libp2p · acul71 · Oct 24, 2024 · Oct 24, 2024 · Oct 29, 2024 · Oct 30, 2024
@@ -85,6 +85,7 @@
     "test:webkit": "aegir test -t browser -- --browser webkit"
   },
   "dependencies": {
+    "@chainsafe/netmask": "^2.0.0",
     "@libp2p/crypto": "^5.0.6",
     "@libp2p/interface": "^2.2.0",
     "@libp2p/interface-internal": "^2.0.10",

@@ -1,6 +1,8 @@
 import { PeerMap } from '@libp2p/peer-collections'
 import { safelyCloseConnectionIfUnused } from '@libp2p/utils/close'
+import { multiaddrToIpNet } from '@libp2p/utils/multiaddrToIpNet'
 import { MAX_CONNECTIONS } from './constants.js'
+import type { IpNet } from '@chainsafe/netmask'
 import type { Libp2pEvents, Logger, ComponentLogger, TypedEventTarget, PeerStore, Connection } from '@libp2p/interface'
 import type { ConnectionManager } from '@libp2p/interface-internal'
 import type { Multiaddr } from '@multiformats/multiaddr'
@@ -29,13 +31,13 @@ export class ConnectionPruner {
   private readonly maxConnections: number
   private readonly connectionManager: ConnectionManager
   private readonly peerStore: PeerStore
-  private readonly allow: Multiaddr[]
+  private readonly allow: IpNet[]
   private readonly events: TypedEventTarget<Libp2pEvents>
   private readonly log: Logger
 
   constructor (components: ConnectionPrunerComponents, init: ConnectionPrunerInit = {}) {
     this.maxConnections = init.maxConnections ?? defaultOptions.maxConnections
-    this.allow = init.allow ?? defaultOptions.allow
+    this.allow = (init.allow ?? []).map(ma => multiaddrToIpNet(ma))
     this.connectionManager = components.connectionManager
     this.peerStore = components.peerStore
     this.events = components.events
@@ -107,8 +109,8 @@ export class ConnectionPruner {
     for (const connection of sortedConnections) {
       this.log('too many connections open - closing a connection to %p', connection.remotePeer)
       // check allow list
-      const connectionInAllowList = this.allow.some((ma) => {
-        return connection.remoteAddr.toString().startsWith(ma.toString())
+      const connectionInAllowList = this.allow.some((ipNet) => {
+        return ipNet.contains(connection.remoteAddr.nodeAddress().address)
       })
 
       // Connections in the allow list should be excluded from pruning

@@ -1,5 +1,7 @@
+import { type IpNet } from '@chainsafe/netmask'
 import { ConnectionClosedError, InvalidMultiaddrError, InvalidParametersError, InvalidPeerIdError, NotStartedError, start, stop } from '@libp2p/interface'
 import { PeerMap } from '@libp2p/peer-collections'
+import { multiaddrToIpNet } from '@libp2p/utils/multiaddrToIpNet'
 import { RateLimiter } from '@libp2p/utils/rate-limiter'
 import { type Multiaddr, type Resolver, multiaddr } from '@multiformats/multiaddr'
 import { dnsaddrResolver } from '@multiformats/multiaddr/resolvers'
@@ -176,8 +178,8 @@ export interface DefaultConnectionManagerComponents {
 export class DefaultConnectionManager implements ConnectionManager, Startable {
   private started: boolean
   private readonly connections: PeerMap<Connection[]>
-  private readonly allow: Multiaddr[]
-  private readonly deny: Multiaddr[]
+  private readonly allow: IpNet[]
+  private readonly deny: IpNet[]
   private readonly maxIncomingPendingConnections: number
   private incomingPendingConnections: number
   private outboundPendingConnections: number
@@ -216,8 +218,8 @@ export class DefaultConnectionManager implements ConnectionManager, Startable {
     this.onDisconnect = this.onDisconnect.bind(this)
 
     // allow/deny lists
-    this.allow = (init.allow ?? []).map(ma => multiaddr(ma))
-    this.deny = (init.deny ?? []).map(ma => multiaddr(ma))
+    this.allow = init.allow != null ? this.parseIpNetList(init.allow) : []
+    this.deny = init.deny != null ? this.parseIpNetList(init.deny) : []
 
     this.incomingPendingConnections = 0
     this.maxIncomingPendingConnections = init.maxIncomingPendingConnections ?? defaultOptions.maxIncomingPendingConnections
@@ -237,7 +239,7 @@ export class DefaultConnectionManager implements ConnectionManager, Startable {
       logger: components.logger
     }, {
       maxConnections: this.maxConnections,
-      allow: this.allow
+      allow: init.allow != null ? init.allow.map(a => multiaddr(a)) : undefined
     })
 
     this.dialQueue = new DialQueue(components, {
@@ -265,6 +267,16 @@ export class DefaultConnectionManager implements ConnectionManager, Startable {
     })
   }
 
