eth, cmd: add RollupNetrestrictTxPoolGossipFlag and RollupTxPoolTrustedPeersOnlyFlag (#706)

* eth, cmd: add RollupNetrestrictTxPoolGossipFlag

* fork.yaml: description of fork changes for tx gossip netrestrict

* eth: h.syncTransactions behind check for netrestrict for txpool gossip

* eth, eth/protocols: propagate netrestrict to Peer and limit incoming/outgoing message.

* eth, cmd: add RollupNetrestrictTxPoolGossipFlag PoC using `NilPool` (#713)

* Make peer struct not aware of ip net restrict

* Propagate Peer ip info to txpool

* fix

* cleanup

* eth/handler_test: unit test for TxGossipNetRestrict and TxPool() method

* eth: add short-circuit for incoming messages

* eth: rely on AcceptTxs

* eth: all tx propagating by default

* consistent OP Stack additions comment

* eth, cmd: restrict mempool only to trusted peers (#719)

* address comments

* eth/handler_test: modify unit test to check for trusted conn too

* add txGossipAllowed

* correct comments

* update fork.yaml

---------

Co-authored-by: Changwan Park <[email protected]>

Author: nonsense

cmd/geth/main.go

@@ -159,8 +159,10 @@ var (
 		utils.RollupHistoricalRPCTimeoutFlag,
 		utils.RollupInteropRPCFlag,
 		utils.RollupInteropMempoolFilteringFlag,
-		utils.RollupDisableTxPoolGossipFlag,
-		utils.RollupEnableTxPoolAdmissionFlag,
+		utils.RollupTxPoolDisableGossipFlag,
+		utils.RollupTxPoolNetrestrictFlag,
+		utils.RollupTxPoolTrustedPeersOnlyFlag,
+		utils.RollupTxPoolEnableAdmissionFlag,
 		utils.RollupComputePendingBlock,
 		utils.RollupHaltOnIncompatibleProtocolVersionFlag,
 		utils.RollupSuperchainUpgradesFlag,

cmd/utils/flags.go

@@ -984,15 +984,28 @@ var (
 		Category: flags.RollupCategory,
 	}
 
-	RollupDisableTxPoolGossipFlag = &cli.BoolFlag{
-		Name:     "rollup.disabletxpoolgossip",
+	RollupTxPoolDisableGossipFlag = &cli.BoolFlag{
+		Name:     "rollup.txpool.disable-gossip",
 		Usage:    "Disable transaction pool gossip.",
 		Category: flags.RollupCategory,
+		Aliases:  []string{"rollup.disabletxpoolgossip"},
 	}
-	RollupEnableTxPoolAdmissionFlag = &cli.BoolFlag{
-		Name:     "rollup.enabletxpooladmission",
+	RollupTxPoolNetrestrictFlag = &cli.StringFlag{
+		Name:     "rollup.txpool.netrestrict",
+		Usage:    "Restricts transaction pool gossip to the given IP networks (CIDR masks)",
+		Category: flags.RollupCategory,
+	}
+	RollupTxPoolTrustedPeersOnlyFlag = &cli.BoolFlag{
+		Name:     "rollup.txpool.trusted-peers-only",
+		Usage:    "Restricts transaction pool gossip and acceptance to trusted peers only",
+		Category: flags.RollupCategory,
+		Value:    false,
+	}
+	RollupTxPoolEnableAdmissionFlag = &cli.BoolFlag{
+		Name:     "rollup.txpool.enable-admission",
 		Usage:    "Add RPC-submitted transactions to the txpool (on by default if --rollup.sequencerhttp is not set).",
 		Category: flags.RollupCategory,
+		Aliases:  []string{"rollup.enabletxpooladmission"},
 	}
 	RollupComputePendingBlock = &cli.BoolFlag{
 		Name:     "rollup.computependingblock",
@@ -1923,8 +1936,10 @@ func SetEthConfig(ctx *cli.Context, stack *node.Node, cfg *ethconfig.Config) {
 	if ctx.IsSet(RollupInteropMempoolFilteringFlag.Name) {
 		cfg.InteropMempoolFiltering = ctx.Bool(RollupInteropMempoolFilteringFlag.Name)
 	}
-	cfg.RollupDisableTxPoolGossip = ctx.Bool(RollupDisableTxPoolGossipFlag.Name)
-	cfg.RollupDisableTxPoolAdmission = cfg.RollupSequencerHTTP != "" && !ctx.Bool(RollupEnableTxPoolAdmissionFlag.Name)
+	cfg.RollupDisableTxPoolGossip = ctx.Bool(RollupTxPoolDisableGossipFlag.Name)
+	cfg.RollupTxPoolNetrestrict = ctx.String(RollupTxPoolNetrestrictFlag.Name)
+	cfg.RollupTxPoolTrustedPeersOnly = ctx.Bool(RollupTxPoolTrustedPeersOnlyFlag.Name)
+	cfg.RollupDisableTxPoolAdmission = cfg.RollupSequencerHTTP != "" && !ctx.Bool(RollupTxPoolEnableAdmissionFlag.Name)
 	cfg.RollupHaltOnIncompatibleProtocolVersion = ctx.String(RollupHaltOnIncompatibleProtocolVersionFlag.Name)
 	cfg.ApplySuperchainUpgrades = ctx.Bool(RollupSuperchainUpgradesFlag.Name)
 	cfg.RollupSequencerTxConditionalEnabled = ctx.Bool(RollupSequencerTxConditionalEnabledFlag.Name)

