Expose libp2p connection filtering

[jennijuju]

Checklist

• This is not a new feature or an enhancement to the Filecoin protocol. If it is, please open an FIP issue.
• This is not a new feature request. If it is, please file a feature request instead.
• This is not brainstorming ideas. If you have an idea you'd like to discuss, please open a new discussion on the lotus forum and select the category as Ideas.
• I have a specific, actionable, and well motivated improvement to propose.

Lotus component

• lotus daemon - chain sync
• lotus miner - mining and block production
• lotus miner/worker - sealing
• lotus miner - proving(WindowPoSt)
• lotus miner/market - storage deal
• lotus miner/market - retrieval deal
• lotus miner/market - data transfer
• lotus client
• lotus JSON-RPC API
• lotus message management (mpool)
• Other

Improvement Suggestion

this ipfs issue is getting lotus nodes undesired connection as well, i.e from one peer:

##########################################################################
#               Netscan detected from host  157.90.131.158               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Wed Nov 24 03:10:34 2021 TCP  157.90.131.158 42955 =>     10.10.34.39 39239
Wed Nov 24 03:10:37 2021 TCP  157.90.131.158 42955 =>    192.168.1.70 49999
Wed Nov 24 03:10:41 2021 TCP  157.90.131.158 42955 =>  192.168.50.254 58582
Wed Nov 24 03:10:42 2021 TCP  157.90.131.158 42955 =>  192.168.50.254 58582
Wed Nov 24 03:10:37 2021 TCP  157.90.131.158 42955 =>   172.18.40.116 34687
Wed Nov 24 03:11:25 2021 TCP  157.90.131.158 42955 =>      10.80.63.1 30967

lotus should be able to filter those connection out

[f8-ptrk]

just happened again - would be nice to have this implemented as it creates problems in properly monitored hosted environments.

[jleni]

we are getting frequent alerts and portscanning reports due to this. In some cases, providers maybe shutdown nodes because of this.
I would suggest increasing the priority of this.

[placer14]

I have a few questions, just to be sure we agree on what we're doing here:

1. It's unclear what is desired when a connection is "filtered". Do you have context here? What would the end result look like?
2. Also, by what index should we "filter" a libp2p connection? Your example shows IPs and ports, but there are also peer IDs. Should I assume just IPs for now? And if so, do we want to enum each IP as input, maybe support masked IP ranges?
3. What does input look like. Is there an obvious config location where this might live? Is this a CLI option? Maybe want to define an example input?

/cc @jennijuju @f8-ptrk @jleni 🤝

[jennijuju]

@placer14 I think it should go in

lotus/node/config/def.go

Line 44 in 6f316cd

return Common{

@magik6k @@aschmahmann could you please provide more directions?

[aschmahmann]

@placer14 you're probably looking to emulate something like https://github.com/ipfs/go-ipfs/blob/master/docs/config.md#swarmaddrfilters. Probably the most common set of filters are the ones for disallowing private network connections (i.e. the server profile https://github.com/ipfs/go-ipfs-config/blob/ce20398638c38d2b3961dfc0854f2f7237c39964/profile.go#L48).

Here is how the libp2p option is instantiated in go-ipfs https://github.com/ipfs/go-ipfs/blob/91c52657166bcf86f2476926e4fe56694dc26562/core/node/libp2p/addrs.go#L13 using the structs in https://github.com/ipfs/go-ipfs/blob/956c24856d50770620eb2f8b42f478aca8049560/core/node/libp2p/filters.go basically for backwards compatibility for how we manipulate the address filters on the fly. You could probably use https://github.com/libp2p/go-libp2p/blob/7a35d0df9769c1d5b7ca0a1e83eb0fe0e67bc1f5/p2p/net/conngater/conngater.go#L46 though, or some more generic ConnectionGater.