Allow allowlisted peers to bypass gater blocks

tac0turtle · tac0turtle · commit 7e1b3041c26f · 2026-02-03T15:03:32.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Decrease MaxBytesSize to `5MB` to increase compatibility with public nodes. ([#3030](https://github.com/evstack/ev-node/pull/3030))
 - Proper counting of `DASubmitterPendingBlobs` metrics. [#3038](https://github.com/evstack/ev-node/pull/3038)
 - Replace `go-header` store by `ev-node` store. This avoid duplication of all blocks in `go-header` and `ev-node` store. Thanks to the cached store from #3030, this should improve p2p performance as well.
+- Allow explicitly configured peers to bypass libp2p gater blocks caused by go-header peer scoring.
 
 ## v1.0.0-rc.1
 
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -275,7 +275,7 @@ type P2PConfig struct {
 	ListenAddress string `mapstructure:"listen_address" yaml:"listen_address" comment:"Address to listen for incoming connections (host:port)"`
 	Peers         string `mapstructure:"peers" yaml:"peers" comment:"Comma-separated list of peers to connect to"`
 	BlockedPeers  string `mapstructure:"blocked_peers" yaml:"blocked_peers" comment:"Comma-separated list of peer IDs to block from connecting"`
-	AllowedPeers  string `mapstructure:"allowed_peers" yaml:"allowed_peers" comment:"Comma-separated list of peer IDs to allow connections from"`
+	AllowedPeers  string `mapstructure:"allowed_peers" yaml:"allowed_peers" comment:"Comma-separated list of peer multiaddrs to always allow (overrides peer ID blocks)"`
 }
 
 // SignerConfig contains all signer configuration parameters
diff --git a/pkg/p2p/allowlist_gater.go b/pkg/p2p/allowlist_gater.go
@@ -0,0 +1,53 @@
+package p2p
+
+import (
+	"github.com/libp2p/go-libp2p/core/control"
+	"github.com/libp2p/go-libp2p/core/network"
+	"github.com/libp2p/go-libp2p/core/peer"
+	"github.com/libp2p/go-libp2p/p2p/net/conngater"
+	ma "github.com/multiformats/go-multiaddr"
+)
+
+// allowlistGater wraps a BasicConnectionGater and permits specific peers even if blocked.
+type allowlistGater struct {
+	allowlist map[peer.ID]struct{}
+	base      *conngater.BasicConnectionGater
+}
+
+func newAllowlistGater(base *conngater.BasicConnectionGater, allowlist map[peer.ID]struct{}) *allowlistGater {
+	return &allowlistGater{
+		allowlist: allowlist,
+		base:      base,
+	}
+}
+
+func (g *allowlistGater) isAllowed(id peer.ID) bool {
+	_, ok := g.allowlist[id]
+	return ok
+}
+
+func (g *allowlistGater) InterceptPeerDial(p peer.ID) (allow bool) {
+	if g.isAllowed(p) {
+		return true
+	}
+	return g.base.InterceptPeerDial(p)
+}
+
+func (g *allowlistGater) InterceptAddrDial(p peer.ID, a ma.Multiaddr) (allow bool) {
+	return g.base.InterceptAddrDial(p, a)
+}
+
+func (g *allowlistGater) InterceptAccept(cma network.ConnMultiaddrs) (allow bool) {
+	return g.base.InterceptAccept(cma)
+}
+
+func (g *allowlistGater) InterceptSecured(dir network.Direction, p peer.ID, cma network.ConnMultiaddrs) (allow bool) {
+	if g.isAllowed(p) {
+		return true
+	}
+	return g.base.InterceptSecured(dir, p, cma)
+}
+
+func (g *allowlistGater) InterceptUpgraded(conn network.Conn) (allow bool, reason control.DisconnectReason) {
+	return g.base.InterceptUpgraded(conn)
+}
diff --git a/pkg/p2p/allowlist_gater_test.go b/pkg/p2p/allowlist_gater_test.go
@@ -0,0 +1,32 @@
+package p2p
+
+import (
+	"testing"
+
+	"github.com/ipfs/go-datastore"
+	dssync "github.com/ipfs/go-datastore/sync"
+	"github.com/libp2p/go-libp2p/core/network"
+	"github.com/libp2p/go-libp2p/core/peer"
+	"github.com/libp2p/go-libp2p/p2p/net/conngater"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAllowlistGaterOverridesPeerBlock(t *testing.T) {
+	ds := dssync.MutexWrap(datastore.NewMapDatastore())
+	base, err := conngater.NewBasicConnectionGater(ds)
+	require.NoError(t, err)
+
+	allowedID, err := peer.Decode("12D3KooWBY6qMG2KAcDdgH7ED2Pg4UzhuwnSy8CSZdCKDG911iyP")
+	require.NoError(t, err)
+	blockedID, err := peer.Decode("12D3KooWM1NFkZozoatQi3JvFE57eBaX56mNgBA68Lk5MTPxBE4U")
+	require.NoError(t, err)
+
+	require.NoError(t, base.BlockPeer(allowedID))
+	require.NoError(t, base.BlockPeer(blockedID))
+
+	gater := newAllowlistGater(base, map[peer.ID]struct{}{allowedID: {}})
+	require.True(t, gater.InterceptPeerDial(allowedID))
+	require.False(t, gater.InterceptPeerDial(blockedID))
+	require.True(t, gater.InterceptSecured(network.DirInbound, allowedID, nil))
+	require.False(t, gater.InterceptSecured(network.DirInbound, blockedID, nil))
+}
diff --git a/pkg/p2p/client.go b/pkg/p2p/client.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/ipfs/go-datastore"
 	libp2p "github.com/libp2p/go-libp2p"
+	"github.com/libp2p/go-libp2p/core/connmgr"
 	dht "github.com/libp2p/go-libp2p-kad-dht"
 	pubsub "github.com/libp2p/go-libp2p-pubsub"
 	"github.com/libp2p/go-libp2p/core/crypto"
@@ -53,6 +54,8 @@ type Client struct {
 	dht   *dht.IpfsDHT
 	disc  *discovery.RoutingDiscovery
 	gater *conngater.BasicConnectionGater
+	// hostGater controls libp2p connection gating for the host.
+	hostGater connmgr.ConnectionGater
 	ps    *pubsub.PubSub
 
