“rpcallowip=” configuration directive doesn’t accept RFC4193 addresses #32433

issue amg1127 opened this issue on May 7, 2025
  1. amg1127 commented at 7:16 am on May 7, 2025: none

    Is there an existing issue for this?

    • I have searched the existing issues

    Current behaviour

    I have a local dual-stack network using RFC1918 addresses on the IPv4 stack and RFC4193 addresses on the IPv6 stack. I would like to restrict access to the RPC ports of Bitcoin Core nodes running in the network based on the source address of the connections. However, Bitcoin Core 29.0 doesn’t accept rpcallowip= directives that specify addresses under the [fc00::/7] IP block.

    Expected behaviour

    Bitcoin Core should accept addresses under the [fc00::/7] IP block defined via rpcallowip= directives, and perform access control according to the list of network blocks specified via configuration or command line.

    Steps to reproduce

    Run the command line specified below on a CentOS Stream 9 machine connected to the internet.

    $ curl --no-progress-meter -L 'https://bitcoincore.org/bin/bitcoin-core-29.0/bitcoin-29.0-x86_64-linux-gnu.tar.gz' | tar zx && mkdir -p data && ./bitcoin-29.0/bin/bitcoind '-rpcbind=[::]:8332' '-rpcallowip=fc00:db8:c0:ff:ee::/80'
    

    Relevant log output

      [admin@centos9-stream-a ~]$ curl --no-progress-meter -L 'https://bitcoincore.org/bin/bitcoin-core-29.0/bitcoin-29.0-x86_64-linux-gnu.tar.gz' | tar zx && mkdir -p data && ./bitcoin-29.0/bin/bitcoind '-rpcbind=[::]:8332' '-rpcallowip=fc00:db8:c0:ff:ee::/80'
      2025-05-07T07:10:45Z Bitcoin Core version v29.0.0 (release build)
      2025-05-07T07:10:45Z Using the 'sse4(1way),sse41(4way),avx2(8way)' SHA256 implementation
      2025-05-07T07:10:45Z Using RdSeed as an additional entropy source
      2025-05-07T07:10:45Z Using RdRand as an additional entropy source
      2025-05-07T07:10:45Z Default data directory /home/admin/.bitcoin
      2025-05-07T07:10:45Z Using data directory /home/admin/.bitcoin
      2025-05-07T07:10:45Z Config file: /home/admin/.bitcoin/bitcoin.conf (not found, skipping)
      2025-05-07T07:10:45Z Command-line arg: rpcallowip="fc00:db8:c0:ff:ee::/80"
      2025-05-07T07:10:45Z Command-line arg: rpcbind="[::]:8332"
      2025-05-07T07:10:45Z Using at most 125 automatic connections (1024 file descriptors available)
      2025-05-07T07:10:45Z scheduler thread start
      2025-05-07T07:10:45Z [error] Invalid -rpcallowip subnet specification: fc00:db8:c0:ff:ee::/80. Valid are a single IP (e.g. 1.2.3.4), a network/netmask (e.g. 1.2.3.4/255.255.255.0) or a network/CIDR (e.g. 1.2.3.4/24).
      Error: Invalid -rpcallowip subnet specification: fc00:db8:c0:ff:ee::/80. Valid are a single IP (e.g. 1.2.3.4), a network/netmask (e.g. 1.2.3.4/255.255.255.0) or a network/CIDR (e.g. 1.2.3.4/24).
      2025-05-07T07:10:45Z [error] Unable to start HTTP server. See debug log for details.
      Error: Unable to start HTTP server. See debug log for details.
      2025-05-07T07:10:45Z Shutdown: In progress...
      2025-05-07T07:10:45Z scheduler thread exit
      2025-05-07T07:10:45Z Shutdown: done
    

    RFC3849 addresses are accepted:

      [admin@centos9-stream-a ~]$ curl --no-progress-meter -L 'https://bitcoincore.org/bin/bitcoin-core-29.0/bitcoin-29.0-x86_64-linux-gnu.tar.gz' | tar zx && mkdir -p data && ./bitcoin-29.0/bin/bitcoind '-rpcbind=[::]:8332' '-rpcallowip=2001:db8:c0:ff:ee::/80'
      2025-05-07T07:11:56Z Bitcoin Core version v29.0.0 (release build)
      2025-05-07T07:11:56Z Using the 'sse4(1way),sse41(4way),avx2(8way)' SHA256 implementation
      2025-05-07T07:11:56Z Using RdSeed as an additional entropy source
      2025-05-07T07:11:56Z Using RdRand as an additional entropy source
      2025-05-07T07:11:56Z Default data directory /home/admin/.bitcoin
      2025-05-07T07:11:56Z Using data directory /home/admin/.bitcoin
      2025-05-07T07:11:56Z Config file: /home/admin/.bitcoin/bitcoin.conf (not found, skipping)
      2025-05-07T07:11:56Z Command-line arg: rpcallowip="2001:db8:c0:ff:ee::/80"
      2025-05-07T07:11:56Z Command-line arg: rpcbind="[::]:8332"
      2025-05-07T07:11:56Z Using at most 125 automatic connections (1024 file descriptors available)
      2025-05-07T07:11:56Z scheduler thread start
      2025-05-07T07:11:56Z Binding RPC on address :: port 8332
      2025-05-07T07:11:56Z WARNING: the RPC server is not safe to expose to untrusted networks such as the public internet
      2025-05-07T07:11:56Z Generated RPC authentication cookie /home/admin/.bitcoin/.cookie
      2025-05-07T07:11:56Z Permissions used for cookie: rw-------
      2025-05-07T07:11:56Z Using random cookie authentication.
      2025-05-07T07:11:56Z Starting HTTP server with 16 worker threads
      2025-05-07T07:11:56Z Using wallet directory /home/admin/.bitcoin/wallets
      2025-05-07T07:11:56Z init message: Verifying wallet(s)…
      2025-05-07T07:11:56Z Using /16 prefix for IP bucketing
      2025-05-07T07:11:56Z init message: Loading P2P addresses…
      2025-05-07T07:11:56Z Creating peers.dat because the file was not found ("/home/admin/.bitcoin/peers.dat")
      2025-05-07T07:11:56Z init message: Loading banlist…
      2025-05-07T07:11:56Z Recreating the banlist database
      2025-05-07T07:11:56Z SetNetworkActive: true
      2025-05-07T07:11:56Z /home/admin/.bitcoin/fee_estimates.dat is not found. Continue anyway.

      ^C
    

    How did you obtain Bitcoin Core

    Pre-built binaries

    What version of Bitcoin Core are you using?

    Bitcoin Core daemon version v29.0.0

    Operating system and version

    CentOS Stream release 9

    Machine specifications

    QEMU/KVM virtual machine

  2. laanwj added the label P2P on May 7, 2025
  3. pinheadmz commented at 5:40 pm on May 15, 2025: member

    The problem here is that the fc ipv6 prefix identifies the address as CJDNS and then the subnet becomes invalid:

    https://github.com/bitcoin/bitcoin/blob/725c9f7780e0def3d79be151c08a36fe7a9dc59c/src/netaddress.cpp#L924-L930

    I’m not sure if allowing addr.IsCJDNS() here would break anything else.

  4. pinheadmz removed the label P2P on May 15, 2025
  5. pinheadmz added the label RPC/REST/ZMQ on May 15, 2025
  6. pinheadmz added the label Settings on May 15, 2025
  7. amg1127 commented at 8:17 pm on May 15, 2025: none

    Thank you for evaluating my bug report.

    I had never heard of CJDNS before. On the day I was creating this bug report, I initially thought that the root cause of the issue was a problem with the IPv6 address parser, and was surprised when I found that bitcoind accepted an RFC3849 address.

    In my opinion, both the error message and the parameter documentation presented by the bitcoind --help command line should state that CJDNS addresses ([fc00::/8] block) are not accepted by the rpcallowip= directive. Although I couldn’t understand why a node administrator willing to connect their bitcoin node to the CJDNS network should be prevented from adding CJDNS addresses to that directive, I believe that a well-defined reason was identified when support for CJDNS was added to Bitcoin Core. As I overlooked the full list of supported configuration directives, I was initially unaware of CJDNS support.

     2025-05-07T07:10:45Z [error] Invalid -rpcallowip subnet specification: fc00:db8:c0:ff:ee::/80. Valid are a single IP (e.g. 1.2.3.4), a network/netmask (e.g. 1.2.3.4/255.255.255.0) or a network/CIDR (e.g. 1.2.3.4/24).
     Error: Invalid -rpcallowip subnet specification: fc00:db8:c0:ff:ee::/80. Valid are a single IP (e.g. 1.2.3.4), a network/netmask (e.g. 1.2.3.4/255.255.255.0) or a network/CIDR (e.g. 1.2.3.4/24).
     2025-05-07T07:10:45Z [error] Unable to start HTTP server. See debug log for details.
     Error: Unable to start HTTP server. See debug log for details.
    
     [tempuser@centos9-stream-a ~]$ ./bitcoin-29.0/bin/bitcoind --help 2>&1 | grep -A 6 -- -rpcallowip=
       -rpcallowip=<ip>
            Allow JSON-RPC connections from specified source. Valid values for <ip>
            are a single IP (e.g. 1.2.3.4), a network/netmask (e.g.
            1.2.3.4/255.255.255.0), a network/CIDR (e.g. 1.2.3.4/24), all
            ipv4 (0.0.0.0/0), or all ipv6 (::/0). This option can be
            specified multiple times
    

    Addresses under the [fd00::/8] block are accepted by rpcallowip= and, in fact, as per RFC4193 section 3.2, I should have set the L bit to 1 and generated a random address under the [fd00::/8] block for my use. I will reconfigure my LAN to use IPv6 addresses with the L bit set to 1 for now.

      [tempuser@centos9-stream-a ~]$ ./bitcoin-29.0/bin/bitcoind '-rpcbind=[::]:8332' '-rpcallowip=fd00:db8:c0:ff:ee::/80'
      2025-05-15T20:15:00Z Bitcoin Core version v29.0.0 (release build)
      2025-05-15T20:15:00Z Using the 'sse4(1way),sse41(4way),avx2(8way)' SHA256 implementation
      2025-05-15T20:15:00Z Using RdSeed as an additional entropy source
      2025-05-15T20:15:00Z Using RdRand as an additional entropy source
      2025-05-15T20:15:00Z Default data directory /home/tempuser/.bitcoin
      2025-05-15T20:15:00Z Using data directory /home/tempuser/.bitcoin
      2025-05-15T20:15:00Z Config file: /home/tempuser/.bitcoin/bitcoin.conf (not found, skipping)
      2025-05-15T20:15:00Z Command-line arg: rpcallowip="fd00:db8:c0:ff:ee::/80"
      2025-05-15T20:15:00Z Command-line arg: rpcbind="[::]:8332"
      2025-05-15T20:15:00Z Using at most 125 automatic connections (1024 file descriptors available)
      2025-05-15T20:15:00Z scheduler thread start
      2025-05-15T20:15:00Z Binding RPC on address :: port 8332
      2025-05-15T20:15:00Z WARNING: the RPC server is not safe to expose to untrusted networks such as the public internet
      2025-05-15T20:15:00Z Generated RPC authentication cookie /home/tempuser/.bitcoin/.cookie
      2025-05-15T20:15:00Z Permissions used for cookie: rw-------
      2025-05-15T20:15:00Z Using random cookie authentication.
      2025-05-15T20:15:00Z Starting HTTP server with 16 worker threads
      2025-05-15T20:15:00Z Using wallet directory /home/tempuser/.bitcoin/wallets
      2025-05-15T20:15:00Z init message: Verifying wallet(s)…
      2025-05-15T20:15:00Z Using /16 prefix for IP bucketing
      2025-05-15T20:15:00Z init message: Loading P2P addresses…
      2025-05-15T20:15:00Z Loaded 222 addresses from peers.dat  1ms
      2025-05-15T20:15:00Z init message: Loading banlist…
      2025-05-15T20:15:00Z SetNetworkActive: true
    
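    Editor's added example (not code from the thread, from Bitcoin Core, or from either commenter): pinheadmz's comment above explains that the fc00::/8 first byte makes IsCJDNS() fire, and amg1127's follow-up notes that RFC4193 asks for the L bit to be set, which lands a site in fd00::/8 instead. The Python below makes both points concrete: it splits RFC4193's fc00::/7 by the L bit, models the v29.0 -rpcallowip rejection as "base address in fc00::/8 is refused" (an assumption drawn from the comment, not a port of netaddress.cpp), and generates an RFC4193 section 3.2.2 prefix with L=1 so the result is accepted. The EUI-64 value and the sample subnets are constructed or taken from the thread.

```python
"""RFC 4193 ULA vs. the fc00::/8 CJDNS overlap behind bitcoin/bitcoin#32433.

Added example. The -rpcallowip model below (reject a subnet whose base
address starts with byte 0xfc, which Core's IsCJDNS() treats as CJDNS) is
an assumption taken from the discussion, not Bitcoin Core code.
"""
import hashlib
import ipaddress
import time
from typing import List, Optional

ULA = ipaddress.IPv6Network("fc00::/7")      # RFC 4193 unique local addresses
ULA_L0 = ipaddress.IPv6Network("fc00::/8")   # L=0: undefined by RFC 4193; overlaps CJDNS
ULA_L1 = ipaddress.IPv6Network("fd00::/8")   # L=1: locally assigned; what a LAN should use


def ula_l_bit(addr: str) -> Optional[int]:
    """RFC 4193 L bit (the 8th bit of the address) for a ULA, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in ULA:
        return None
    return ip.packed[0] & 0x01


def classify(addr: str) -> str:
    """Name the block an address falls in, distinguishing the two ULA halves."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "ipv4"
    l_bit = ula_l_bit(addr)
    if l_bit == 0:
        return "ula-L0 (fc00::/8, collides with CJDNS)"
    if l_bit == 1:
        return "ula-L1 (fd00::/8)"
    return "ipv6"


def rpcallowip_accepted(spec: str) -> bool:
    """Model of the v29.0 behaviour described in the thread (assumption):
    accept a single IP, net/netmask or net/CIDR, then refuse any IPv6 subnet
    whose base address would be flagged as CJDNS (first byte 0xfc)."""
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False
    return not (net.version == 6 and net.network_address in ULA_L0)


def rejected_specs(specs: List[str]) -> List[str]:
    """Which entries of an -rpcallowip list the modelled check would refuse."""
    return [s for s in specs if not rpcallowip_accepted(s)]


def generate_ula_prefix(eui64: bytes, ntp_time: Optional[bytes] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1(64-bit NTP time || EUI-64), keep the low
    40 bits as the Global ID, prefix with 0xfd (fc00::/7 with L=1) -> a /48.
    ntp_time may be pinned to make the output reproducible."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 identifier must be 8 bytes")
    if ntp_time is None:
        now = time.time()
        secs = int(now) + 2208988800            # Unix epoch -> NTP epoch (1900)
        frac = int((now % 1) * (1 << 32))
        ntp_time = secs.to_bytes(4, "big") + frac.to_bytes(4, "big")
    global_id = hashlib.sha1(ntp_time + eui64).digest()[-5:]
    prefix = bytes([0xFD]) + global_id + bytes(10)
    return ipaddress.IPv6Network((int.from_bytes(prefix, "big"), 48))


if __name__ == "__main__":
    thread_specs = [
        "fc00:db8:c0:ff:ee::/80",   # rejected in the issue report
        "2001:db8:c0:ff:ee::/80",   # RFC 3849 documentation prefix, accepted
        "fd00:db8:c0:ff:ee::/80",   # L=1 ULA, accepted
        "1.2.3.4/255.255.255.0",
        "::/0",
    ]
    for s in thread_specs:
        print(f"{s:26} {classify(s.split('/')[0]):42} accepted={rpcallowip_accepted(s)}")
    # Constructed EUI-64 for demonstration only.
    print("fresh RFC 4193 /48:", generate_ula_prefix(bytes.fromhex("0211223344556677")))
```

    Running it shows the reporter's fc00:db8:c0:ff:ee::/80 refused, the fd00:... and 2001:db8:... subnets accepted, and a freshly generated fd.../48 that the same check accepts; the RFC4193 generator is the part to reuse when renumbering a LAN off the fc00::/8 half.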
  8. pinheadmz commented at 5:14 pm on May 16, 2025: member
    Looking at this a bit closer, I see that this shouldn’t be an issue unless you also have -cjdnsreachable set. It is currently an issue because we process rpcallowip before we even check for cjdnsreachable… I’m going to write a patch and open a PR shortly.
  9. pinheadmz commented at 8:00 pm on May 16, 2025: member

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-05-25 21:12 UTC