add consensus ip whitelist

app/config/config.go

@@ -137,6 +137,8 @@ type OecConfig struct {
 	maxSubscriptionClients int
 
 	maxTxLimitPerPeer uint64
+
+	consensusIPWhitelist []string
 }
 
 const (
@@ -175,6 +177,7 @@ const (
 	FlagCsTimeoutPrecommit         = "consensus.timeout_precommit"
 	FlagCsTimeoutPrecommitDelta    = "consensus.timeout_precommit_delta"
 	FlagCsTimeoutCommit            = "consensus.timeout_commit"
+	FlagConsensusIPWhitelist       = "consensus.ip_whitelist"
 	FlagEnableHasBlockPartMsg      = "enable-blockpart-ack"
 	FlagDebugGcInterval            = "debug.gc-interval"
 	FlagCommitGapOffset            = "commit-gap-offset"
@@ -331,6 +334,7 @@ func (c *OecConfig) loadFromConfig() {
 	c.SetCommitGapHeight(viper.GetInt64(server.FlagCommitGapHeight))
 	c.SetSentryAddrs(viper.GetString(FlagSentryAddrs))
 	c.SetNodeKeyWhitelist(viper.GetString(FlagNodeKeyWhitelist))
+	c.SetConsensusIPWhitelist(viper.GetString(FlagConsensusIPWhitelist))
 	c.SetEnableWtx(viper.GetBool(FlagEnableWrappedTx))
 	c.SetEnableAnalyzer(viper.GetBool(trace.FlagEnableAnalyzer))
 	c.SetDeliverTxsExecuteMode(viper.GetInt(state.FlagDeliverTxsExecMode))
@@ -511,6 +515,8 @@ func (c *OecConfig) updateFromKVStr(k, v string) {
 		c.SetPendingPoolBlacklist(v)
 	case FlagNodeKeyWhitelist:
 		c.SetNodeKeyWhitelist(v)
+	case FlagConsensusIPWhitelist:
+		c.SetConsensusIPWhitelist(v)
 	case FlagMempoolCheckTxCost:
 		r, err := strconv.ParseBool(v)
 		if err != nil {
@@ -810,6 +816,10 @@ func (c *OecConfig) GetNodeKeyWhitelist() []string {
 	return c.nodeKeyWhitelist
 }
 
+func (c *OecConfig) GetConsensusIPWhitelist() []string {
+	return c.consensusIPWhitelist
+}
+
 func (c *OecConfig) GetMempoolCheckTxCost() bool {
 	return c.mempoolCheckTxCost
 }
@@ -831,6 +841,13 @@ func (c *OecConfig) SetNodeKeyWhitelist(value string) {
 	}
 }
 
+func (c *OecConfig) SetConsensusIPWhitelist(value string) {
+	ipList := resolveNodeKeyWhitelist(value)
+	for _, ip := range ipList {
+		c.consensusIPWhitelist = append(c.consensusIPWhitelist, strings.TrimSpace(ip))
+	}
+}
+
 func (c *OecConfig) GetSentryAddrs() []string {
 	return c.sentryAddrs
 }

libs/tendermint/config/dynamic_config_okchain.go

@@ -41,6 +41,7 @@ type IDynamicConfig interface {
 	GetMaxSubscriptionClients() int
 	GetPendingPoolBlacklist() string
 	GetMaxTxLimitPerPeer() uint64
+	GetConsensusIPWhitelist() []string
 }
 
 var DynamicConfig IDynamicConfig = MockDynamicConfig{}
@@ -233,3 +234,7 @@ func (d MockDynamicConfig) GetPendingPoolBlacklist() string {
 func (c MockDynamicConfig) GetMaxTxLimitPerPeer() uint64 {
 	return DefaultMempoolConfig().MaxTxLimitPerPeer
 }
+
+func (c MockDynamicConfig) GetConsensusIPWhitelist() []string {
+	return []string{}
+}

libs/tendermint/consensus/reactor.go

@@ -3,17 +3,17 @@ package consensus
 import (
 	"bytes"
 	"fmt"
-	"github.com/okex/exchain/libs/tendermint/crypto"
-	"github.com/okex/exchain/libs/tendermint/libs/automation"
+	cfg "github.com/okex/exchain/libs/tendermint/config"
 	"reflect"
 	"sync"
 	"time"
 
 	"github.com/pkg/errors"
-
 	amino "github.com/tendermint/go-amino"
 
 	cstypes "github.com/okex/exchain/libs/tendermint/consensus/types"
+	"github.com/okex/exchain/libs/tendermint/crypto"
+	"github.com/okex/exchain/libs/tendermint/libs/automation"
 	"github.com/okex/exchain/libs/tendermint/libs/bits"
 	tmevents "github.com/okex/exchain/libs/tendermint/libs/events"
 	"github.com/okex/exchain/libs/tendermint/libs/log"
@@ -343,6 +343,17 @@ func (conR *Reactor) Receive(chID byte, src p2p.Peer, msgBytes []byte) {
 		return
 	}
 
+	okIP := false
+	for _, ip := range cfg.DynamicConfig.GetConsensusIPWhitelist() {
+		if src.RemoteIP().String() == ip {
+			okIP = true
+			break
+		}
+	}
+	if !okIP {
+		conR.Logger.Error("consensus msg:IP not in whitelist", "IP", src.RemoteIP().String())
+	}
+
 	msg, err := decodeMsg(msgBytes)
 	if err != nil {
 		conR.Logger.Error("Error decoding message", "src", src, "chId", chID, "msg", msg, "err", err, "bytes", msgBytes)