.
///
/// When the private IP is enabled, litep2p will attempt to dial local addresses.
/// This is useful for testing or when you want to preserve local connections.
///
/// However, for production use, it is recommended to disable the private IP dialing
/// to avoid unnecessary local traffic. Furthermore, it is not recommended
/// to enable private IP dialing when running a validator in a cloud provider, as this behavior
/// might be misinterpreted by the cloud provider's network policies as port scanning.
///
/// Address allocation for private networks is specified by
/// [RFC1918](https://tools.ietf.org/html/rfc1918)).
pub fn with_ip_dialing_mode(mut self, mode: IpDialingMode) -> Self {
self.ip_dialing_mode = mode;
self
}

/// Set DNS resolver according to system configuration instead of default (Google).
pub fn with_system_resolver(mut self) -> Self {
self.use_system_dns_config = true;
Expand Down Expand Up @@ -317,6 +339,7 @@ impl ConfigBuilder {
known_addresses: self.known_addresses,
connection_limits: self.connection_limits,
keep_alive_timeout: self.keep_alive_timeout,
ip_dialing_mode: self.ip_dialing_mode,
use_system_dns_config: self.use_system_dns_config,
}
}
Expand Down Expand Up @@ -381,6 +404,9 @@ pub struct Litep2pConfig {
/// Close the connection if no substreams are open within this time frame.
pub(crate) keep_alive_timeout: Duration,

/// IP dialing mode.
pub(crate) ip_dialing_mode: IpDialingMode,

/// Use system's DNS config.
pub(crate) use_system_dns_config: bool,
}
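Review bot: The doc comment added on `with_ip_dialing_mode` still reads like the earlier boolean option ("When the private IP is enabled") and never states that `ConfigBuilder::new()` defaults to `IpDialingMode::All`, which, judging by its name, is the permissive setting the same comment advises against for production. I would open it with `/// Defaults to IpDialingMode::All (no address filtering); select a restrictive mode explicitly for production nodes.` and describe each mode by its variant name. The comment cites only RFC 1918, which covers the IPv4 private ranges, so it should also say how loopback, link-local and IPv6 unique-local addresses are treated; that classification is not visible in this section, so confirm it against the `IpDialingMode` implementation. The RFC link also ends in a stray `)`.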
2 changes: 0 additions & 2 deletions src/error.rs
Expand Up @@ -78,8 +78,6 @@ pub enum Error {
Timeout,
#[error("Invalid state transition")]
InvalidState,
#[error("DNS address resolution failed")]
DnsAddressResolutionFailed,
#[error("Transport error: `{0}`")]
TransportError(String),
#[cfg(feature = "quic")]
2 changes: 2 additions & 0 deletions src/lib.rs
Expand Up @@ -176,6 +176,7 @@ impl Litep2p {
bandwidth_sink.clone(),
litep2p_config.max_parallel_dials,
litep2p_config.connection_limits,
litep2p_config.ip_dialing_mode,
);

// add known addresses to `TransportManager`, if any exist
Expand Down Expand Up @@ -642,6 +643,7 @@ mod tests {
.with_notification_protocol(config1)
.with_notification_protocol(config2)
.with_libp2p_ping(ping_config)
.with_ip_dialing_mode(crate::transport::manager::IpDialingMode::All)
.build();

let peer = PeerId::random();
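Review bot: Every test touched on this page passes `IpDialingMode::All` (here in the `mod tests` builder chain, and likewise in identify.rs, kademlia/mod.rs, mdns.rs, notification/tests/mod.rs and request_response/tests.rs), so nothing visible exercises the restrictive mode, which is the path that enforces the policy. A test that builds the manager with the non-`All` mode and asserts that a private or loopback address, and a DNS name resolving to one, is rejected before any dial would pin that behaviour. The transport manager's own tests are not shown on this page, so such a test may already exist. If, as seems likely, these tests dial local addresses, a one-line comment such as `// dials local addresses, so address filtering must stay off` next to the explicit `All` would explain why it must not follow a tightened default.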
1 change: 1 addition & 0 deletions src/protocol/libp2p/identify.rs
Expand Up @@ -474,6 +474,7 @@ mod tests {
..Default::default()
})
.with_libp2p_identify(identify_config)
.with_ip_dialing_mode(crate::transport::manager::IpDialingMode::All)
.build();

(Litep2p::new(config).unwrap(), identify, peer)
3 changes: 2 additions & 1 deletion src/protocol/libp2p/kademlia/mod.rs
Expand Up @@ -1257,7 +1257,7 @@ mod tests {
codec::ProtocolCodec,
crypto::ed25519::Keypair,
transport::{
manager::{limits::ConnectionLimitsConfig, TransportManager},
manager::{limits::ConnectionLimitsConfig, IpDialingMode, TransportManager},
KEEP_ALIVE_TIMEOUT,
},
types::protocol::ProtocolName,
Expand All @@ -1281,6 +1281,7 @@ mod tests {
BandwidthSink::new(),
8usize,
ConnectionLimitsConfig::default(),
IpDialingMode::All,
);

let peer = PeerId::random();
4 changes: 3 additions & 1 deletion src/protocol/mdns.rs
Expand Up @@ -365,7 +365,7 @@ mod tests {
use super::*;
use crate::{
crypto::ed25519::Keypair,
transport::manager::{limits::ConnectionLimitsConfig, TransportManager},
transport::manager::{limits::ConnectionLimitsConfig, IpDialingMode, TransportManager},
BandwidthSink,
};
use futures::StreamExt;
Expand All @@ -384,6 +384,7 @@ mod tests {
BandwidthSink::new(),
8usize,
ConnectionLimitsConfig::default(),
IpDialingMode::All,
);

let mdns1 = Mdns::new(
Expand All @@ -406,6 +407,7 @@ mod tests {
BandwidthSink::new(),
8usize,
ConnectionLimitsConfig::default(),
IpDialingMode::All,
);

let mdns2 = Mdns::new(
3 changes: 2 additions & 1 deletion src/protocol/notification/tests/mod.rs
Expand Up @@ -30,7 +30,7 @@ use crate::{
InnerTransportEvent, ProtocolCommand, TransportService,
},
transport::{
manager::{limits::ConnectionLimitsConfig, TransportManager},
manager::{limits::ConnectionLimitsConfig, IpDialingMode, TransportManager},
KEEP_ALIVE_TIMEOUT,
},
types::protocol::ProtocolName,
Expand All @@ -57,6 +57,7 @@ fn make_notification_protocol() -> (
BandwidthSink::new(),
8usize,
ConnectionLimitsConfig::default(),
IpDialingMode::All,
);

let peer = PeerId::random();
3 changes: 2 additions & 1 deletion src/protocol/request_response/tests.rs
Expand Up @@ -30,7 +30,7 @@ use crate::{
},
substream::Substream,
transport::{
manager::{limits::ConnectionLimitsConfig, TransportManager},
manager::{limits::ConnectionLimitsConfig, IpDialingMode, TransportManager},
KEEP_ALIVE_TIMEOUT,
},
types::{RequestId, SubstreamId},
Expand All @@ -55,6 +55,7 @@ fn protocol() -> (
BandwidthSink::new(),
8usize,
ConnectionLimitsConfig::default(),
IpDialingMode::All,
);

let peer = PeerId::random();