+  /**
+   * Converts a list of string representations of multiaddresses into an array of IpNet objects.
+   *
+   * @param list - An array of strings, each representing a multiaddress.
+   * @returns An array of IpNet objects parsed from the given multiaddress strings.
+   */
+  private parseIpNetList (list: string[]): IpNet[] {
+    return list.map(a => multiaddrToIpNet(a))
+  }
+
   readonly [Symbol.toStringTag] = '@libp2p/connection-manager'
 
   /**
@@ -571,7 +583,7 @@ export class DefaultConnectionManager implements ConnectionManager, Startable {
   async acceptIncomingConnection (maConn: MultiaddrConnection): Promise<boolean> {
     // check deny list
     const denyConnection = this.deny.some(ma => {
-      return maConn.remoteAddr.toString().startsWith(ma.toString())
+      return ma.contains(maConn.remoteAddr.nodeAddress().address)
     })
 
     if (denyConnection) {
@@ -580,8 +592,8 @@ export class DefaultConnectionManager implements ConnectionManager, Startable {
     }
 
     // check allow list
-    const allowConnection = this.allow.some(ma => {
-      return maConn.remoteAddr.toString().startsWith(ma.toString())
+    const allowConnection = this.allow.some(ipNet => {
+      return ipNet.contains(maConn.remoteAddr.nodeAddress().address)
     })
 
     if (allowConnection) {

@@ -219,6 +219,39 @@ describe('connection-pruner', () => {
     expect(shortestLivedWithLowestTagSpy).to.have.property('callCount', 1)
   })
 
+  it('should correctly parse and store allow list as IpNet objects in ConnectionPruner', () => {
+    const mockInit = {
+      allow: [
+        multiaddr('/ip4/83.13.55.32/ipcidr/32'),
+        multiaddr('/ip4/83.13.55.32'),
+        multiaddr('/ip4/192.168.1.1/ipcidr/24')
+      ]
+    }
+
+    // Create a ConnectionPruner instance
+    const pruner = new ConnectionPruner(components, mockInit)
+
+    // Expected IpNet objects for comparison
+    const expectedAllowList = [
+      {
+        mask: new Uint8Array([255, 255, 255, 255]),
+        network: new Uint8Array([83, 13, 55, 32])
+      },
+      {
+        mask: new Uint8Array([255, 255, 255, 255]),
+        network: new Uint8Array([83, 13, 55, 32])
+      },
+      {
+        mask: new Uint8Array([255, 255, 255, 0]),
+        network: new Uint8Array([192, 168, 1, 0])
+      }
+    ]
+
+    // Verify that the allow list in the pruner matches the expected IpNet objects
+    // eslint-disable-next-line @typescript-eslint/dot-notation
+    expect(pruner['allow']).to.deep.equal(expectedAllowList)
+  })
+
   it('should not close connection that is on the allowlist when pruning', async () => {
     const max = 2
     const remoteAddr = multiaddr('/ip4/83.13.55.32/tcp/59283')
@@ -241,6 +274,7 @@ describe('connection-pruner', () => {
     for (let i = 0; i < max; i++) {
       const connection = stubInterface<Connection>({
         remotePeer: peerIdFromPrivateKey(await generateKeyPair('Ed25519')),
+        remoteAddr: multiaddr('/ip4/127.0.0.1/tcp/12345'),
         streams: []
       })
       const spy = connection.close

@@ -33,6 +33,48 @@ describe('Connection Manager', () => {
     await stop(connectionManager, libp2p)
   })
 
