Concept ACK, I think this makes onlynet closer to what users expect, clearing up all kind of exceptions that have to be documented. Thanks!

With this PR, one could use for example -onlynet=ipv6 -onion=127.0.0.1:9050 and Bitcoin Core will not automatically connect to .onion hosts. However one could later use the addnode RPC to manually connect to an .onion host. This matches the current behavior in master wrt other networks, e.g. -onlynet=ipv6 and later addnode to an ipv4 host.

(Feel free to ignore my comments until you re-push.)

Do you plan to add functional tests like in #22651?

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #24205 (net, init, test: network reachability testing and safety improvements by jonatack)
• #15423 (torcontrol: Query Tor for correct -onion configuration by luke-jr)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

Do you plan to add functional tests like in #22651?

It would be good. I wonder how to test this deterministically. I guess I would want to have an addrman with just addresses from one network and use onlynet another network and check that a connection is never attempted, or something like that.

Concept ACK

Started testing today and need to test lot of combinations with onlynet. Sharing things that I observed during basic tests:

1. onlynet=i2p with proxy=127.0.0.1:9050 does not create any outbound connections to onion nodes using PR branch however it connects to onion node with Master branch. ✅

   1.1 Run node 1:

   bitcoind -regtest=1 -port=18333 -rpcport=18222 -rpcuser=user1 -rpcpassword=pass1 -datadir=/home/prayank/node1 -debug=net
   

   1.2 Run node 2:

   bitcoind -regtest=1 -port=18777 -rpcport=18666 -rpcuser=user2 -rpcpassword=pass2 -onlynet=i2p -i2psam=127.0.0.1:7656 -proxy=127.0.0.1:9050 -datadir=/home/prayank/node2 -debug=net
   

   1.3 Copy onion address for node 1 and add it in peers.dat for node2:

   bitcoin-cli -rpcport=18666 -rpcuser=user2 -rpcpassword=pass2 addpeeraddress "6w724ckwacu2sdfitjr6otzfi4hfutxqqcc5mju2gc2ufguysb447gqd.onion" 18444
   

   1.4 Wait for few seconds and node 2 will create an outbound connection with node 1 on Master branch. It should fail on PR branch.

   Master branch: https://pastebin.com/raw/krvahBf7
   PR branch: https://pastebin.com/raw/P6uwLtxf

2. Onion service and i2p service are not created when proxy=127.0.0.1:9050 is used. (Master and PR branch) ⚠️

Concept ACK! Glad there's a full fix for this now.

7b821b9d4c...0ea0de6438: optimize OutboundConnectionAllowedTo() for a fast lookup coz it is called frequently, plus some rewording in the docs.

@prayank23, thanks for looking into this! So all is working as expected. -logips=1 will improve your log output a tiny bit. I also tested this manually by adding a printout inside OutboundConnectionAllowedTo(), with -onlynet=i2p -onion=127.0.0.1:9050 it is called many times with *.onion addresses and returns false as expected.

A room for improvement (out of the scope of this PR): with -onlynet=X if addrman contains a small percentage of X addresses, CConnman::ThreadOpenConnections() will loop many times trying non-X addresses which get rejected either by the existent IsReachable() check or by the newly added OutboundConnectionAllowedTo(). It takes seconds to select an I2P address for example. CAddrMan::Select() could be smarter and take a onlynets argument and somehow return addresses that only belong to the requested networks fast.

Concept ACK

Day 2 of testing onlynet

So all is working as expected

Need to test more things. onlynet=ipv6 did not work as expected today.

-logips=1 will improve your log output a tiny bit

Thanks. Will try this tomorrow.

CAddrMan::Select() could be smarter and take a onlynets argument and somehow return addresses that only belong to the requested networks fast.

Yes we can try this.

