adds net-restrict to cli options

docs/public-networks/how-to/connect/manage-peers.md

@@ -12,10 +12,12 @@ tags:
 Hyperledger Besu peer-to-peer (P2P) discovery happens periodically based on the number of peers in a
 network and the node's [peer limit](#limit-peers).
 
-The frequency of discovery isn't configurable, but you can
-[limit remote connections](#limit-remote-connections) in public networks and
-[randomly prioritize connections](../../reference/cli/options.md#random-peer-priority-enabled) in
-small, stable networks.
+The frequency of discovery isn't configurable, but you can:
+- [Limit remote connections](#limit-remote-connections) in public networks
+- [Allowlist peers by IP subnet](#allowlist-peers) to create a private network of peers across public 
+networks
+- [Randomly prioritize connections](../../reference/cli/options.md#random-peer-priority-enabled) in
+small, stable networks
 
 :::info
 You can use [`admin_addPeer`](../../reference/cli/options.md#admin_addpeer) to attempt a specific
@@ -70,6 +72,10 @@ You can limit peers to reduce the bandwidth, CPU time, and disk access Besu uses
 
 To reduce the maximum number of peers, use the [`--max-peers`](../../reference/cli/options.md#max-peers) option. The default is 25.
 
+## Allowlist peers
+
+You can can define specific IP subnets permitted to interact with the node using the [`--net-restrict`](../../reference/cli/options.md#net-restrict) configuration. This restricts access to only those peers whose IP addresses fall within the allowed subnets. This is particularly useful if you maintain a set of nodes and want to restrict which of those may connect to external nodes.
+
 ## Limit remote connections
 
 Prevent eclipse attacks when using [`--sync-mode`](../../reference/cli/options.md#sync-mode) and [`--fast-sync-min-peers`](../../reference/cli/options.md##sync-min-peers-fast-sync-min-peers) on public networks by enabling the [remote connection limits](../../reference/cli/options.md#remote-connections-limit-enabled).

docs/public-networks/reference/cli/options.md

@@ -2596,6 +2596,46 @@ You must specify `DOCKER` when using the [Besu Docker image](../../get-started/i
 
 :::
 
+### `net-restrict`
+
+<Tabs>
+
+<TabItem value="Syntax" label="Syntax" default>
+
+```bash
+--net-restrict=<subnet>[,<subnet>,...]
+```
+
+</TabItem>
+
+<TabItem value="Example" label="Example">
+
+```bash
+--net-restrict=192.168.1.0/24,10.0.0.0/8
+```
+
+</TabItem>
+
+<TabItem value="Environment variable" label="Environment variable">
+
+```bash
+BESU_NET_RESTRICT=192.168.1.0/24,10.0.0.0/8
+```
+
+</TabItem>
+
+<TabItem value="Example configuration file" label="Example configuration file"> 
+
+```bash
+net-restrict=["192.168.1.0/24","10.0.0.0/8"]
+```
+
+</TabItem>
+
+</Tabs>
+
+Comma-separated array of allowed IP subnets. Enables node operators to nominate peers by their IP subnets. Default is null: no subnet-based peer permission restrictions will be applied.
+
 ### `network`
 
 <Tabs>