Commit c588f5f

network: drop duplicated peer connections by server nonce
On a dockerized private network with non-default ext/int ports mapping there's no way to distinguish connections by underlying connection address prior to handshake. Even after handshake, if the peer doesn't declare announced address/port the same way as it is declared in the node's local peer record, there's still no other way than server nonce to distinguish duplicating connections. For example, on privnet with configuration from #3915, the node will maintain two connections to every seed:

```
// Start the node, wait for some connections to be established.
...
// Try to connect to seed nodes, in particular, with the seed 172.17.0.1:20334:
2025-05-22T10:44:55.779Z INFO choosing peer from seeds {"addr": "172.17.0.1:20334", "requested": 1}
...
2025-05-22T10:44:55.779Z INFO dealing address {"addr": "172.17.0.1:20334"}
...
// New peer is connected (incoming connection), it's the seed node
// 172.17.0.1:20334 in fact, start protocol with this node:
2025-05-22T10:44:55.908Z INFO new peer connected {"peer addr": "172.200.0.254:42654", "fake conn addr": "172.200.0.254:42654", "conn addr": "172.200.0.254:42654", "peerCount": 1}
2025-05-22T10:44:55.909Z INFO started protocol {"addr": "172.200.0.254:42654", "userAgent": "/NEO-GO:0.109.2-pre-16-g953c3580/", "startHeight": 0, "id": 2422991527}
...
// Outgoing seed connection succeeds, there's no way to distinguish this
// connection from incoming one based on any available address:
2025-05-22T10:44:55.994Z INFO updating seed address {"seed": "172.17.0.1:20334", "old": "", "new": "172.17.0.1:20334"}
2025-05-22T10:44:55.994Z INFO register connected {"addr": "172.17.0.1:20334"}
2025-05-22T10:44:55.994Z INFO new peer connected {"peer addr": "172.17.0.1:20334", "fake conn addr": "172.17.0.1:20334", "conn addr": "172.17.0.1:20334", "peerCount": 2}
...
// Start protocol with the same seed based on outgoing connection:
2025-05-22T10:44:55.996Z INFO started protocol {"addr": "172.17.0.1:20334", "userAgent": "/NEO-GO:0.109.2-pre-16-g953c3580/", "startHeight": 0, "id": 2422991527}
```

That's it, addresses can't tell us anything in this case. So we either live with duplicating connections or filter out connections by server ID. The latter is not the best option since the environment is untrusted and a peer may intentionally fake its ID, but we don't have more reliable information.

Close #3915.

Signed-off-by: Anna Shaleva <[email protected]>
1 parent b66e25b commit c588f5f

1 file changed

+1
-2
lines changed

pkg/network/server.go

Lines changed: 1 addition & 2 deletions
@@ -851,15 +851,14 @@ func (s *Server) handleVersionCmd(p Peer, version *payload.Version) error {
851851
if s.Net != version.Magic {
852852
return errInvalidNetwork
853853
}
854-
peerAddr := p.PeerAddr().String()
855854
s.lock.RLock()
856855
for peer := range s.peers {
857856
if p == peer {
858857
continue
859858
}
860859
ver := peer.Version()
861860
// Already connected, drop this connection.
862-
if ver != nil && ver.Nonce == version.Nonce && peer.PeerAddr().String() == peerAddr {
861+
if ver != nil && ver.Nonce == version.Nonce {
863862
s.lock.RUnlock()
864863
return errAlreadyConnected
865864
}
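
Review bot: the duplicate check at `if ver != nil && ver.Nonce == version.Nonce` now rests solely on a value the remote side supplies in its version payload, so the first connection to present a given nonce wins and any later peer presenting the same nonce is rejected with errAlreadyConnected, even when it arrives from a different address. The commit message accepts this trade-off, but the code does not record it: the `// Already connected, drop this connection.` comment should say that the nonce is unauthenticated and that the address comparison was dropped on purpose (with a pointer to #3915). Consider also logging both `peer.PeerAddr()` and `p.PeerAddr()` when a connection is dropped and the two addresses differ, so operators can tell NAT-induced duplicates apart from nonce collisions or a peer faking its ID.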