I wonder about the interactions of the new OutboundConnectionAllowedTo() with IsReachable(), which is how -onlynet also influences things - it seems complicated to have both OutboundConnectionAllowedTo() and IsReachable() doing similar things with subtle differences, and depending on the situation one or the other is effective.

My understanding is that IsReachable() will still be able to violate the -onlynet option sometimes (if -proxy , -onion in init.cpp or torcontrol.cpp call SetReachable() after the -onlynet arg was evaluated).
Because addrman acceptance is gated by IsReachable(), I think we could still accept addrs from networks excluded by -onlynet into addrman that we no longer would make outgoing connections to - leading to futile connection attempts.

Would it be possible as an alternative approach to get Reachable in line with -onlynet expectations (e.g. by moving the -onlynet block in init.cpp below the -onion and -proxy blocks and also not calling SetReachable() from torcontrol if -onlynet excludes onions?) Or would there be negative side effects with other callers of IsReachable()?

@prayank23 does the machine have an actual IPv6 connectivity? Do you see successful connections to IPv6 hosts when -onlynet= is not used? The text Network is unreachable is an actual system error, it does not come from Bitcoin Core.

Yes it was ipv6 connectivity issue. There were 2 issues: 1. One of my ISP didn't support ipv6 2. Had to change network adapter from NAT to bridged in VM. Checked connectivity on http://test-ipv6.com/

Updated logs above as ipv6 works fine. Will test onion-ipv4, onion-ipv6, i2p-ipv4, i2p-ipv6, i2p-onion and ipv6-ipv4 today.

@mzumsande, good insight! I think there are two distinct properties of a network:

1. Whether it is reachable (the current IsReachable() function). That is - do we have the means to connect to it if we wanted?
2. Whether we should choose hosts from that network for making automatic outbound connections (-onlynet=, or the newly added OutboundConnectionAllowedTo() function)

For example, a setup like -onlynet=ipv6 -onion=127.0.0.1:9050 should make the Tor network "reachable", but avoid automatically opening connections to it. However, manual connections using -connect, -addnode and -seednode to Tor hosts should be still possible, using the proxy given with -onion=. Makes sense?

Your comments make me think - should we only add addresses to addrman if they are both 1. and 2. (right now it is just 1.)? E.g.

             // Do not store addresses outside our network
-            if (fReachable)
+            if (fReachable && OutboundConnectionAllowedTo(addr))
                 vAddrOk.push_back(addr);

or also limit relay of 1. but not 2. addresses?

What about changing the limited property in the getnetworkinfo RPC reply?

I agree with @mzumsande. I find it confusing that we have two functions considering -onlynet (see how vfLimited is filled with onlynet).

It tried few combinations with onlynet and everything works as expected. Although I am still not sure about trade-offs involved in each of these. Things get even more complicated if user has incoming connections on multiple networks as discussed in IRC: https://www.erisian.com.au/bitcoin-core-dev/log-2021-09-01.html (260 2021-09-01T20:26:30)

This PR has limited scope and it does fix the issues with onlynet and proxy usage.

ACK 0ea0de6

Will reACK if suggestions discussed above are implemented and functional tests are added:

#22834 (comment)

#22834 (comment)

Also not sure why addpeeraddress returns false in this case: https://bitcoin.stackexchange.com/q/109465/

@mzumsande, @naumenkogs, if we need not make a distinction between 1. and 2. (from #22834 (comment)), then an alternative approach is possible, similar to the one described above by @mzumsande (but not quite the same).

What do you think about this: vasild@46a9a79? Note that even with that, IsReachable() does not represent exactly -onlynet.

I didn't find a place we would need to make the distinction between the ability (1) and the willingness (2) to make outbound connections to networks. Also the status quo for IsReachable() before this PR, despite the name, is a mix of 1. and 2. because it is initially set by -onlynet user preference (2) and then possibly overruled based on the means to connect to a network (1):

For example, a setup like -onlynet=ipv6 -onion=127.0.0.1:9050 should make the Tor network "reachable", but avoid automatically opening connections to it.

