ipfs / kubo

An IPFS implementation in Go
https://docs.ipfs.tech/how-to/command-line-quick-start/

`ipfs swarm filters` seems blacklist-only #1972

Open nonchip opened 8 years ago

nonchip commented 8 years ago

there should really be a whitelist (maybe followed by a blacklist, or some sort of rule priority system), because it's virtually impossible to do any local area swarms using the current implementation.

jbenet commented 8 years ago

@nonchip yeah, the original design called for filters to be applied in the typical ordering kind of way.

```
ALLOW <filter>
DENY <filter>
ALLOW <filter>
ALLOW <filter>
DENY <filter>
```

@whyrusleeping people do want this. let's move to this?

nonchip commented 8 years ago

@jbenet like iptables does it? sounds good. and relatively easy to implement. just add the allow/deny bool in the list of filters, and return that bool as soon as a filter matches. I'm pretty bad in golang, but pseudocode would be:

```
struct filter={IpNet mask, bool policy}
list filters=[struct filter]
foreach filters as filter
  if filter.mask matches address
    return filter.policy
return true // fallback for no (or no matching) filters
```

so e.g. a pure whitelist would be:

```
ALLOW ip
ALLOW ip
...
DENY ::
DENY 0.0.0.0
```

(denying everything at the end and causing the return true fallback to be never reached)
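
The first-match evaluation sketched in the pseudocode above, as an added Go example that is not part of the thread and not kubo or libp2p code. `Rule`, `ParseRules` and `Allowed` are hypothetical names, and the catch-all rules are written as `0.0.0.0/0` and `::/0` on the assumption that masks are given in CIDR form.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one ordered entry (hypothetical type, not a kubo or libp2p API).
type Rule struct {
	Mask  netip.Prefix
	Allow bool
}

// ParseRules turns "ALLOW <cidr>" / "DENY <cidr>" lines into ordered rules.
func ParseRules(lines []string) ([]Rule, error) {
	var rules []Rule
	for _, l := range lines {
		var verb, cidr string
		_, err := fmt.Sscanf(l, "%s %s", &verb, &cidr)
		p, perr := netip.ParsePrefix(cidr) // a bare address without /len is rejected
		if err != nil || perr != nil || (verb != "ALLOW" && verb != "DENY") {
			return nil, fmt.Errorf("bad rule %q", l)
		}
		rules = append(rules, Rule{Mask: p.Masked(), Allow: verb == "ALLOW"})
	}
	return rules, nil
}

// Allowed returns the first matching rule's policy; no match means allow.
func Allowed(rules []Rule, addr string) bool {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return false // unparseable address: fail closed
	}
	// Normalise: IPv4-mapped becomes IPv4 and the zone is dropped, so an
	// address cannot skip every rule and land on the allow fallback.
	ip = ip.Unmap().WithZone("")
	for _, r := range rules {
		if r.Mask.Contains(ip) {
			return r.Allow
		}
	}
	return true // fallback from the pseudocode: no rules, or none matched
}

func main() {
	// Constructed sample: LAN-only whitelist closed by catch-all denies.
	rules, _ := ParseRules([]string{"ALLOW 192.168.1.0/24", "DENY 0.0.0.0/0", "DENY ::/0"})
	fmt.Println(Allowed(rules, "192.168.1.7"), Allowed(rules, "203.0.113.9"))
}
```

Rule order decides the outcome: the same two rules with the catch-all deny placed first reject the LAN peer as well.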

jbenet commented 8 years ago

Yep that's right.

What would make it easier for people to contribute to things like this? Have noticed a larger than usual ratio of issues to PRs on go-ipfs. Is the code base too daunting?

On Tue, Nov 17, 2015 at 23:39 Kyra Zimmer notifications@github.com wrote:

> @jbenet https://github.com/jbenet like iptables does it? sounds good. and relatively easy to implement. just add the allow/deny bool in the list of filters, and return that bool as soon as a filter matches. I'm pretty bad in golang, but pseudocode would be:
>
> foreach filters as filter
>   if filter.mask matches address
>     return filter.policy
> return true // fallback for no (or no matching) filters
>
> so e.g. a pure whitelist would be:
>
> ALLOW ip
> ALLOW ip
> ...
> DENY ::
> DENY 0.0.0.0
>
> (denying everything at the end and causing the return true fallback to be never reached)

slothbag commented 8 years ago

In my desperation to cut down on bandwidth usage (see https://github.com/ipfs/go-ipfs/issues/2489) I have started blacklisting (swarm filters) ipfs nodes which seem to send/recv more than the average with my node.

A whitelist would probably be better, that way I can block everyone except for a handful of trusted nodes.

flyingzumwalt commented 7 years ago

Please implement this. It's really important for gateways to be able to whitelist content.

Examples:

In both cases, a blacklist doesn't cut it. You want to whitelist a small amount of hashes and decline all other requests.

Will https://github.com/libp2p/go-maddr-filter/pull/1 cover this for us?

Kubuxu commented 7 years ago

@flyingzumwalt this is not a content filter but a connection filter.

makew0rld commented 5 years ago

Any movement on this? It would be very useful.

Stebalien commented 5 years ago

Not yet. This would require some support in libp2p that we don't currently have. See: https://github.com/libp2p/go-libp2p-net/issues/25#issuecomment-433382317.