core/txpool/subpool.go

@@ -83,7 +83,8 @@ type PendingFilter struct {
 	OnlyPlainTxs bool // Return only plain EVM transactions (peer-join announces, block space filling)
 	OnlyBlobTxs  bool // Return only blob transactions (block blob-space filling)
 
-	// OP stack addition: Maximum l1 data size allowed for an included transaction (for throttling
+	// OP Stack additions
+	// Maximum l1 data size allowed for an included transaction (for throttling
 	// when batcher is backlogged). Ignored if nil.
 	MaxDATxSize *big.Int
 }

eth/backend.go

@@ -64,6 +64,7 @@ import (
 	"github.com/ethereum/go-ethereum/p2p"
 	"github.com/ethereum/go-ethereum/p2p/dnsdisc"
 	"github.com/ethereum/go-ethereum/p2p/enode"
+	"github.com/ethereum/go-ethereum/p2p/netutil"
 	"github.com/ethereum/go-ethereum/params"
 	"github.com/ethereum/go-ethereum/rlp"
 	"github.com/ethereum/go-ethereum/rpc"
@@ -379,6 +380,11 @@ func New(stack *node.Node, config *ethconfig.Config) (*Ethereum, error) {
 		stack.RegisterLifecycle(pj)
 	}
 
+	txGossipNetRestrict, err := parseTxGossipNetRestrict(config.RollupTxPoolNetrestrict)
+	if err != nil {
+		return nil, err
+	}
+
 	// Permit the downloader to use the trie cache allowance during fast sync
 	cacheLimit := options.TrieCleanLimit + options.TrieDirtyLimit + options.SnapshotLimit
 	if eth.handler, err = newHandler(&handlerConfig{
@@ -391,7 +397,11 @@ func New(stack *node.Node, config *ethconfig.Config) (*Ethereum, error) {
 		BloomCache:     uint64(cacheLimit),
 		EventMux:       eth.eventMux,
 		RequiredBlocks: config.RequiredBlocks,
-		NoTxGossip:     config.RollupDisableTxPoolGossip,
+
+		// OP Stack additions
+		NoTxGossip:               config.RollupDisableTxPoolGossip,
+		TxGossipNetRestrict:      txGossipNetRestrict,
+		TxGossipTrustedPeersOnly: config.RollupTxPoolTrustedPeersOnly,
 	}); err != nil {
 		return nil, err
 	}
@@ -750,3 +760,15 @@ func (s *Ethereum) HandleRequiredProtocolVersion(required params.ProtocolVersion
 	}
 	return nil
 }
+
+// parseTxGossipNetRestrict parses the netrestrict string for txpool gossip
+func parseTxGossipNetRestrict(netrestrict string) (*netutil.Netlist, error) {
+	if netrestrict == "" {
+		return nil, nil
+	}
+	list, err := netutil.ParseNetlist(netrestrict)
+	if err != nil {
+		return nil, fmt.Errorf("invalid txpool gossip netrestrict list: %w", err)
+	}
+	return list, nil
+}