+  it('should correctly parse and store allow and deny lists as IpNet objects in ConnectionManager', () => {
+    // Define common IPs and CIDRs for reuse
+    const ipAllowDeny = [
+      '/ip4/83.13.55.32', // Single IP address
+      '/ip4/83.13.55.32/ipcidr/32', // CIDR notation for a single IP
+      '/ip4/192.168.1.1/ipcidr/24' // CIDR notation for a network
+    ]
+
+    // Initialize mock input for the allow and deny lists
+    const mockInit = {
+      allow: [...ipAllowDeny],
+      deny: [...ipAllowDeny]
+    }
+
+    // Create an instance of the DefaultConnectionManager with the mock initialization
+    const connectionManager = new DefaultConnectionManager(components, mockInit)
+
+    // Define the expected IpNet objects that should result from parsing the allow and deny lists
+    const expectedIpNets = [
+      {
+        mask: new Uint8Array([255, 255, 255, 255]), // Netmask for a single IP address
+        network: new Uint8Array([83, 13, 55, 32]) // Network address for '83.13.55.32'
+      },
+      {
+        mask: new Uint8Array([255, 255, 255, 255]), // Netmask for a single IP address
+        network: new Uint8Array([83, 13, 55, 32]) // Network address for '83.13.55.32'
+      },
+      {
+        mask: new Uint8Array([255, 255, 255, 0]), // Netmask for a /24 CIDR block
+        network: new Uint8Array([192, 168, 1, 0]) // Network address for '192.168.1.0'
+      }
+    ]
+
+    // Test that the 'allow' list is correctly parsed and stored as IpNet objects
+    // eslint-disable-next-line @typescript-eslint/dot-notation
+    expect(connectionManager['allow']).to.deep.equal(expectedIpNets)
+
+    // Test that the 'deny' list is correctly parsed and stored as IpNet objects
+    // eslint-disable-next-line @typescript-eslint/dot-notation
+    expect(connectionManager['deny']).to.deep.equal(expectedIpNets)
+  })
+
   it('should fail if the connection manager has mismatched connection limit options', async () => {
     await expect(
       createLibp2p({

@@ -131,6 +131,10 @@
     "./tracked-map": {
       "types": "./dist/src/tracked-map.d.ts",
       "import": "./dist/src/tracked-map.js"
+    },
+    "./multiaddrToIpNet": {
+      "types": "./dist/src/multiaddrToIpNet.d.ts",
+      "import": "./dist/src/multiaddrToIpNet.js"
     }
   },
   "eslintConfig": {
@@ -155,6 +159,7 @@
     "test:electron-main": "aegir test -t electron-main"
   },
   "dependencies": {
+    "@chainsafe/netmask": "^2.0.0",
     "@chainsafe/is-ip": "^2.0.2",
     "@libp2p/crypto": "^5.0.6",
     "@libp2p/interface": "^2.2.0",

@@ -0,0 +1,32 @@
+import { multiaddr } from '@multiformats/multiaddr'
+import { convertToIpNet } from '@multiformats/multiaddr/convert'
+import type { IpNet } from '@chainsafe/netmask'
+import type { Multiaddr } from '@multiformats/multiaddr'
+
+/**
+ * Converts a multiaddr string or object to an IpNet object.
+ * If the multiaddr doesn't include /ipcidr/32, it will encapsulate with /ipcidr/32.
+ *
+ * @param {string | Multiaddr} ma - The multiaddr string or object to convert.
+ * @returns {IpNet} The converted IpNet object.
+ * @throws {Error} Throws an error if the multiaddr is not valid.
+ */
+export function multiaddrToIpNet (ma: string | Multiaddr): IpNet {
+  try {
+    let parsedMa: Multiaddr
+    if (typeof ma === 'string') {
+      parsedMa = multiaddr(ma)
+    } else {
+      parsedMa = ma
+    }
+
+    // Check if /ipcidr is already present, if not encapsulate with /ipcidr/32
+    if (!parsedMa.protoNames().includes('ipcidr')) {
+      parsedMa = parsedMa.encapsulate('/ipcidr/32')
+    }
+
+    return convertToIpNet(parsedMa)
+  } catch (error) {
+    throw new Error(`Can't convert to IpNet, Invalid multiaddr format: ${ma}`)
+  }
+}
@@ -0,0 +1,18 @@
+/* eslint-env mocha */
+
+import { expect } from 'aegir/chai'
+import { multiaddrToIpNet } from '../src/multiaddrToIpNet.js'
+
+describe('multiaddrToIpNet', () => {
+  it('should convert a simple multiaddr to an IpNet', () => {
+    const ma = '/ip4/127.0.0.1'
+    const ipNet = multiaddrToIpNet(ma)
+    expect(ipNet.toString()).to.equal('127.0.0.1/32')
+  })
+
+  it('should convert a multiaddr with a ipcidr to an IpNet', () => {
+    const ma = '/ip4/127.0.0.1/ipcidr/32'
+    const ipNet = multiaddrToIpNet(ma)
+    expect(ipNet.toString()).to.equal('127.0.0.1/32')
+  })
+})