Is this a relevant scenario, i.e. what should be the practical consequence of a network being "reachable" in this scenario when we wouldn't do automatic connections to it?

However, manual connections using -connect, -addnode and -seednode to Tor hosts should be still possible, using the proxy given with -onion=. Makes sense?

Yes, I agree. As far as I can see, all of the manual connection code is completely independent from IsReachable, so this shouldn't be affected by any of the discussed suggestions.

Your comments make me think - should we only add addresses to addrman if they are both 1. and 2. (right now it is just 1.)

I tend to think that this would make sense. I don't see the point of storing addresses in addrman when we won't connect to them - whether this is because we cannot or because we don't want to doesn't seem crucial to me.

What do you think about this: vasild/bitcoin@46a9a79? Note that even with that, IsReachable() does not represent exactly -onlynet.

On first sight, I like this approach. I don't quite understand why it is possible to just drop the SetReachable() in torcontrol.cpp.

I have been looking into the other call sites of IsReachable() besides connection opening and addrman acceptance to see how they would be affected by possible changes:
IsPeerAddrLocalGood() and AddLocal() both call IsReachable() and therefore might be affected. Considering that they deal with the address used for self-advertising (and thus for getting incoming connections) I don't really understand why they make use of IsReachable() in the first place. Shouldn't this affect only outbound connection logic?

Concept ACK

I didn't find a place we would need to make the distinction between the ability (1) and the willingness (2) to make outbound connections to networks.

The only one I can think of is this - it would be strange to display onion as not reachable in getnetworkinfo RPC, but to be able to open manual connections to it using addnode.

Also the status quo for IsReachable() before this PR, despite the name, is a mix of 1. and 2. because it is initially set by -onlynet user preference (2) and then possibly overruled based on the means to connect to a network (1):

Yes.

For example, a setup like -onlynet=ipv6 -onion=127.0.0.1:9050 should make the Tor network "reachable", but avoid automatically opening connections to it.

Is this a relevant scenario, i.e. what should be the practical consequence of a network being "reachable" in this scenario when we wouldn't do automatic connections to it?

It would be possible to reach the network by opening a manual connection. I am not sure if this is "relevant". Maybe it is exotic use case.

What do you think about this: vasild/bitcoin@46a9a79? Note that even with that, IsReachable() does not represent exactly -onlynet.

On first sight, I like this approach. I don't quite understand why it is possible to just drop the SetReachable() in torcontrol.cpp.

Hmm, maybe that is not a good idea - if -torcontrol=... -torpassword=... are given (without any of -onlynet, -proxy or -onion) then that code would have flipped the Tor network from not reachable to reachable. Is this desirable? If yes, then instead of removing SetReachable() from torcontrol.cpp it should be made conditional: if (!onion_restricted) {. However that variable onion_restricted is local in init.cpp so it would either have to be made global (:disappointed:) or OutboundConnectionAllowedTo() used instead of it. But we are looking into that potentially more invasive patch only because the co-existence of IsReachable() and OutboundConnectionAllowedTo() is confusing...

IsPeerAddrLocalGood() and AddLocal() both call IsReachable() and therefore might be affected. Considering that they deal with the address used for self-advertising (and thus for getting incoming connections) I don't really understand why they make use of IsReachable() in the first place. Shouldn't this affect only outbound connection logic?

I think the logic is this - if a network is not reachable then we cannot accept connections from it. "Reachable" in the broader English word meaning, not the stricter -onlynet meaning. For example, a host/OS may have support for both IPv4 and IPv6 but its ISP may only support IPv4. So, an operator would run -onlynet=ipv4 to avoid attempting connections to IPv6 hosts and from advertising an IPv6 address to which the rest of the world cannot connect.

051c2554ca...0eea83a85e: rebase due to conflicts

Invalidates ACK from @prayank23

utACK 0eea83a