eth/ethconfig/config.go

@@ -190,6 +190,8 @@ type Config struct {
 	RollupHistoricalRPC                       string
 	RollupHistoricalRPCTimeout                time.Duration
 	RollupDisableTxPoolGossip                 bool
+	RollupTxPoolNetrestrict                   string `toml:",omitempty"` // Netrestrict for transaction gossip
+	RollupTxPoolTrustedPeersOnly              bool   // Restrict tx pool gossip to trusted peers only
 	RollupDisableTxPoolAdmission              bool
 	RollupHaltOnIncompatibleProtocolVersion   string
 

eth/ethconfig/gen_config.go

@@ -44,6 +44,7 @@ import (
 	"github.com/ethereum/go-ethereum/metrics"
 	"github.com/ethereum/go-ethereum/p2p"
 	"github.com/ethereum/go-ethereum/p2p/enode"
+	"github.com/ethereum/go-ethereum/p2p/netutil"
 )
 
 const (
@@ -106,7 +107,11 @@ type handlerConfig struct {
 	BloomCache     uint64                 // Megabytes to alloc for snap sync bloom
 	EventMux       *event.TypeMux         // Legacy event mux, deprecate for `feed`
 	RequiredBlocks map[uint64]common.Hash // Hard coded map of required block hashes for sync challenges
-	NoTxGossip     bool                   // Disable P2P transaction gossip
+
+	// OP Stack additions
+	NoTxGossip               bool             // Disable P2P transaction gossip
+	TxGossipNetRestrict      *netutil.Netlist // Restrict tx gossip to specific IP networks
+	TxGossipTrustedPeersOnly bool             // Restrict tx gossip to trusted peers only
 }
 
 type handler struct {
@@ -121,7 +126,9 @@ type handler struct {
 	chain    *core.BlockChain
 	maxPeers int
 
-	noTxGossip bool
+	noTxGossip               bool
+	txGossipNetRestrict      *netutil.Netlist
+	txGossipTrustedPeersOnly bool
 
 	downloader     *downloader.Downloader
 	txFetcher      *fetcher.TxFetcher
@@ -156,14 +163,18 @@ func newHandler(config *handlerConfig) (*handler, error) {
 		eventMux:       config.EventMux,
 		database:       config.Database,
 		txpool:         config.TxPool,
-		noTxGossip:     config.NoTxGossip,
 		chain:          config.Chain,
 		peers:          newPeerSet(),
 		txBroadcastKey: newBroadcastChoiceKey(),
 		requiredBlocks: config.RequiredBlocks,
 		quitSync:       make(chan struct{}),
 		handlerDoneCh:  make(chan struct{}),
 		handlerStartCh: make(chan struct{}),
+
+		// OP Stack additions
+		noTxGossip:               config.NoTxGossip,
+		txGossipNetRestrict:      config.TxGossipNetRestrict,
+		txGossipTrustedPeersOnly: config.TxGossipTrustedPeersOnly,
 	}
 	if config.Sync == ethconfig.FullSync {
 		// The database seems empty as the current block is the genesis. Yet the snap

eth/handler.go

@@ -25,6 +25,7 @@ import (
 	"github.com/ethereum/go-ethereum/core/txpool"
 	"github.com/ethereum/go-ethereum/core/types"
 	"github.com/ethereum/go-ethereum/eth/protocols/eth"
+	"github.com/ethereum/go-ethereum/p2p"
 	"github.com/ethereum/go-ethereum/p2p/enode"
 )
 
