package tezos-p2p


This module implements four Access Control Lists:

  • IP greylist is a set of banned IP addresses automatically added by the P2P layer.
  • peer_id greylist is a set of banned peer ids automatically added by the P2P layer.
  • IP blacklist is a set of IP addresses manually added by the node admin.
  • peer blacklist is a set of peer ids manually added by the node admin.

IP greylists use a time-based GC to periodically remove entries from the table, while peer_id greylists are built using an LRU cache, where the least-recently greylisted peer is evicted from the table when a new banned peer is added to a full cache. The other two tables are user-defined and static.

type t
val create : peer_id_size:int -> ip_size:int -> ip_cleanup_delay:Tezos_base.Time.System.Span.t -> t

create ~peer_id_size ~ip_size is a set of four ACLs (see above), with the peer_id greylist being an LRU cache of size peer_id_size and the IP address greylist a bloom filter of size ip_size (expressed in KiB). Elements are (probabilistically) kept in the bloom filter for ip_cleanup_delay; the cleanup happens in sixteen discrete steps rather than continuously.
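The two eviction policies described above (an LRU cache for peer ids, and a bloom filter whose entries are aged out in sixteen discrete steps) are easy to misread from the signature alone. The following is an added, self-contained OCaml model written for this page; it is not the tezos-p2p implementation and uses only the standard library. Module names (Peer_greylist, Ip_greylist), the three-hash bloom filter, and the sample peer ids and address are all constructed for illustration. The model uses sixteen bloom-filter slices and wipes one slice per cleanup step, so an address stays banned for between 15/16 and 16/16 of the configured delay, which is the observable behaviour a node operator should expect.

```ocaml
(* Added illustrative model, not the tezos-p2p code. It reproduces the
   two greylist policies using only the OCaml standard library. *)

(* ---- peer_id greylist: LRU cache with a strict size bound ---- *)
module Peer_greylist = struct
  type t = {
    capacity : int;
    table : (string, unit) Hashtbl.t;
    order : string Queue.t;  (* front = least recently greylisted *)
  }

  let create capacity =
    { capacity; table = Hashtbl.create capacity; order = Queue.create () }

  let mem t peer = Hashtbl.mem t.table peer

  (* Evict from the front until a slot is free, then append. Greylisting a
     peer that is already present refreshes it to most-recently-greylisted. *)
  let add t peer =
    if Hashtbl.mem t.table peer then begin
      let rest = Queue.create () in
      Queue.iter (fun p -> if p <> peer then Queue.add p rest) t.order;
      Queue.clear t.order;
      Queue.transfer rest t.order
    end else begin
      while Hashtbl.length t.table >= t.capacity do
        let victim = Queue.pop t.order in
        Hashtbl.remove t.table victim
      done;
      Hashtbl.replace t.table peer ()
    end;
    Queue.add peer t.order
end

(* ---- IP greylist: bloom filter aged out in sixteen discrete steps ---- *)
module Ip_greylist = struct
  let slices = 16  (* one cleanup step per slice, as documented above *)

  type t = {
    bits : Bytes.t array;   (* one bit array per slice *)
    nbits : int;
    mutable current : int;  (* slice that receives new entries *)
    hashes : int;           (* assumption: three hash functions *)
  }

  let create ~size_kib =
    let nbits = size_kib * 1024 * 8 in
    { bits = Array.init slices (fun _ -> Bytes.make (nbits / 8) '\000');
      nbits; current = 0; hashes = 3 }

  (* k bit positions derived from seeded hashes of the address string *)
  let positions t addr =
    List.init t.hashes (fun seed -> Hashtbl.seeded_hash seed addr mod t.nbits)

  let set_bit b i =
    let byte = Char.code (Bytes.get b (i / 8)) lor (1 lsl (i mod 8)) in
    Bytes.set b (i / 8) (Char.chr byte)

  let get_bit b i = Char.code (Bytes.get b (i / 8)) land (1 lsl (i mod 8)) <> 0

  let add t addr = List.iter (set_bit t.bits.(t.current)) (positions t addr)

  (* Banned if every bit is set in at least one slice. Like any bloom
     filter this can report a false positive, never a false negative. *)
  let mem t addr =
    let pos = positions t addr in
    Array.exists (fun b -> List.for_all (get_bit b) pos) t.bits

  (* Called every (ip_cleanup_delay / 16): move to the next slice and wipe
     it, so entries disappear sixteen steps after the slice was last used. *)
  let cleanup_step t =
    t.current <- (t.current + 1) mod slices;
    Bytes.fill t.bits.(t.current) 0 (Bytes.length t.bits.(t.current)) '\000'
end

let () =
  let ips = Ip_greylist.create ~size_kib:1 in
  Ip_greylist.add ips "192.0.2.7";                  (* constructed address *)
  assert (Ip_greylist.mem ips "192.0.2.7");
  for _ = 1 to 15 do Ip_greylist.cleanup_step ips done;
  assert (Ip_greylist.mem ips "192.0.2.7");         (* still banned at step 15 *)
  Ip_greylist.cleanup_step ips;
  assert (not (Ip_greylist.mem ips "192.0.2.7"));   (* dropped at step 16 *)
  let peers = Peer_greylist.create 2 in
  Peer_greylist.add peers "peerA";                  (* constructed peer ids *)
  Peer_greylist.add peers "peerB";
  Peer_greylist.add peers "peerC";                  (* cache full: evicts peerA *)
  assert (not (Peer_greylist.mem peers "peerA"));
  assert (Peer_greylist.mem peers "peerB" && Peer_greylist.mem peers "peerC");
  print_endline "greylist model behaves as documented"
```

The practical consequence for operators: a greylisted address is not guaranteed to be released exactly at ip_cleanup_delay, only within the last sixteenth of it, and an unrelated address can occasionally read as banned because of bloom-filter collisions, which is why the sizing parameter ip_size matters for a busy node. The peer_id greylist, by contrast, has no false positives but silently forgets the oldest ban once peer_id_size is exceeded.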

val banned_addr : t -> Tezos_base.P2p_addr.t -> bool

banned_addr t addr is true if addr is blacklisted or greylisted.

val unban_addr : t -> Tezos_base.P2p_addr.t -> unit

unban_addr t addr removes the address from both the blacklist of banned addresses and the greylist of addresses.

val banned_peer : t -> Tezos_base.P2p_peer.Id.t -> bool

banned_peer t peer_id is true if peer with id peer_id is blacklisted or greylisted.

val unban_peer : t -> Tezos_base.P2p_peer.Id.t -> unit

unban_peer t peer removes the peer from both the blacklist of banned peers and the greylist of peers.

val clear : t -> unit

clear t clears all four ACLs.

module IPGreylist : sig ... end
module IPBlacklist : sig ... end
module PeerBlacklist : sig ... end
module PeerGreylist : sig ... end


A mutable structure akin to a set, but with a size bound. Note that different caches have different policies towards the size bound: some uphold the bound strictly, some treat the bound as a suggestion. In addition, some caches count their elements somewhat sloppily.

module IpTable : sig ... end