Close #742: Allow limitting of peer discovery to specific interfaces

Signed-off-by: Lee Smet <lee.smet@hotmail.com>

Author: LeeSmet

CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- You can now limit peer discovery to specific interfaces by specifying the `--peer-discovery-interface <interface_name>`.
+  The flag can be specified multiple times to allow multiple interfaces.
+
 ### Changed
 
 - No longer block the router when a subnet is being queried until the query resolves

mycelium/src/lib.rs

@@ -17,7 +17,7 @@ use message::{
     MessageId, MessageInfo, MessagePushResponse, MessageStack, PushMessageError, ReceivedMessage,
 };
 use metrics::Metrics;
-use peer_manager::{PeerExists, PeerNotFound, PeerStats, PrivateNetworkKey};
+use peer_manager::{PeerDiscoveryMode, PeerExists, PeerNotFound, PeerStats, PrivateNetworkKey};
 use routing_table::{NoRouteSubnet, QueriedSubnet, RouteEntry};
 use subnet::Subnet;
 use tokio::net::TcpListener;
@@ -70,7 +70,9 @@ pub struct Config<M> {
     /// Listen port for Quic connections.
     pub quic_listen_port: Option<u16>,
     /// Udp port for peer discovery.
-    pub peer_discovery_port: Option<u16>,
+    pub peer_discovery_port: u16,
+    /// Mode for peer discovery (All, Disabled, or Filtered).
+    pub peer_discovery_mode: PeerDiscoveryMode,
     /// Name for the TUN device.
     #[cfg(any(
         target_os = "linux",
@@ -200,8 +202,8 @@ where
             config.peers,
             config.tcp_listen_port,
             config.quic_listen_port,
-            config.peer_discovery_port.unwrap_or_default(),
-            config.peer_discovery_port.is_none(),
+            config.peer_discovery_port,
+            config.peer_discovery_mode,
             config.private_network_config,
             config.metrics,
             config.firewall_mark,

mycelium/src/peer_manager.rs

@@ -76,6 +76,19 @@ pub enum PeerType {
     Inbound,
 }
 
+/// Defines how peer discovery operates regarding network interfaces.
+#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub enum PeerDiscoveryMode {
+    /// Discover peers on all qualifying interfaces (default behavior).
+    #[default]
+    All,
+    /// Peer discovery is completely disabled.
+    Disabled,
+    /// Only discover peers on interfaces whose names match the provided list.
+    Filtered(Vec<String>),
+}
+
 /// Local info about a peer.
 struct PeerInfo {
     /// Details how we found out about this peer.
@@ -186,7 +199,7 @@ where
         tcp_listen_port: u16,
         quic_listen_port: Option<u16>,
         peer_discovery_port: u16,
-        disable_peer_discovery: bool,
+        peer_discovery_mode: PeerDiscoveryMode,
         private_network_config: Option<(String, PrivateNetworkKey)>,
         metrics: M,
         firewall_mark: Option<u32>,
@@ -266,16 +279,30 @@ where
         let handle = tokio::spawn(peer_manager.inner.clone().connect_to_peers());
         peer_manager.abort_handles.push(handle.abort_handle());
 
-        // Discover local peers, this does not actually connect to them. That is handle by the
+        // Discover local peers, this does not actually connect to them. That is handled by the
         // connect_to_peers task.
-        if !disable_peer_discovery {
-            let handle = tokio::spawn(
-                peer_manager
-                    .inner
-                    .clone()
-                    .local_discovery(peer_discovery_port),
-            );
-            peer_manager.abort_handles.push(handle.abort_handle());
+        match peer_discovery_mode {
+            PeerDiscoveryMode::Disabled => {
+                // No discovery task spawned
+            }
+            PeerDiscoveryMode::All => {
+                let handle = tokio::spawn(
+                    peer_manager
+                        .inner
+                        .clone()
+                        .local_discovery(peer_discovery_port, None),
+                );
+                peer_manager.abort_handles.push(handle.abort_handle());
+            }
+            PeerDiscoveryMode::Filtered(interfaces) => {
+                let handle = tokio::spawn(
+                    peer_manager
+                        .inner
+                        .clone()
+                        .local_discovery(peer_discovery_port, Some(interfaces)),
+                );
+                peer_manager.abort_handles.push(handle.abort_handle());
+            }
         }
 