@@ -42,8 +43,14 @@ func (n NilPool) Get(common.Hash) *types.Transaction              { return nil }
 func (n NilPool) GetRLP(common.Hash) []byte                       { return nil }
 func (n NilPool) GetMetadata(hash common.Hash) *txpool.TxMetadata { return nil }
 
-func (h *ethHandler) TxPool() eth.TxPool {
-	if h.noTxGossip {
+func (h *ethHandler) txGossipAllowed(peer *p2p.Peer) bool {
+	return !(h.noTxGossip ||
+		(h.txGossipTrustedPeersOnly && !peer.Trusted()) ||
+		(h.txGossipNetRestrict != nil && !h.txGossipNetRestrict.ContainsAddr(peer.Node().IPAddr())))
+}
+
+func (h *ethHandler) TxPool(peer *p2p.Peer) eth.TxPool {
+	if !h.txGossipAllowed(peer) {
 		return &NilPool{}
 	}
 	return h.txpool
@@ -64,8 +71,9 @@ func (h *ethHandler) PeerInfo(id enode.ID) interface{} {
 
 // AcceptTxs retrieves whether transaction processing is enabled on the node
 // or if inbound transactions should simply be dropped.
-func (h *ethHandler) AcceptTxs() bool {
-	if h.noTxGossip {
+func (h *ethHandler) AcceptTxs(peer *eth.Peer) bool {
+	// Check if peer is allowed for transaction gossip
+	if !h.txGossipAllowed(peer.Peer) {
 		return false
 	}
 	return h.synced.Load()

eth/handler_eth.go

@@ -44,8 +44,8 @@ type testEthHandler struct {
 }
 
 func (h *testEthHandler) Chain() *core.BlockChain              { panic("no backing chain") }
-func (h *testEthHandler) TxPool() eth.TxPool                   { panic("no backing tx pool") }
-func (h *testEthHandler) AcceptTxs() bool                      { return true }
+func (h *testEthHandler) TxPool(*p2p.Peer) eth.TxPool          { panic("no backing tx pool") }
+func (h *testEthHandler) AcceptTxs(*eth.Peer) bool             { return true }
 func (h *testEthHandler) RunPeer(*eth.Peer, eth.Handler) error { panic("not used in tests") }
 func (h *testEthHandler) PeerInfo(enode.ID) interface{}        { panic("not used in tests") }
 

