(XXX TEST) Optionally reject HTLC forwards over priv chans with a new config

TheBlueMatt · TheBlueMatt · commit c41c287e10b8 · 2021-06-26T14:24:16.000Z
Private nodes should never wish to forward HTLCs at all, which we support here by disabling forwards out over private channels by default. As private nodes should not have any public channels, this suffices, without allowing users to disable forwarding over channels announced in the routing graph already. Closes lightningdevkit#969
diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
@@ -1519,15 +1519,23 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 			// short_channel_id is non-0 in any ::Forward.
 			if let &PendingHTLCRouting::Forward { ref short_channel_id, .. } = routing {
 				let id_option = channel_state.as_ref().unwrap().short_to_id.get(&short_channel_id).cloned();
-				let forwarding_id = match id_option {
-					None => { // unknown_next_peer
-						return_err!("Don't have available channel for forwarding as requested.", 0x4000 | 10, &[0;0]);
-					},
-					Some(id) => id.clone(),
-				};
 				if let Some((err, code, chan_update)) = loop {
+					let forwarding_id = match id_option {
+						None => { // unknown_next_peer
+							break Some(("Don't have available channel for forwarding as requested.", 0x4000 | 10, None));
+						},
+						Some(id) => id.clone(),
+					};
+
 					let chan = channel_state.as_mut().unwrap().by_id.get_mut(&forwarding_id).unwrap();
 
+					if !chan.should_announce() && !self.default_configuration.accept_forwards_to_priv_channels {
+						// Note that the behavior here should be identical to the above block - we
+						// should NOT reveal the existence or non-existence of a private channel if
+						// we don't allow forwards outbound over them.
+						break Some(("Don't have available channel for forwarding as requested.", 0x4000 | 10, None));
+					}
+
 					// Note that we could technically not return an error yet here and just hope
 					// that the connection is reestablished or monitor updated by the time we get
 					// around to doing the actual forward, but better to fail early if we can and
diff --git a/lightning/src/util/config.rs b/lightning/src/util/config.rs
@@ -105,11 +105,14 @@ pub struct ChannelHandshakeLimits {
 	///
 	/// Default value: 144, or roughly one day and only applies to outbound channels.
 	pub max_minimum_depth: u32,
-	/// Set to force the incoming channel to match our announced channel preference in
-	/// ChannelConfig.
+	/// Set to force an incoming channel to match our announced channel preference in
+	/// [`ChannelConfig::announced_channel`].
 	///
-	/// Default value: true, to make the default that no announced channels are possible (which is
-	/// appropriate for any nodes which are not online very reliably).
+	/// For a node which is not online reliably, this should be set to true and
+	/// [`ChannelConfig::announced_channel`] set to false, ensuring that no announced (aka public)
+	/// channels will ever be opened.
+	///
+	/// Default value: true.
 	pub force_announced_channel_preference: bool,
 	/// Set to the amount of time we're willing to wait to claim money back to us.
 	///
@@ -179,7 +182,7 @@ pub struct ChannelConfig {
 	/// This should only be set to true for nodes which expect to be online reliably.
 	///
 	/// As the node which funds a channel picks this value this will only apply for new outbound
-	/// channels unless ChannelHandshakeLimits::force_announced_channel_preferences is set.
+	/// channels unless [`ChannelHandshakeLimits::force_announced_channel_preference`] is set.
 	///
 	/// This cannot be changed after the initial channel handshake.
 	///
@@ -233,6 +236,23 @@ pub struct UserConfig {
 	pub peer_channel_config_limits: ChannelHandshakeLimits,
 	/// Channel config which affects behavior during channel lifetime.
 	pub channel_options: ChannelConfig,
+	/// If a channel is not set to be publicly announced, we reject HTLCs which were set to be
+	/// forwarded over the channel if this is set to false. This prevents use from taking on
+	/// HTLC-forwarding risk when we intend to run as a node which is not online reliably.
+	///
+	/// For nodes which are not online reliably, you should set all channels to *not* be announced
+	/// (using [`ChannelConfig::announced_channel`] and
+	/// [`ChannelHandshakeLimits::force_announced_channel_preference`]) and set this to false to
+	/// ensure you are not exposed to any forwarding risk.
+	///
+	/// Note that because you cannot change a channel's announced state after creation, there is no
+	/// way to disable forwarding on public channels retroactively. Thus, in order to change a node
+	/// from a publicly-announced forwarding node to a private non-forwarding node you must close
+	/// all your channels and open new ones. For privacy, you should also change your node_id
+	/// (swapping all private and public key material for new ones) at that time.
+	///
+	/// Default value: false.
+	pub accept_forwards_to_priv_channels: bool,
 }
 
 impl Default for UserConfig {
@@ -241,6 +261,7 @@ impl Default for UserConfig {
 			own_channel_config: ChannelHandshakeConfig::default(),
 			peer_channel_config_limits: ChannelHandshakeLimits::default(),
 			channel_options: ChannelConfig::default(),
+			accept_forwards_to_priv_channels: false,
 		}
 	}
 }