 	metrics *Metrics
@@ -127,6 +130,7 @@ func (c *Client) Start(ctx context.Context) error {
 		return c.startWithHost(ctx, c.host)
 	}
 
+	c.configureHostGater()
 	h, err := c.listen()
 	if err != nil {
 		return err
@@ -245,7 +249,15 @@ func (c *Client) listen() (host.Host, error) {
 		return nil, err
 	}
 
-	return libp2p.New(libp2p.ListenAddrs(maddr), libp2p.Identity(c.privKey), libp2p.ConnectionGater(c.gater))
+	hostGater := c.hostGater
+	if hostGater == nil {
+		hostGater = c.gater
+	}
+	return libp2p.New(
+		libp2p.ListenAddrs(maddr),
+		libp2p.Identity(c.privKey),
+		libp2p.ConnectionGater(hostGater),
+	)
 }
 
 func (c *Client) setupDHT(ctx context.Context) error {
@@ -384,6 +396,28 @@ func (c *Client) parseAddrInfoList(addrInfoStr string) []peer.AddrInfo {
 	return addrs
 }
 
+func (c *Client) configureHostGater() {
+	allowed := c.allowedPeerIDs()
+	if len(allowed) == 0 {
+		c.hostGater = c.gater
+		return
+	}
+	c.hostGater = newAllowlistGater(c.gater, allowed)
+}
+
+func (c *Client) allowedPeerIDs() map[peer.ID]struct{} {
+	allowedAddrs := c.parseAddrInfoList(c.conf.AllowedPeers)
+	if len(allowedAddrs) == 0 {
+		return nil
+	}
+
+	allowed := make(map[peer.ID]struct{}, len(allowedAddrs))
+	for _, addr := range allowedAddrs {
+		allowed[addr.ID] = struct{}{}
+	}
+	return allowed
+}
+
 // getNamespace returns unique string identifying ORU network.
 //
 // It is used to advertise/find peers in libp2p DHT.

Original file line number	Diff line number	Diff line change
`@@ -275,7 +275,7 @@ type P2PConfig struct {`
`275`	`275`	ListenAddress string `mapstructure:"listen_address" yaml:"listen_address" comment:"Address to listen for incoming connections (host:port)"`
`276`	`276`	Peers string `mapstructure:"peers" yaml:"peers" comment:"Comma-separated list of peers to connect to"`
`277`	`277`	BlockedPeers string `mapstructure:"blocked_peers" yaml:"blocked_peers" comment:"Comma-separated list of peer IDs to block from connecting"`
`278`		- AllowedPeers string `mapstructure:"allowed_peers" yaml:"allowed_peers" comment:"Comma-separated list of peer IDs to allow connections from"`
	`278`	+ AllowedPeers string `mapstructure:"allowed_peers" yaml:"allowed_peers" comment:"Comma-separated list of peer multiaddrs to always allow (overrides peer ID blocks)"`
`279`	`279`	`}`
`280`	`280`
`281`	`281`	`// SignerConfig contains all signer configuration parameters`