-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sync observed addresses with port mapping configs #411
Conversation
Many NAT devices have asymmetric port mappings, we need to explicitly configure in-bound mappings even if out-bound connections have been established. this patch - add observed port mappings not configured - removes port mappings not observed
I'm pretty sure this isn't the right fix, observed addresses and explicit port mappings are pretty orthogonal features. Really, the observed address feature is a fallback for when port mappings don't work correctly. Basically, even when a router doesn't support explicit port mapping, it may predictably map internal ports to external ports and may (sometimes) allow new inbound connections through this mapping. Really, this almost never works but it's better than nothing. Instead of adding/removing mappings, we should probably just stop advertising "observed" addresses when we notice that port mapping is working. Additionally, we can't rely on a lack of connections to determine that the address is unreachable. For example, we support multiple transports but some of these may be rarely used. If we just say "port x isn't being used, stop advertising it", we may stop advertising a useful port. However, there are a few things we can do to improve this situation:
Sound reasonable or am I missing something? |
My patch could be a shortest path, but not necessarily a graceful path, as currently I don't know the intentions behind many features. Your logic is smooth, if I understand correctly, we need
There're some details I'd like to make sure, though.
|
|
@vyzo It seems |
It stands for "NAT auto detection". |
I don't think that's necessary (but I may be wrong). It would be sufficient to modify
Exactly this. My point is that this doesn't even require allowing users to explicitly choose their port mappings. On the other hand, we may want to support that anyways.
No. As you noted (#411 (comment)), it's just like our current observed address feature. However, the goal is to make it significantly more reliable by explicitly testing which observed addresses work and which ones don't.
As @vyzo says, we'd like to but that's a ways out. Really, the first step for better NAT traversal is getting relays working automatically. See: ipfs/kubo#4213
I'd start with the go-nat change we've talked about (trying to use our internal port first, before falling back on random ports). FYI, I've now forked it to https://github.com/libp2p/go-nat. That is, fix #415. Once that's fixed, I'd go after #416. That won't directly fix anything but will be a step in the right direction. @vyzo thoughts? NAT stuff is really your territory. And thanks for jumping in on this, @cannium. Reliable NAT traversal is one of the key features that's limiting the usefulness of libp2p. |
My instinct was to separate mechanism(port mapping) and policy(external port assignment) to maintain a relatively stable dependency package. But as the requirements hold, future changes might be very rare, so I'm fine with it. I'll make a pull request to #415 soon. |
I think we should integrate autonat asap, it's key to getting relay advertisement to work effectively. One difficulty integrating is that the current autonat implementation depends on libp2p itself as it needs to construct a host to do the dialbacks, but perhaps we should build it in libp2p instead. In terms of approach for fixing our port mapping, adding some smarts to go-nat so that it tries to map the same port and then fallbacks to random ports is a good idea. |
For hole punching, what I would like to see long-term is a UDP-based transport that integrates signalling through a third party to punch holes. |
I just ran into a weird issue that appears to be related to this. Running 'ipfs id' looks like every containerd subnet gateway that was already running on the local machine appears to be listening on 4001. |
Unless I'm forgetting something, this PR has been superseded. @MikePadge, please file a new issue with more details so we can figure out what's going on. |
The situation is found and described in ipfs/kubo#5411. The 4001 port on external IP address is mapped automatically when IPFS node try to
connect
to another node, so is observed by peers. But in-bound connections cannot use this port to connect. Turns out many NAT devices have asymmetric port mappings, we need to explicitly configure in-bound mappings even if out-bound connections have been established.This patch
depends on libp2p/go-libp2p-nat#8