         Ok(peer_manager)
@@ -1046,7 +1073,12 @@ where
     }
 
     /// Use multicast discovery to find local peers.
-    async fn local_discovery(self: Arc<Self>, peer_discovery_port: u16) {
+    /// When `allowed_interfaces` is provided, only join multicast groups on those interfaces.
+    async fn local_discovery(
+        self: Arc<Self>,
+        peer_discovery_port: u16,
+        allowed_interfaces: Option<Vec<String>>,
+    ) {
         let rid = self.router.lock().unwrap().router_id();
 
         let multicast_destination = LL_PEER_DISCOVERY_GROUP
@@ -1077,7 +1109,7 @@ where
         let mut joined_interfaces = HashSet::new();
         // Join the multicast discovery group on newly detected interfaces.
         let join_new_interfaces = |joined_interfaces: &mut HashSet<_>| {
-            let ipv6_nics = list_ipv6_interface_ids()?;
+            let ipv6_nics = list_ipv6_interface_ids(allowed_interfaces.as_deref())?;
             // Keep the existing interfaces, removing interface ids we previously joined but are no
             // longer found when listing ids. We simply discard unknown ids, and assume if the
             // interface is gone (or it's IPv6), that we also implicitly left the group (i.e. no
@@ -1356,7 +1388,10 @@ impl rustls::client::danger::ServerCertVerifier for SkipServerVerification {
 }
 
 /// Get a list of the interface identifiers of every network interface with a local IPv6 IP.
-fn list_ipv6_interface_ids() -> Result<HashSet<u32>, Box<dyn std::error::Error>> {
+/// When `allowed_interfaces` is provided, only interfaces with matching names are returned.
+fn list_ipv6_interface_ids(
+    allowed_interfaces: Option<&[String]>,
+) -> Result<HashSet<u32>, Box<dyn std::error::Error>> {
     let mut nics = HashSet::new();
     for nic in netdev::get_interfaces()
         .into_iter()
@@ -1368,6 +1403,12 @@ fn list_ipv6_interface_ids() -> Result<HashSet<u32>, Box<dyn std::error::Error>>
                 && nic.is_multicast()
                 && nic.is_up()
         })
+        // Apply name filter if provided
+        .filter(|nic| {
+            allowed_interfaces
+                .map(|names| names.iter().any(|name| name == &nic.name))
+                .unwrap_or(true)
+        })
     {
         for addr in nic.ipv6 {
             if addr.addr().segments()[..4] == [0xfe80, 0, 0, 0] {

myceliumd-private/src/main.rs

@@ -21,6 +21,7 @@ use tracing::{debug, error, info, warn};
 
 use crypto::PublicKey;
 use mycelium::endpoint::Endpoint;
+use mycelium::peer_manager::PeerDiscoveryMode;
 use mycelium::{crypto, Node};
 use tracing_subscriber::layer::SubscriberExt;
 use tracing_subscriber::util::SubscriberInitExt;
@@ -308,6 +309,15 @@ pub struct NodeArguments {
     #[arg(long = "disable-peer-discovery", default_value_t = false)]
     disable_peer_discovery: bool,
 
