net: respect -onlynet= when making outbound connections

Do not make outbound connections to hosts which belong to a network which is restricted by `-onlynet`. This applies to hosts that are automatically chosen to connect to and to anchors. This does not apply to hosts given to `-connect`, `-addnode`, `addnode` RPC, dns seeds, `-seednodes`. Fixes https://github.com/bitcoin/bitcoin/issues/13378 Fixes https://github.com/bitcoin/bitcoin/issues/22647 Supersedes https://github.com/bitcoin/bitcoin/pull/22651
2025-11-12 06:58:57 +01:00 · 2021-08-30 14:33:29 +02:00
parent 9394964f6b
commit e53a8505db
6 changed files with 45 additions and 25 deletions
--- a/src/torcontrol.cpp
+++ b/src/torcontrol.cpp
@@ -380,7 +380,22 @@ void TorController::auth_cb(TorControlConnection& _conn, const TorControlReply&
            CService resolved(LookupNumeric("127.0.0.1", 9050));
            proxyType addrOnion = proxyType(resolved, true);
            SetProxy(NET_ONION, addrOnion);
-            SetReachable(NET_ONION, true);
+
+            const auto onlynets = gArgs.GetArgs("-onlynet");
+
+            const bool onion_allowed_by_onlynet{
+                !gArgs.IsArgSet("-onlynet") ||
+                std::any_of(onlynets.begin(), onlynets.end(), [](const auto& n) {
+                    return ParseNetwork(n) == NET_ONION;
+                })};
+
+            if (onion_allowed_by_onlynet) {
+                // If NET_ONION is reachable, then the below is a noop.
+                //
+                // If NET_ONION is not reachable, then none of -proxy or -onion was given.
+                // Since we are here, then -torcontrol and -torpassword were given.
+                SetReachable(NET_ONION, true);
+            }
        }

        // Finally - now create the service