src/exporter/client: Don't attempt connecting to local ip addresses

Cargo.lock

@@ -1190,6 +1190,7 @@ dependencies = [
  "futures-timer 3.0.2",
  "libp2p",
  "libp2p-kad",
+ "log",
  "prometheus",
  "structopt",
  "tide",

Cargo.toml

@@ -12,6 +12,7 @@ env_logger = "0.7.1"
 futures = "0.3.1"
 libp2p = "0.18.0"
 libp2p-kad = "0.18.0"
+log = "0.4.1"
 prometheus = "0.7"
 void = "1.0.2"
 tide = "0.6"

Dockerfile

@@ -1,10 +1,10 @@
 # Build container
 
-FROM rust as build
+FROM rustlang/rust:nightly as build
 
 COPY ./ ./
 
-RUN cargo build --release
+RUN cargo +nightly build --release
 
 RUN mkdir -p /build-out
 

src/exporter/client.rs

@@ -24,6 +24,8 @@ use std::{
     usize,
 };
 
+mod global_only;
+
 const RANDOM_WALK_INTERVAL: Duration = Duration::from_secs(10);
 
 pub struct Client {
@@ -173,7 +175,11 @@ impl NetworkBehaviourEventProcess<KademliaEvent> for MyBehaviour {
 
 fn build_transport(keypair: Keypair) -> Boxed<(PeerId, StreamMuxerBox), impl Error> {
     let tcp = tcp::TcpConfig::new().nodelay(true);
-    let transport = dns::DnsConfig::new(tcp).unwrap();
+    // Ignore any non global IP addresses. Given the amount of private IP
+    // addresses in most Dhts dialing private IP addresses can easily be (and
+    // has been) interpreted as a port-scan by ones hosting provider.
+    let global_only_tcp = global_only::GlobalIpOnly::new(tcp);
+    let transport = dns::DnsConfig::new(global_only_tcp).unwrap();
 
     let noise_keypair = noise::Keypair::new().into_authentic(&keypair).unwrap();
     let noise_config = noise::NoiseConfig::ix(noise_keypair);

src/exporter/client/global_only.rs

@@ -0,0 +1,56 @@
+use libp2p::core::{
+    multiaddr::{Multiaddr, Protocol},
+    transport::TransportError,
+    Transport,
+};
+use log::warn;
+
+// Wrapper around a libp2p `Transport` dropping all dial requests to non-global
+// IP addresses.
+#[derive(Debug, Clone, Default)]
+pub struct GlobalIpOnly<T> {
+    inner: T,
+}
+
+impl<T> GlobalIpOnly<T> {
+    pub fn new(transport: T) -> Self {
+        GlobalIpOnly { inner: transport }
+    }
+}
+
+impl<T: Transport> Transport for GlobalIpOnly<T> {
+    type Output = <T as Transport>::Output;
+    type Error = <T as Transport>::Error;
+    type Listener = <T as Transport>::Listener;
+    type ListenerUpgrade = <T as Transport>::ListenerUpgrade;
+    type Dial = <T as Transport>::Dial;
+
+    fn listen_on(self, addr: Multiaddr) -> Result<Self::Listener, TransportError<Self::Error>> {
+        self.inner.listen_on(addr)
+    }
+
+    fn dial(self, addr: Multiaddr) -> Result<Self::Dial, TransportError<Self::Error>> {
+        match addr.iter().next() {
+            Some(Protocol::Ip4(a)) => {
+                if a.is_global() {
+                    return self.inner.dial(addr);
+                } else {
+                    warn!("Not dialing non global IP address {:?}.", a);
+                    return Err(TransportError::MultiaddrNotSupported(addr));
+                }
+            }
+            Some(Protocol::Ip6(a)) => {
+                if a.is_global() {
+                    return self.inner.dial(addr);
+                } else {
+                    warn!("Not dialing non global IP address {:?}.", a);
+                    return Err(TransportError::MultiaddrNotSupported(addr));
+                }
+            }
+            _ => {
+                warn!("Not dialing unsupported Multiaddress {:?}.", addr);
+                return Err(TransportError::MultiaddrNotSupported(addr));
+            }
+        }
+    }
+}

src/main.rs

@@ -1,3 +1,5 @@
+#![feature(ip)]
+
 use async_std::task;
 use libp2p::core::Multiaddr;
 use prometheus::{Encoder, Registry, TextEncoder};