+    /// Limit peer discovery to specific network interfaces.
+    ///
+    /// When specified, peer discovery will only operate on the named interfaces.
+    /// Can be specified multiple times. If not specified, discovery runs on all
+    /// qualifying interfaces (unless --disable-peer-discovery is set).
+    /// This flag is ignored if --disable-peer-discovery is set.
+    #[arg(long = "peer-discovery-interface")]
+    peer_discovery_interfaces: Vec<String>,
+
     /// Address of the HTTP API server.
     #[arg(long = "api-addr", default_value_t = DEFAULT_HTTP_API_SERVER_ADDRESS)]
     api_addr: SocketAddr,
@@ -406,6 +416,7 @@ pub struct MergedNodeConfig {
     quic_listen_port: u16,
     peer_discovery_port: u16,
     disable_peer_discovery: bool,
+    peer_discovery_interfaces: Vec<String>,
     api_addr: SocketAddr,
     jsonrpc_addr: SocketAddr,
     no_tun: bool,
@@ -431,6 +442,7 @@ struct MyceliumConfig {
     tun_name: Option<String>,
     disable_peer_discovery: Option<bool>,
     peer_discovery_port: Option<u16>,
+    peer_discovery_interfaces: Option<Vec<String>>,
     api_addr: Option<SocketAddr>,
     jsonrpc_addr: Option<SocketAddr>,
     metrics_api_address: Option<SocketAddr>,
@@ -586,6 +598,18 @@ async fn main() -> Result<(), Box<dyn Error>> {
                 info!(path = ?merged_config.topic_config, "Loaded topic cofig");
             }
 
+            // Compute peer discovery mode from flags
+            let peer_discovery_mode = if merged_config.disable_peer_discovery {
+                if !merged_config.peer_discovery_interfaces.is_empty() {
+                    warn!("--disable-peer-discovery is set, ignoring --peer-discovery-interface values");
+                }
+                PeerDiscoveryMode::Disabled
+            } else if !merged_config.peer_discovery_interfaces.is_empty() {
+                PeerDiscoveryMode::Filtered(merged_config.peer_discovery_interfaces.clone())
+            } else {
+                PeerDiscoveryMode::All
+            };
+
             let private_network_config =
                 match (merged_config.network_name, merged_config.network_key_file) {
                     (Some(network_name), Some(network_key_file)) => {
@@ -618,11 +642,8 @@ async fn main() -> Result<(), Box<dyn Error>> {
                     } else {
                         Some(merged_config.quic_listen_port)
                     },
-                    peer_discovery_port: if merged_config.disable_peer_discovery {
-                        None
-                    } else {
-                        Some(merged_config.peer_discovery_port)
-                    },
+                    peer_discovery_port: merged_config.peer_discovery_port,
+                    peer_discovery_mode: peer_discovery_mode.clone(),
                     tun_name: merged_config.tun_name,
                     private_network_config,
                     metrics: metrics.clone(),
@@ -653,11 +674,8 @@ async fn main() -> Result<(), Box<dyn Error>> {
                     } else {
                         Some(merged_config.quic_listen_port)
                     },
-                    peer_discovery_port: if merged_config.disable_peer_discovery {
-                        None
-                    } else {
-                        Some(merged_config.peer_discovery_port)
-                    },
+                    peer_discovery_port: merged_config.peer_discovery_port,
+                    peer_discovery_mode,
                     tun_name: merged_config.tun_name,
                     private_network_config,
                     metrics: mycelium_metrics::NoMetrics,
@@ -914,6 +932,11 @@ fn merge_config(cli_args: NodeArguments, file_config: MyceliumConfig) -> MergedN
         },
         disable_peer_discovery: cli_args.disable_peer_discovery
             || file_config.disable_peer_discovery.unwrap_or(false),
+        peer_discovery_interfaces: if !cli_args.peer_discovery_interfaces.is_empty() {
+            cli_args.peer_discovery_interfaces
+        } else {
+            file_config.peer_discovery_interfaces.unwrap_or_default()
+        },
         api_addr: if cli_args.api_addr != DEFAULT_HTTP_API_SERVER_ADDRESS {
             cli_args.api_addr
         } else {

myceliumd/src/main.rs

@@ -21,6 +21,7 @@ use tracing::{debug, error, info, warn};
 
 use crypto::PublicKey;
 use mycelium::endpoint::Endpoint;
+use mycelium::peer_manager::PeerDiscoveryMode;
 use mycelium::{crypto, Node};
 use tracing_subscriber::layer::SubscriberExt;
 use tracing_subscriber::util::SubscriberInitExt;
@@ -308,6 +309,15 @@ pub struct NodeArguments {
     #[arg(long = "disable-peer-discovery", default_value_t = false)]
     disable_peer_discovery: bool,
 
