go-ipfs dials out of addresses that are not in Addresses.Swarm

[pruflyos]

Version information:

go-ipfs version: 0.4.10- Repo version: 5 System version: amd64/linux Golang version: go1.8.3

Type:

Bug

Severity:

Medium

Description:

go-ipfs should only dial out of addresses that are used in Addresses.Swarm.

---

Old description: While you can configure on which addresses Swarm listens, ipfs daemon uses all available addresses/devices to connect to other peers. It would be great to be able to restrict the use to certain devices (network interfaces) only, e.g. tun0.

This is especially helpful if you want to setup a cjdns-only node, which only connects via the cjdns network (tun0). (https://github.com/cjdelisle/cjdns)

[whyrusleeping]

@pruflyos You can listen on a specific ip address, for example, if you want to just listen on your cjdns address, you can simple add /ip6/fc00..../tcp/4001 as your only swarm address.

[Kubuxu]

This is how most of the software manages this. @pruflyos Is it sufficient solution?

[Stebalien]

I think the issue is that ipfs will dial peers over any interface.

workarounds

• If you know what routes your interface serves, you can use AddrFilters to filter out all IP addresses not routed over that interface.
• If you're using linux, you can setup a network namespace fairly easily using ip netns.
• You can run ipfs under a special user and use firewall rules to forbid outbound connections from that user over any interface except, e.g., tun0. This is probably the most cross-platform solution.

[Kubuxu]

I don't think it will dial peers over any interface, but I am not 100% sure.

If it does it should be fixed, we used to have similar problem with past (with utp turning itself on). It was DefaultDialer that was an issue.

[Stebalien]

@Kubuxu I'd be very surprised if we make an attempt to avoid dialing peers over interfaces on which we're not listening. We'd have to check routing tables.

[Kubuxu]

We use reuseport and can specify source addresses for dialing, if we are doing it right we should be able to dial only from IPs we are bound to and this would prevent us from using other interfaces.

[Stebalien]

Ah, I didn't realize that. You're right (I think).

[pruflyos]

Here's my configuration. However go-ipfs is dialing over any interface available right now.

"Addresses": {
    "Swarm": [
      "/ip6/fcXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/tcp/4001"
    ],
    "API": "/ip4/127.0.0.1/tcp/5001",
    "Gateway": "/ip4/127.0.0.1/tcp/8080"
  },

I tried all the workarounds mentioned already, but only the 3rd one (special user + iptables -m owner) seems to be practical right now (for me).

[Kubuxu]

@pruflyos for cjdns there is https://github.com/prurigro/cjdnsify it might work.

[whyrusleeping]

@pruflyos ah, the dialing out is the problem... Thats very interesting...

[Kubuxu]

Looking at it:

There are two bugs here, one with go-reuseport and one without. Fixing the former is trivial, fixing the latter requires to dive into go-reuseport.

It seems it is this time of a year again.

[Kubuxu]

Part of the fix https://github.com/libp2p/go-tcp-transport/pull/9

[Kubuxu]

It is caused by fallbackDialer in go-libp2p-conn, I have no idea why it triggers for the TCP sockets.