net: don't bind on 0.0.0.0 if binds are restricted to Tor #20234
Conversation
|
How does Tor continue to function after this? |
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones: If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
|
Concept ACK |
src/net.cpp
Outdated
| fBound |= Bind(addrBind.m_service, (BF_EXPLICIT | BF_REPORT_ERROR), addrBind.m_flags); | ||
| } | ||
| if (binds.empty() && whiteBinds.empty()) { | ||
| for (const auto& addr_bind : options.onion_binds) { | ||
| fBound |= Bind(addr_bind, BF_EXPLICIT | BF_REPORT_ERROR | BF_DONT_ADVERTISE, NetPermissionFlags::PF_NONE); |
There was a problem hiding this comment.
Yeah. #19991 (comment)
I think it is reasonable to inform the user that his request couldn't be fulfilled. E.g. if he specifies -bind=1.2.3.4:8334=onion and we can't bind on that address and port.
There was a problem hiding this comment.
@hebasto WDYT, just an oversight?
Good catch! I think the BF_REPORT_ERROR flag was missed for no reason.
There was a problem hiding this comment.
Stripping down this PR I had to remove the BF_REPORT_ERROR flag.
If one runs two bitcoinds with explicit -bind=... that do not conflict one may expect that they would start successfully. The functional testing framework expects this! However they both try to bind on the same default onion target 127.0.0.1:8334, one of them succeeds and the other fails. That failure is muted by the absence of BF_REPORT_ERROR. Apparently no test cares whether that bind has failed or not. To observe the problem, in master, add BF_REPORT_ERROR and run ./test/functional/test_runner.py, observe random tests failures with errors like "unable to bind to 127.0.0.1:8334".
(the full version of this PR used to fix that and thus the presence of BF_REPORT_ERROR did not cause tests to brick)
|
@vasild, like any contributor, is part of "The Bitcoin Core developers" |
|
Unless I am misunderstanding this PR, this will break tor configuration for any user with an explicit bind configuration. Not binding to localhost is extremely weird, I can't think of any other program I've encountered doing that. Is there an actual usecase for not binding localhost? Might it be better to just document that localhost binds are implicit and then, if there is a need for not binding to localhost, have an argument to specifically disable that? In other words, I think what you're actually pointing to is just a doc bug where the documentation isn't pedantically correct, but where the behaviour is what 99.999% of users would prefer. If so-- change the doc. |
You found a bug! Not in this PR, but in 0.20.1:
https://github.com/bitcoin/bitcoin/blob/v0.20.1/src/torcontrol.cpp#L539 but then it does not listen on That bug was fixed by #19991 by removing the hardcoded When only |
|
rpc bind is a separate configuration from 'bind', as is whitebind, perhaps the onion should be its own bind statement (that users normally never touch) |
|
Fixed the test failure on Travis (confirmed on my local fork). |
One could expect binding to the default
If perception of an option is ambiguous the option docs require improvement, no?
Again, binding to the default I understand, that all statements above look like |
I think all 3 of For example, if |
This behavior seems to need to be properly documented as well :) |
|
This PR seems to have derailed in direction of documentation, but I think the code needs to be changed. Take any popular server - Apache, PostgreSQL, MySQL, OpenSSH, Tor, Bitcoin Core 0.20.1 (but not the current Apache, for example has The current |
|
The 0.21 milestone has been removed for now. And this is not a regression anyway, AFAICT |
It looks to me that they are. I find the current Could it be possible to introduce a new option Both Here a suggestion of the documentation that could be then, which I think would be clearer: Unfortunately, I only now came to know of to the Edit: gmaxwell suggested similar (#20234 (comment)) |
|
Code review ACK a6b8fc9 |
This new behavior is confusing (at least to me), and I don't agree with it. |
|
ACK a6b8fc9 |
|
@hebasto, that is similar to how it operates with other networks - if the user restricts the binds to only some networks, then all other networks are ditched (affected) wrt listening/binding. For example, assume a machine has an IPv4 address " Would this change to -bind=<addr>[:<port>][=onion]
- Bind to given address...
+ Bind only to given address... |
Right. But my concerns are not about binding itself, rather about behavior that users might expect -- the distinguishing incoming Tor connections. |
Right, |
|
I see. So it is about judging which expectation to fail:
|
|
@hebasto, what do you think about the second change in this PR? That is - the second item from the PR description: "* If only |
sgtm |
c272abb to
a004833
Compare
|
|
Done! Updated PR title and description. |
|
Concept ACK |
The semantic of `-bind` is to restrict the binding only to some address. If not specified, then the user does not care and we bind to `0.0.0.0`. If specified then we should honor the restriction and bind only to the specified address. Before this change, if no `-bind` is given then we would bind to `0.0.0.0:8333` and to `127.0.0.1:8334` (incoming Tor) which is ok - the user does not care to restrict the binding. However, if only `-bind=addr:port=onion` is given (without ordinary `-bind=`) then we would bind to `addr:port` _and_ to `0.0.0.0:8333` in addition. Change the above to not do the additional bind: if only `-bind=addr:port=onion` is given (without ordinary `-bind=`) then bind to `addr:port` (only) and consider incoming connections to that as Tor and do not advertise it. I.e. a Tor-only node.
|
|
|
Code review ACK 2feec3c |
|
utACK 2feec3c per |
There was a problem hiding this comment.
ACK 2feec3c, tested on Linux Mint 20.1 (x86_64):
$ src/bitcoind -signet
...
2021-07-08T14:50:35Z [init] Bound to 127.0.0.1:38334
2021-07-08T14:50:35Z [init] Bound to [::]:38333
2021-07-08T14:50:35Z [init] Bound to 0.0.0.0:38333
...
$ src/bitcoind -signet -bind=127.0.0.1:38334=onion
...
2021-07-08T14:52:02Z [init] Bound to 127.0.0.1:38334
...
The semantic of
-bindis to restrict the binding only to some address.If not specified, then the user does not care and we bind to
0.0.0.0.If specified then we should honor the restriction and bind only to the
specified address.
Before this change, if no
-bindis given then we would bind to0.0.0.0:8333and to127.0.0.1:8334(incoming Tor) which is ok -the user does not care to restrict the binding.
However, if only
-bind=addr:port=onionis given (without ordinary-bind=) then we would bind toaddr:portand to0.0.0.0:8333inaddition.
Change the above to not do the additional bind: if only
-bind=addr:port=onionis given (without ordinary-bind=) then bindto
addr:port(only) and consider incoming connections to that as Torand do not advertise it. I.e. a Tor-only node.