+    /// Limit peer discovery to specific network interfaces.
+    ///
+    /// When specified, peer discovery will only operate on the named interfaces.
+    /// Can be specified multiple times. If not specified, discovery runs on all
+    /// qualifying interfaces (unless --disable-peer-discovery is set).
+    /// This flag is ignored if --disable-peer-discovery is set.
+    #[arg(long = "peer-discovery-interface")]
+    peer_discovery_interfaces: Vec<String>,
+
     /// Address of the HTTP API server.
     #[arg(long = "api-addr", default_value_t = DEFAULT_HTTP_API_SERVER_ADDRESS)]
     api_addr: SocketAddr,
@@ -389,6 +399,7 @@ pub struct MergedNodeConfig {
     quic_listen_port: u16,
     peer_discovery_port: u16,
     disable_peer_discovery: bool,
+    peer_discovery_interfaces: Vec<String>,
     api_addr: SocketAddr,
     jsonrpc_addr: SocketAddr,
     no_tun: bool,
@@ -412,6 +423,7 @@ struct MyceliumConfig {
     tun_name: Option<String>,
     disable_peer_discovery: Option<bool>,
     peer_discovery_port: Option<u16>,
+    peer_discovery_interfaces: Option<Vec<String>>,
     api_addr: Option<SocketAddr>,
     jsonrpc_addr: Option<SocketAddr>,
     metrics_api_address: Option<SocketAddr>,
@@ -565,6 +577,18 @@ async fn main() -> Result<(), Box<dyn Error>> {
                 info!(path = ?merged_config.topic_config, "Loaded topic cofig");
             }
 
+            // Compute peer discovery mode from flags
+            let peer_discovery_mode = if merged_config.disable_peer_discovery {
+                if !merged_config.peer_discovery_interfaces.is_empty() {
+                    warn!("--disable-peer-discovery is set, ignoring --peer-discovery-interface values");
+                }
+                PeerDiscoveryMode::Disabled
+            } else if !merged_config.peer_discovery_interfaces.is_empty() {
+                PeerDiscoveryMode::Filtered(merged_config.peer_discovery_interfaces.clone())
+            } else {
+                PeerDiscoveryMode::All
+            };
+
             let node_keys = get_node_keys(&key_path).await?;
             let node_secret_key = if let Some((node_secret_key, _)) = node_keys {
                 node_secret_key
@@ -587,11 +611,8 @@ async fn main() -> Result<(), Box<dyn Error>> {
                     } else {
                         Some(merged_config.quic_listen_port)
                     },
-                    peer_discovery_port: if merged_config.disable_peer_discovery {
-                        None
-                    } else {
-                        Some(merged_config.peer_discovery_port)
-                    },
+                    peer_discovery_port: merged_config.peer_discovery_port,
+                    peer_discovery_mode: peer_discovery_mode.clone(),
                     tun_name: merged_config.tun_name,
                     private_network_config: None,
                     metrics: metrics.clone(),
@@ -621,11 +642,8 @@ async fn main() -> Result<(), Box<dyn Error>> {
                     } else {
                         Some(merged_config.quic_listen_port)
                     },
-                    peer_discovery_port: if merged_config.disable_peer_discovery {
-                        None
-                    } else {
-                        Some(merged_config.peer_discovery_port)
-                    },
+                    peer_discovery_port: merged_config.peer_discovery_port,
+                    peer_discovery_mode,
                     tun_name: merged_config.tun_name,
                     private_network_config: None,
                     metrics: mycelium_metrics::NoMetrics,
@@ -881,6 +899,11 @@ fn merge_config(cli_args: NodeArguments, file_config: MyceliumConfig) -> MergedN
         },
         disable_peer_discovery: cli_args.disable_peer_discovery
             || file_config.disable_peer_discovery.unwrap_or(false),
+        peer_discovery_interfaces: if !cli_args.peer_discovery_interfaces.is_empty() {
+            cli_args.peer_discovery_interfaces
+        } else {
+            file_config.peer_discovery_interfaces.unwrap_or_default()
+        },
         api_addr: if cli_args.api_addr != DEFAULT_HTTP_API_SERVER_ADDRESS {
             cli_args.api_addr
         } else {