ipfs swarm filters seems blacklist-only

[nonchip]

there should really be a whitelist (maybe followed by a blacklist, or some sort of rule priority system), because it's virtually impossible to do any local area swarms using the current implementation.

[jbenet]

@nonchip yeah, the original design called for filters to be applied in the typical ordering kind of way.

ALLOW <filter>
DENY <filter>
ALLOW <filter>
ALLOW <filter>
DENY <filter>

@whyrusleeping people do want this. let's move to this?

[nonchip]

@jbenet like iptables does it? sounds good. and relatively easy to implement. just add the allow/deny bool in the list of filters, and return that bool as soon as a filter matches. I'm pretty bad in golang, but pseudocode would be:

struct filter={IpNet mask, bool policy}
list filters=[struct filter]
foreach filters as filter
  if filter.mask matches address
    return filter.policy
return true // fallback for no (or no matching) filters

so e.g. a pure whitelist would be:

ALLOW ip
ALLOW ip
...
DENY ::
DENY 0.0.0.0

(denying everything at the end and causing the return true fallback to be never reached)

[jbenet]

Yep that's right.

What would make it easier for people to contribute to things like this?
Have noticed a larger than usual ratio of issues to PRs on go-ipfs. Is the
code base too daunting?
On Tue, Nov 17, 2015 at 23:39 Kyra Zimmer [email protected] wrote:

@jbenet https://github.com/jbenet like iptables does it? sounds good.
and relatively easy to implement. just add the allow/deny bool in the list
of filters, and return that bool as soon as a filter matches. I'm pretty
bad in golang, but pseudocode would be:

foreach filters as filter
if filter.mask matches address
return filter.policy
return true // fallback for no (or no matching) filters

so e.g. a pure whitelist would be:

ALLOW ip
ALLOW ip
...
DENY ::
DENY 0.0.0.0

(denying everything at the end and causing the return true fallback to be
never reached)

—
Reply to this email directly or view it on GitHub
#1972 (comment).

[slothbag]

In my desperation to cut down on bandwidth usage (see #2489) I have started blacklisting (swarm filters) ipfs nodes which seem to send/recv more than the average with my node.

A whitelist would probably be better, that way I can block everyone except for a handful of trusted nodes.

[flyingzumwalt]

Please implement this. It's really important for gateways to be able to whitelist content.

Examples:

• I want to mirror wikipedia, but I'm not interested in being a general ipfs gateway for everyone's content
• I'm a university library that wants to be an ipfs gateway for any ipfs content that's in our collection but we explicitly don't want to serve anything else

In both cases, a blacklist doesn't cut it. You want to whitelist a small amount of hashes and decline all other requests.

Will libp2p/go-maddr-filter#1 cover this for us?

[Kubuxu]

@flyingzumwalt this is not content filter but connection filter.

[makew0rld]

Any movement on this? It would be very useful.

[Stebalien]

Not yet. This would require some support in libp2p that we don't currently have. See: libp2p/go-libp2p-net#25 (comment).