adds net-restrict to cli options (#1646)

* adds nat-restrict to cli options Signed-off-by: m4sterbunny <harrie.bickle@consensys.net> * Update docs/public-networks/reference/cli/options.md as per Besu's array == 1 required, array accepted Co-authored-by: Alexandra Carrillo <12214231+alexandratran@users.noreply.github.com> Signed-off-by: m4sterbunny <harrie.bickle@consensys.net> * Update docs/public-networks/reference/cli/options.md if this, then need to do run through pg and verify previous Co-authored-by: Sally MacFarlane <macfarla.github@gmail.com> Signed-off-by: m4sterbunny <harrie.bickle@consensys.net> * updates howto too Signed-off-by: m4sterbunny <harrie.bickle@consensys.net> * Update docs/public-networks/how-to/connect/manage-peers.md proof Co-authored-by: Alexandra Carrillo <12214231+alexandratran@users.noreply.github.com> Signed-off-by: m4sterbunny <harrie.bickle@consensys.net> * Update docs/public-networks/how-to/connect/manage-peers.md proof Co-authored-by: Alexandra Carrillo <12214231+alexandratran@users.noreply.github.com> Signed-off-by: m4sterbunny <harrie.bickle@consensys.net> * Update docs/public-networks/reference/cli/options.md proof Co-authored-by: Alexandra Carrillo <12214231+alexandratran@users.noreply.github.com> Signed-off-by: m4sterbunny <harrie.bickle@consensys.net> --------- Signed-off-by: m4sterbunny <harrie.bickle@consensys.net> Co-authored-by: Joan E <153745173+joaniefromtheblock@users.noreply.github.com> Co-authored-by: Alexandra Carrillo <12214231+alexandratran@users.noreply.github.com> Co-authored-by: Sally MacFarlane <macfarla.github@gmail.com>
hyperledger · Jul 23, 2024 · 4087322 · 4087322
1 parent f56d84d
commit 4087322
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 3 deletions.
diff --git a/docs/public-networks/how-to/connect/manage-peers.md b/docs/public-networks/how-to/connect/manage-peers.md
@@ -12,9 +12,12 @@ tags:
 Hyperledger Besu peer-to-peer (P2P) discovery happens periodically based on the number of peers in a
 network and the node's [peer limit](#limit-peers).
 
-The frequency of discovery isn't configurable, but you can
-[limit remote connections](#limit-remote-connections) in public networks and
-[randomly prioritize connections](../../reference/cli/options.md#random-peer-priority-enabled) in
+The frequency of discovery isn't configurable, but you can:
+
+- [Limit remote connections](#limit-remote-connections) in public networks.
+- [Allowlist peers by IP subnet](#allowlist-peers) to create a private network of peers across public 
+networks.
+- [Randomly prioritize connections](../../reference/cli/options.md#random-peer-priority-enabled) in
 small, stable networks.
 
 :::info
@@ -70,6 +73,10 @@ You can limit peers to reduce the bandwidth, CPU time, and disk access Besu uses
 
 To reduce the maximum number of peers, use the [`--max-peers`](../../reference/cli/options.md#max-peers) option. The default is 25.
 
+## Allowlist peers
+
+You can can define specific IP subnets permitted to interact with the node using the [`--net-restrict`](../../reference/cli/options.md#net-restrict) configuration. This restricts access to only those peers whose IP addresses fall within the allowed subnets. This is useful if you maintain a set of nodes and want to restrict which of those can connect to external nodes.
+
 ## Limit remote connections
 
 Prevent eclipse attacks when using [`--sync-mode`](../../reference/cli/options.md#sync-mode) and [`--fast-sync-min-peers`](../../reference/cli/options.md##sync-min-peers-fast-sync-min-peers) on public networks by enabling the [remote connection limits](../../reference/cli/options.md#remote-connections-limit-enabled).

diff --git a/docs/public-networks/reference/cli/options.md b/docs/public-networks/reference/cli/options.md
@@ -2596,6 +2596,48 @@ You must specify `DOCKER` when using the [Besu Docker image](../../get-started/i
 
 :::
 
+### `net-restrict`
+
+<Tabs>
+
+<TabItem value="Syntax" label="Syntax" default>
+
+```bash
+--net-restrict=<subnet>[,<subnet>,...]
+```
+
+</TabItem>
+
+<TabItem value="Example" label="Example">
+
+```bash
+--net-restrict=192.168.1.0/24,10.0.0.0/8
+```
+
+</TabItem>
+
+<TabItem value="Environment variable" label="Environment variable">
+
+```bash
+BESU_NET_RESTRICT=192.168.1.0/24,10.0.0.0/8
+```
+
+</TabItem>
+
+<TabItem value="Example configuration file" label="Example configuration file"> 
+
+```bash
+net-restrict=["192.168.1.0/24","10.0.0.0/8"]
+```
+
+</TabItem>
+
+</Tabs>
+
+A comma-separated list of allowed IP subnets.
+Peers whose IP addresses fall within the specified subnets are granted permission to interact with the node.
+If not specified, no subnet-based peer permission restrictions are applied.
+
 ### `network`
 
 <Tabs>