`--netrestrict` feature to enable IP filtering for Besu nodes used in key infrastructure

[non-fungible-nelson]

Description

As an infrastructure provider, I want to be able to restrict my node to certain IP networks so that I can prevent and filter unwanted peering. I also want parity with Geth nodes with this option to better take advantage of existing configs and tooling.

Besu should enable restriction to peer-to-peer connectivity on an IP subnet. Doing so will further isolate the network and prevents cross-connecting with other blockchain networks in case the nodes are reachable from the Internet.

Acceptance Criteria

• --netrestrict option exposed taking a string representing IP value
• No external peering or connection to the internet is enabled
• If this option is set to a non-nil value, only hosts which match one of the IP networks contained in the list are considered.

Reference code

Geth Codebase

[FlorianHuc]

Here is an example of how we configure geth:

netrestrict: "10.80.0.0/16"

[pinges]

I've had a quick look at this.
I assume that we want to support a list of comma separated CIDR strings (same as geth).
In geth netrestrict is used for discovery and p2p, I assume we want to do the same.
To implement this we need to create a new CLI option, parse the CIDR string (geth ignores additional commas and whitspace), and need to check whether the IP addresses are in the range.

[FlorianHuc]

Thanks for the analysis. If we can have a feature following geth's specs, I indeed believe it's the best.

[pinges]

For p2p we are using Netty. We can use a String to create an instance of the IpSubnetFilterRule class in Netty, which can be used in a ChannelInitializer, which can be used as a childHandler in the ServerBootstrap.
For discovery we are using vertx DatagramSocket. Not sure how to use vertx to do the filtering for us, but we could do the filtering manually as well.

[non-fungible-nelson]

Is this blocked due to our internal resourcing needs or another reason?