eth/handler_eth_test.go

@@ -17,9 +17,11 @@
 package eth
 
 import (
+	"fmt"
 	"maps"
 	"math/big"
 	"math/rand"
+	"net/netip"
 	"sort"
 	"sync"
 	"testing"
@@ -37,6 +39,8 @@ import (
 	"github.com/ethereum/go-ethereum/event"
 	"github.com/ethereum/go-ethereum/p2p"
 	"github.com/ethereum/go-ethereum/p2p/enode"
+	"github.com/ethereum/go-ethereum/p2p/enr"
+	"github.com/ethereum/go-ethereum/p2p/netutil"
 	"github.com/ethereum/go-ethereum/params"
 	"github.com/ethereum/go-ethereum/rlp"
 	"github.com/holiman/uint256"
@@ -317,3 +321,100 @@ func closePeers(peers []*ethPeer) {
 		p.Close()
 	}
 }
+
+// TestHandlerTxPool tests that the handler correctly assigns TxPool vs NilPool
+// based on the txGossipNetRestrict configuration.
+func TestHandlerTxPool(t *testing.T) {
+	t.Parallel()
+
+	// 8 nodes with different IPs and trusted flags
+	nodes := []struct {
+		ip      string
+		trusted bool
+	}{
+		{ip: "127.0.0.1", trusted: true},    // Allowed (127.0.0.0/8)
+		{ip: "127.0.0.2", trusted: true},    // Allowed (127.0.0.0/8)
+		{ip: "127.0.0.3", trusted: true},    // Allowed (127.0.0.0/8)
+		{ip: "127.0.0.4", trusted: false},   // Restricted due to trusted flag (127.0.0.0/8)
+		{ip: "192.168.1.1", trusted: false}, // Restricted
+		{ip: "192.168.1.2", trusted: false}, // Restricted
+		{ip: "10.0.0.1", trusted: true},     // Restricted due to network subset
+		{ip: "10.0.0.2", trusted: true},     // Restricted due to network subset
+	}
+
+	db := rawdb.NewMemoryDatabase()
+	gspec := &core.Genesis{
+		Config: params.TestChainConfig,
+		Alloc:  types.GenesisAlloc{testAddr: {Balance: big.NewInt(1000000)}},
+	}
+	chain, _ := core.NewBlockChain(db, gspec, ethash.NewFaker(), nil)
+	txpool := newTestTxPool()
+
+	// Set up netrestrict to allow only 127.0.0.0/8 range
+	netrestrict := new(netutil.Netlist)
+	netrestrict.Add("127.0.0.0/8")
+
+	handler, err := newHandler(&handlerConfig{
+		Database:                 db,
+		Chain:                    chain,
+		TxPool:                   txpool,
+		TxGossipNetRestrict:      netrestrict,
+		TxGossipTrustedPeersOnly: true,
+	})
+	if err != nil {
+		t.Fatalf("Failed to create handler: %v", err)
+	}
+	handler.Start(1000)
+	defer handler.Stop()
+
+	// Test each node's IP
+	ethHandler := (*ethHandler)(handler)
+
+	// Expected: first 3 nodes should get real TxPool, last 5 should get NilPool
+	expectedTxPoolCount := 0
+	expectedNilPoolCount := 0
+
+	for i, node := range nodes {
+		ip, err := netip.ParseAddr(node.ip)
+		if err != nil {
+			t.Fatalf("Failed to parse IP %s: %v", node.ip, err)
+		}
+
+		var r enr.Record
+		r.Set(enr.IPv4Addr(ip))
+		enode := enode.SignNull(&r, enode.ID{})
+		p := p2p.NewPeerFromNode(enode, fmt.Sprintf("test-peer-%d", i), nil)
+		p.TestSetTrusted(node.trusted)
+
+		txPool := ethHandler.TxPool(p)
+		allowed := ethHandler.txGossipAllowed(p)
+
+		// Check if we got a real TxPool or NilPool
+		if _, ok := txPool.(*testTxPool); ok {
+			expectedTxPoolCount++
+			if i >= 3 {
+				t.Errorf("Node %d (%s) should have gotten NilPool but got real TxPool", i, node.ip)
+			}
+			if !allowed {
+				t.Errorf("Node %d (%s) should have gotten allowed for gossiping but got not allowed", i, node.ip)
+			}
+		} else if _, ok := txPool.(*NilPool); ok {
+			expectedNilPoolCount++
+			if i < 3 {
+				t.Errorf("Node %d (%s) should have gotten real TxPool but got NilPool", i, node.ip)
+			}
+			if allowed {
+				t.Errorf("Node %d (%s) should have gotten not allowed for gossiping but got allowed", i, node.ip)
+			}
+		} else {
+			t.Errorf("Node %d (%s) got unexpected TxPool type: %T", i, node.ip, txPool)
+		}
+	}
+
+	if expectedTxPoolCount != 3 {
+		t.Errorf("Expected 3 nodes with real TxPool, got %d", expectedTxPoolCount)
+	}
+	if expectedNilPoolCount != 5 {
+		t.Errorf("Expected 5 nodes with NilPool, got %d", expectedNilPoolCount)
+	}
+}