From b1922d26f61e3d9a5fc2ca7049af8ba59cddf8be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 2 Nov 2022 14:06:07 +0100
Subject: [PATCH] Allow IPFS connections on private network

(HAProxy is now also using the private network.) This fixes IPFS connections to Kosmos nodes from outside the network, as well as in between nodes on the private network.
---
 .../kosmos-ipfs/attributes/default.rb | 40 ++++++++++++++++---
 site-cookbooks/kosmos-ipfs/recipes/default.rb | 16 ++++++++
 2 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/site-cookbooks/kosmos-ipfs/attributes/default.rb b/site-cookbooks/kosmos-ipfs/attributes/default.rb
index 466342c..ee892d9 100644
--- a/site-cookbooks/kosmos-ipfs/attributes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb
@@ -5,10 +5,6 @@ node.default['kosmos-ipfs']['api']['port'] = 5001
 node.default['kosmos-ipfs']['ipfs']['config'] = {
 # The default gateway is already used by kosmos' hubot (8080)
 "Addresses.Gateway" => "/ip4/127.0.0.1/tcp/9090",
- # Do not keep track of bandwidth metrics. Disabling bandwidth metrics can
- # lead to a slight performance improvement, as well as a reduction in memory
- # usage.
- 'Swarm.DisableBandwidthMetrics' => true,
 # API with Web UI
 "Addresses.API" => "/ip4/0.0.0.0/tcp/5001",
 # Enable bandwith metrics
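Review bot: The commit message does not mention the removal of the `'Swarm.DisableBandwidthMetrics' => true` entry, although it is the only change in this hunk; the context line that follows (`# Enable bandwith metrics`) suggests the hash already carried a second, contradicting key for the same setting, so presumably this drops a duplicate literal key whose later value was silently winning. A sentence in the commit message saying this is a duplicate-key cleanup, or a short comment at the remaining entry such as `# Single Swarm.DisableBandwidthMetrics key; a duplicate used to shadow this value`, would keep that intent recoverable. The config hash continues past the end of this hunk.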
@@ -19,7 +15,41 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
 # operation
 'Swarm.ConnMgr.HighWater' => 40,
 # Minimum number of connections to maintain
- 'Swarm.ConnMgr.LowWater' => 20
+ 'Swarm.ConnMgr.LowWater' => 20,
+ # Do not dial out to these IP ranges
+ # We go a bit nuts on the 10.0 range definitions to allow dialouts on our own
+ # private network
+ 'Swarm.AddrFilters' => [
+ '/ip4/10.128.0.0/ipcidr/9',
+ '/ip4/10.64.0.0/ipcidr/10',
+ '/ip4/10.32.0.0/ipcidr/11',
+ '/ip4/10.16.0.0/ipcidr/12',
+ '/ip4/10.8.0.0/ipcidr/13',
+ '/ip4/10.4.0.0/ipcidr/14',
+ '/ip4/10.2.0.0/ipcidr/15',
+ '/ip4/10.0.0.0/ipcidr/16',
+ '/ip4/10.1.128.0/ipcidr/17',
+ '/ip4/10.1.64.0/ipcidr/18',
+ '/ip4/10.1.32.0/ipcidr/19',
+ '/ip4/10.1.16.0/ipcidr/20',
+ '/ip4/10.1.8.0/ipcidr/21',
+ '/ip4/10.1.4.0/ipcidr/22',
+ '/ip4/10.1.2.0/ipcidr/23',
+ '/ip4/10.1.0.0/ipcidr/24',
+ '/ip4/100.64.0.0/ipcidr/10',
+ '/ip4/169.254.0.0/ipcidr/16',
+ '/ip4/172.16.0.0/ipcidr/12',
+ '/ip4/192.0.0.0/ipcidr/24',
+ '/ip4/192.0.0.0/ipcidr/29',
+ '/ip4/192.0.0.8/ipcidr/32',
+ '/ip4/192.0.0.170/ipcidr/32',
+ '/ip4/192.0.0.171/ipcidr/32',
+ '/ip4/192.0.2.0/ipcidr/24',
+ '/ip4/192.168.0.0/ipcidr/16',
+ '/ip4/198.18.0.0/ipcidr/15',
+ '/ip4/198.51.100.0/ipcidr/24',
+ '/ip4/203.0.113.0/ipcidr/24',
+ '/ip4/240.0.0.0/ipcidr/4'],
 }
 
 node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
diff --git a/site-cookbooks/kosmos-ipfs/recipes/default.rb b/site-cookbooks/kosmos-ipfs/recipes/default.rb
index c4f867a..3adb0ae 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb
@@ -24,3 +24,19 @@ firewall_rule 'ipfs_api' do
 command :allow
 logging :connections
 end
+
+firewall_rule 'ipfs_local_p2p_allow_out' do
+ destination "10.1.1.0/24"
+ direction :out
+ protocol :none
+ command :allow
+ logging :connections
+end
+
+firewall_rule 'ipfs_local_p2p_deny_out' do
+ destination "10.0.0.0/8"
+ direction :out
+ protocol :none
+ command :deny
+ logging :connections
+end
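Review bot: The comment above `'Swarm.AddrFilters'` says the 10/8 expansion exists to allow dial-outs to the private network but never states which range is exempt; the sixteen 10.x entries together cover all of 10.0.0.0/8 except 10.1.1.0/24, which is the same range the new `ipfs_local_p2p_allow_out` rule in the recipe hunk hard-codes separately. I would name it in the comment, e.g. `# Every 10/8 block except 10.1.1.0/24 (our private network); keep in sync with the firewall rules in recipes/default.rb`, and consider carrying the range in one attribute that both files read so the two carve-outs cannot drift apart. Note also that `Swarm.AddrFilters` only controls which addresses the node dials; whether the node announces its 10.1.1.x address to peers is governed by `Addresses.NoAnnounce`, which this change does not touch, so that is worth checking against the kubo server profile this list appears to be derived from. The enclosing config hash opens before this hunk.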
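Review bot: The allow rule for `10.1.1.0/24` only has effect if it is evaluated before `ipfs_local_p2p_deny_out` for `10.0.0.0/8`, and neither rule sets a `position`; if this is the chef firewall cookbook, rules are, as far as I recall, ordered by `position` (default 50) and not by their order in the recipe, so the deny can land ahead of the allow and cut the node off from the private network. Give them explicit positions, e.g. `position 10` in the allow rule and `position 20` in the deny rule. Both rules are also host-wide rather than IPFS-specific despite the `ipfs_` prefix: with `protocol :none` and no source or port restriction they apply to every outbound connection from this host to 10/8 outside the private subnet, which is worth stating in a comment above the deny rule if that is intended.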