bitcoin/test/functional
Ryan Ofsky 796f18e559 Merge bitcoin/bitcoin#29415: Broadcast own transactions only via short-lived Tor or I2P connections
8937221304 doc: add release notes for 29415 (Vasil Dimov)
582016fa5f test: add unit test for the private broadcast storage (Vasil Dimov)
e74d54e048 test: add functional test for private broadcast (Vasil Dimov)
818b780a05 rpc: use private broadcast from sendrawtransaction RPC if -privatebroadcast is ON (Vasil Dimov)
eab595f9cf net_processing: retry private broadcast (Vasil Dimov)
37b79f9c39 net_processing: stop private broadcast of a transaction after round-trip (Vasil Dimov)
2de53eee74 net_processing: handle ConnectionType::PRIVATE_BROADCAST connections (Vasil Dimov)
30a9853ad3 net_processing: move a debug check in VERACK processing earlier (Vasil Dimov)
d1092e5d48 net_processing: modernize PushNodeVersion() (Vasil Dimov)
9937a12a2f net_processing: move the debug log about receiving VERSION earlier (Vasil Dimov)
a098f37b9e net_processing: reorder the code that handles the VERSION message (Vasil Dimov)
679ce3a0b8 net_processing: store transactions for private broadcast in PeerManager (Vasil Dimov)
a3faa6f944 node: extend node::TxBroadcast with a 3rd option (Vasil Dimov)
95c051e210 net_processing: rename RelayTransaction() to better describe what it does (Vasil Dimov)
bb49d26032 net: implement opening PRIVATE_BROADCAST connections (Vasil Dimov)
01dad4efe2 net: introduce a new connection type for private broadcast (Vasil Dimov)
94aaa5d31b init: introduce a new option to enable/disable private broadcast (Vasil Dimov)
d6ee490e0a log: introduce a new category for private broadcast (Vasil Dimov)

Pull request description:

  _Parts of this PR are isolated in independent smaller PRs to ease review:_

  * [x] _https://github.com/bitcoin/bitcoin/pull/29420_
  * [x] _https://github.com/bitcoin/bitcoin/pull/33454_
  * [x] _https://github.com/bitcoin/bitcoin/pull/33567_
  * [x] _https://github.com/bitcoin/bitcoin/pull/33793_

  ---

  To improve privacy, broadcast locally submitted transactions (from the `sendrawtransaction` RPC) to the P2P network only via Tor or I2P short-lived connections, or to IPv4/IPv6 peers but through the Tor network.

  * Introduce a new connection type for private broadcast of transactions with the following properties:
    * started whenever there are local transactions to be sent
    * opened to Tor or I2P peers or IPv4/IPv6 via the Tor proxy
    * opened regardless of max connections limits
    * after handshake is completed one local transaction is pushed to the peer, `PING` is sent and after receiving `PONG` the connection is closed
    * ignore all incoming messages after handshake is completed (except `PONG`)

  * Broadcast transactions submitted via `sendrawtransaction` using this new mechanism, to a few peers. Keep doing this until we receive back this transaction from one of our ordinary peers (this takes about 1 second on mainnet).

  * The transaction is stored in peerman and does not enter the mempool.

  * Once we get an `INV` from one of our ordinary peers, then the normal flow executes: we request the transaction with `GETDATA`, receive it with a `TX` message, put it in our mempool and broadcast it to all our existent connections (as if we see it for the first time).

  * After we receive the full transaction as a `TX` message, in reply to our `GETDATA` request, only then consider the transaction has propagated through the network and remove it from the storage in peerman, ending the private broadcast attempts.

  The messages exchange should look like this:

  ```
  tx-sender >--- connect -------> tx-recipient
  tx-sender >--- VERSION -------> tx-recipient (dummy VERSION with no revealing data)
  tx-sender <--- VERSION -------< tx-recipient
  tx-sender <--- WTXIDRELAY ----< tx-recipient (maybe)
  tx-sender <--- SENDADDRV2 ----< tx-recipient (maybe)
  tx-sender <--- SENDTXRCNCL ---< tx-recipient (maybe)
  tx-sender <--- VERACK --------< tx-recipient
  tx-sender >--- VERACK --------> tx-recipient
  tx-sender >--- INV/TX --------> tx-recipient
  tx-sender <--- GETDATA/TX ----< tx-recipient
  tx-sender >--- TX ------------> tx-recipient
  tx-sender >--- PING ----------> tx-recipient
  tx-sender <--- PONG ----------< tx-recipient
  tx-sender disconnects
  ```

  Whenever a new transaction is received from `sendrawtransaction` RPC, the node will send it to a few (`NUM_PRIVATE_BROADCAST_PER_TX`) recipients right away. If after some time we still have not heard anything about the transaction from the network, then it will be sent to 1 more peer (see `PeerManagerImpl::ReattemptPrivateBroadcast()`).

  A few considerations:
  * The short-lived private broadcast connections are very cheap and fast wrt network traffic. It is expected that some of those peers could blackhole the transaction. Just one honest/proper peer is enough for successful propagation.
  * The peers that receive the transaction could deduce that this is the initial transaction broadcast from the transaction originator. This is ok, they can't identify the sender.

  ---

  <details>
  <summary>How to test this?</summary>

  Thank you, @stratospher and @andrewtoth!

  Start `bitcoind` with `-privatebroadcast=1 -debug=privatebroadcast`.

  Create a wallet and get a new address, go to the Signet faucet and request some coins to that address:
  ```bash
  build/bin/bitcoin-cli -chain="signet" createwallet test
  build/bin/bitcoin-cli -chain="signet" getnewaddress
  ```

  Get a new address for the test transaction recipient:
  ```bash
  build/bin/bitcoin-cli -chain="signet" loadwallet test
  new_address=$(build/bin/bitcoin-cli -chain="signet" getnewaddress)
  ```

  Create the transaction:
  ```bash
  # Option 1: `createrawtransaction` and `signrawtransactionwithwallet`:

  txid=$(build/bin/bitcoin-cli -chain="signet" listunspent | jq -r '.[0] | .txid')
  vout=$(build/bin/bitcoin-cli -chain="signet" listunspent | jq -r '.[0] | .vout')
  echo "txid: $txid"
  echo "vout: $vout"

  tx=$(build/bin/bitcoin-cli -chain="signet" createrawtransaction "[{\"txid\": \"$txid\", \"vout\": $vout}]" "[{\"$new_address\": 0.00001000}]" 0 false)
  echo "tx: $tx"

  signed_tx=$(build/bin/bitcoin-cli -chain="signet" signrawtransactionwithwallet "$tx" | jq -r '.hex')
  echo "signed_tx: $signed_tx"

  # OR Option 2: `walletcreatefundedpsbt` and `walletprocesspsbt`:
  # This makes it not have to worry about inputs and also automatically sends back change to the wallet.
  # Start `bitcoind` with `-fallbackfee=0.00003000` for instance for 3 sat/vbyte fee.

  psbt=$(build/bin/bitcoin-cli -chain="signet" walletcreatefundedpsbt "[]" "[{\"$new_address\": 0.00001000}]" | jq -r '.psbt')
  echo "psbt: $psbt"

  signed_tx=$(build/bin/bitcoin-cli -chain="signet" walletprocesspsbt "$psbt" | jq -r '.hex')
  echo "signed_tx: $signed_tx"
  ```

  Finally, send the transaction:
  ```bash
  raw_tx=$(build/bin/bitcoin-cli -chain="signet" sendrawtransaction "$signed_tx")
  echo "raw_tx: $raw_tx"
  ```

  </details>

  ---

  <details>
  <summary>High-level explanation of the commits</summary>

  * New logging category and config option to enable private broadcast
    * `log: introduce a new category for private broadcast`
    * `init: introduce a new option to enable/disable private broadcast`

  * Implement the private broadcast connection handling on the `CConnman` side:
    * `net: introduce a new connection type for private broadcast`
    * `net: implement opening PRIVATE_BROADCAST connections`

  * Prepare `BroadcastTransaction()` for private broadcast requests:
    * `net_processing: rename RelayTransaction to better describe what it does`
    * `node: extend node::TxBroadcast with a 3rd option`
    * `net_processing: store transactions for private broadcast in PeerManager`

  * Implement the private broadcast connection handling on the `PeerManager` side:
    * `net_processing: reorder the code that handles the VERSION message`
    * `net_processing: move the debug log about receiving VERSION earlier`
    * `net_processing: modernize PushNodeVersion()`
    * `net_processing: move a debug check in VERACK processing earlier`
    * `net_processing: handle ConnectionType::PRIVATE_BROADCAST connections`
    * `net_processing: stop private broadcast of a transaction after round-trip`
    * `net_processing: retry private broadcast`

  * Engage the new functionality from `sendrawtransaction`:
    * `rpc: use private broadcast from sendrawtransaction RPC if -privatebroadcast is ON`

  * New tests:
    * `test: add functional test for private broadcast`
    * `test: add unit test for the private broadcast storage`

  </details>

  ---

  **This PR would resolve the following issues:**
  https://github.com/bitcoin/bitcoin/issues/3828 Clients leak IPs if they are recipients of a transaction
  https://github.com/bitcoin/bitcoin/issues/14692 Can't configure bitocoind to only send tx via Tor but receive clearnet transactions
  https://github.com/bitcoin/bitcoin/issues/19042 Tor-only transaction broadcast onlynet=onion alternative
  https://github.com/bitcoin/bitcoin/issues/24557 Option for receive events with all networks, but send transactions and/or blocks only with anonymous network[s]?
  https://github.com/bitcoin/bitcoin/issues/25450 Ability to broadcast wallet transactions only via dedicated oneshot Tor connections
  https://github.com/bitcoin/bitcoin/issues/32235 Tor: TX circuit isolation

  **Issues that are related, but (maybe?) not to be resolved by this PR:**
  https://github.com/bitcoin/bitcoin/issues/21876 Broadcast a transaction to specific nodes
  https://github.com/bitcoin/bitcoin/issues/28636 new RPC: sendrawtransactiontopeer

  ---

  Further extensions:
  * Have the wallet do the private broadcast as well, https://github.com/bitcoin/bitcoin/issues/11887 would have to be resolved.
  * Have the `submitpackage` RPC do the private broadcast as well, [draft diff in the comment below](https://github.com/bitcoin/bitcoin/pull/29415#pullrequestreview-2972293733), thanks ismaelsadeeq!
  * Add some stats via RPC, so that the user can better monitor what is going on during and after the broadcast. Currently this can be done via the debug log, but that is not convenient.
  * Make the private broadcast storage, currently in peerman, persistent over node restarts.
  * Add (optional) random delay before starting to broadcast the transaction in order to avoid correlating unrelated transactions based on the time when they were broadcast. Suggested independently of this PR [here](https://github.com/bitcoin/bitcoin/issues/30471).
  * Consider periodically sending transactions that did not originate from the node as decoy, discussed [here](https://github.com/bitcoin/bitcoin/pull/29415#discussion_r2035414972).
  * Consider waiting for peer's FEEFILTER message and if the transaction that was sent to the peer is below that threshold, then assume the peer is going to drop it. Then use this knowledge to retry more aggressively with another peer, instead of the current 10 min. See [comment below](https://github.com/bitcoin/bitcoin/pull/29415#issuecomment-3258611648).
  * It may make sense to be able to override the default policy -- eg so submitrawtransaction can go straight to the mempool and relay, even if txs are normally privately relayed. See [comment below](https://github.com/bitcoin/bitcoin/pull/29415#issuecomment-3427086681).
  * As a side effect we have a new metric available - the time it takes for a transaction to reach a random node in the network (from the point of view of the private broadcast recipient the tx originator is a random node somewhere in the network). This can be useful for monitoring, unrelated to privacy characteristics of this feature.

  ---

  _A previous incarnation of this can be found at https://github.com/bitcoin/bitcoin/pull/27509. It puts the transaction in the mempool and (tries to) hide it from the outside observers. This turned out to be too error prone or maybe even impossible._

ACKs for top commit:
  l0rinc:
    code review diff ACK 8937221304
  andrewtoth:
    ACK 8937221304
  pinheadmz:
    ACK 8937221304
  w0xlt:
    ACK 8937221304 with nit https://github.com/bitcoin/bitcoin/pull/29415#discussion_r2654849875
  mzumsande:
    re-ACK 8937221304

Tree-SHA512: d51dadc865c2eb080c903cbe2f669e69a967e5f9fc64e9a20a68f39a67bf0db6ac2ad682af7fa24ef9f0942a41c89959341a16ba7b616475e1c5ab8e563b9b96
2026-01-12 15:02:14 -05:00
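
The per-connection exchange and the retry/stop rule from the pull request description above, as a simplified Python model added here (not code from Bitcoin Core or from the pull request). The class and function names, the peer scripts and the value 3 for `NUM_PRIVATE_BROADCAST_PER_TX` are assumptions, and messages are reduced to their type names.

```python
from dataclasses import dataclass, field

# Assumption: the real value of NUM_PRIVATE_BROADCAST_PER_TX is not on the page.
NUM_PRIVATE_BROADCAST_PER_TX = 3

# Constructed peer scripts: the messages a recipient sends, in order.
HONEST = ["VERSION", "WTXIDRELAY", "SENDADDRV2", "VERACK", "GETDATA", "PONG"]
BLACKHOLE = ["VERSION", "VERACK", "ADDR", "INV"]  # never asks for the tx


@dataclass
class PrivateBroadcastConn:
    """Sender side of one short-lived connection (simplified model)."""
    txid: str
    sent: list = field(default_factory=list)
    handshake_done: bool = False
    tx_sent: bool = False
    closed: bool = False

    def open(self):
        self.sent.append("VERSION")  # dummy VERSION with no revealing data

    def receive(self, msg):
        """Act on VERSION/VERACK, GETDATA and PONG; ignore everything else."""
        if not self.handshake_done:
            if msg == "VERSION":
                self.sent.append("VERACK")
            elif msg == "VERACK" and "VERACK" in self.sent:
                self.handshake_done = True
                self.sent.append("INV")  # announce the one local transaction
        elif msg == "GETDATA" and not self.tx_sent:
            self.tx_sent = True
            self.sent += ["TX", "PING"]  # per the diagram: TX, then PING
        elif msg == "PONG" and self.tx_sent:
            self.closed = True  # PONG received: disconnect


def drive(conn, peer_msgs):
    """Open the connection and feed it the recipient's messages."""
    conn.open()
    for msg in peer_msgs:
        conn.receive(msg)
    return conn


class PrivateBroadcastStorage:
    """Pending transactions, held outside the mempool until the round-trip."""
    def __init__(self):
        self.pending = {}  # txid -> connections opened for it

    def add(self, txid):
        self.pending[txid] = [PrivateBroadcastConn(txid)
                              for _ in range(NUM_PRIVATE_BROADCAST_PER_TX)]
        return self.pending[txid]

    def reattempt(self, txid):
        """Nothing heard from the network yet: one more recipient."""
        if txid in self.pending:
            self.pending[txid].append(PrivateBroadcastConn(txid))
        return len(self.pending.get(txid, []))

    def on_tx_from_ordinary_peer(self, txid):
        """TX arrived in reply to our GETDATA: stop broadcasting it."""
        return self.pending.pop(txid, None) is not None
```

Driving a connection with `BLACKHOLE` leaves it open with the transaction unsent, which is the case the retry in `reattempt()` covers.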

Functional tests

Writing Functional Tests

Example test

The file test/functional/example_test.py is a heavily commented example of a test case that uses both the RPC and P2P interfaces. If you are writing your first test, copy that file and modify it to fit your needs.

Coverage

Assuming the build directory is build, running build/test/functional/test_runner.py with the --coverage argument tracks which RPCs are called by the tests and prints a report of uncovered RPCs in the summary. This can be used (along with the --extended argument) to find out which RPCs we don't have test cases for.

Style guidelines

  • Where possible, try to adhere to PEP-8 guidelines
  • Use a python linter like flake8 before submitting PRs to catch common style nits (eg trailing whitespace, unused imports, etc)
  • The oldest supported Python version is specified in doc/dependencies.md. Consider using pyenv, which checks .python-version, to prevent accidentally introducing modern syntax from an unsupported Python version. The CI linter job also checks this, but possibly not in all cases.
  • See the python lint script that checks for violations that could lead to bugs and issues in the test code.
  • Use type hints in your code to improve code readability and to detect possible bugs earlier.
  • Avoid wildcard imports.
  • If more than one name from a module is needed, use lexicographically sorted multi-line imports in order to reduce the possibility of potential merge conflicts.
  • Use a module-level docstring to describe what the test is testing, and how it is testing it.
  • When subclassing the BitcoinTestFramework, place overrides for the set_test_params(), add_options() and setup_xxxx() methods at the top of the subclass, then locally-defined helper methods, then the run_test() method.
  • Use f'{x}' for string formatting in preference to '{}'.format(x) or '%s' % x.
  • Use platform.system() for detecting the running operating system and os.name to check whether it's a POSIX system (see also the skip_if_platform_not_{linux,posix} methods in the BitcoinTestFramework class, which can be used to skip a whole test depending on the platform).

Naming guidelines

  • Name the test <area>_test.py, where area can be one of the following:
    • feature for tests for full features that aren't wallet/mining/mempool, eg feature_rbf.py
    • interface for tests for other interfaces (REST, ZMQ, etc), eg interface_rest.py
    • mempool for tests for mempool behaviour, eg mempool_reorg.py
    • mining for tests for mining features, eg mining_prioritisetransaction.py
    • p2p for tests that explicitly test the p2p interface, eg p2p_disconnect_ban.py
    • rpc for tests for individual RPC methods or features, eg rpc_listtransactions.py
    • tool for tests for tools, eg tool_wallet.py
    • wallet for tests for wallet features, eg wallet_keypool.py
  • Use an underscore to separate words
    • exception: for tests for specific RPCs or command line options which don't include underscores, name the test after the exact RPC or argument name, eg rpc_decodescript.py, not rpc_decode_script.py
  • Don't use the redundant word test in the name, eg interface_zmq.py, not interface_zmq_test.py

General test-writing advice

  • Instead of inline comments or no test documentation at all, log the comments to the test log, e.g. self.log.info('Create enough transactions to fill a block'). Logs make the test code easier to read and the test logic easier to debug.
  • Set self.num_nodes to the minimum number of nodes necessary for the test. Having additional unrequired nodes adds to the execution time of the test as well as memory/CPU/disk requirements (which is important when running tests in parallel).
  • Avoid stop-starting the nodes multiple times during the test if possible. A stop-start takes several seconds, so doing it several times blows up the runtime of the test.
  • Set the self.setup_clean_chain variable in set_test_params() to True to initialize an empty blockchain and start from the Genesis block, rather than load a premined blockchain from cache with the default value of False. The cached data directories contain a 200-block pre-mined blockchain with the spendable mining rewards being split between four nodes. Each node has 25 mature block subsidies (25x50=1250 BTC) in its wallet. Using them is much more efficient than mining blocks in your test.
  • When calling RPCs with lots of arguments, consider using named keyword arguments instead of positional arguments to make the intent of the call clear to readers.
  • Many of the core test framework classes such as CBlock and CTransaction don't allow new attributes to be added to their objects at runtime like typical Python objects allow. This helps prevent unpredictable side effects from typographical errors or usage of the objects outside of their intended purpose.

RPC and P2P definitions

Test writers may find it helpful to refer to the definitions for the RPC and P2P messages. These can be found in the following source files:

  • /src/rpc/* for RPCs
  • /src/wallet/rpc* for wallet RPCs
  • ProcessMessage() in /src/net_processing.cpp for parsing P2P messages

Using the P2P interface

  • P2Ps can be used to test specific P2P protocol behavior. p2p.py contains test framework p2p objects and messages.py contains all the definitions for objects passed over the network (CBlock, CTransaction, etc, along with the network-level wrappers for them, msg_block, msg_tx, etc).

  • P2P tests have two threads. One thread handles all network communication with the bitcoind(s) being tested in a callback-based event loop; the other implements the test logic.

  • P2PConnection is the class used to connect to a bitcoind. P2PInterface contains the higher level logic for processing P2P payloads and connecting to the Bitcoin Core node application logic. For custom behaviour, subclass the P2PInterface object and override the callback methods.

P2PConnections can be used as such:

```python
p2p_conn = node.add_p2p_connection(P2PInterface())
p2p_conn.send_and_ping(msg)
```

They can also be referenced by indexing into a TestNode's p2ps list, which contains the list of test framework p2p objects connected to itself (it does not include any TestNodes):

```python
node.p2ps[0].sync_with_ping()
```

More examples can be found in p2p_unrequested_blocks.py, p2p_compactblocks.py.

Prototyping tests

The TestShell class exposes the BitcoinTestFramework functionality to interactive Python3 environments and can be used to prototype tests. This may be especially useful in a REPL environment with session logging utilities, such as IPython. The logs of such interactive sessions can later be adapted into permanent test cases.

Test framework modules

The following are useful modules for test developers. They are located in test/functional/test_framework/.

authproxy.py

Taken from the python-bitcoinrpc repository.

test_framework.py

Base class for functional tests.

util.py

Generally useful functions.

p2p.py

Test objects for interacting with a bitcoind node over the p2p interface.

script.py

Utilities for manipulating transaction scripts (originally from python-bitcoinlib)

key.py

Test-only secp256k1 elliptic curve implementation

blocktools.py

Helper functions for creating blocks and transactions.

Benchmarking with perf

An easy way to profile node performance during functional tests is provided for Linux platforms using perf.

Perf will sample the running node and will generate profile data in the node's datadir. The profile data can then be presented using perf report or a graphical tool like hotspot.

There are two ways of invoking perf. One is to use the --perf flag when running tests, which profiles each node during the entire test run: perf begins to profile when the node starts and ends when it shuts down. The other is to use the profile_with_perf context manager, e.g.

```python
with node.profile_with_perf("send-big-msgs"):
    # Perform activity on the node you're interested in profiling, e.g.:
    for _ in range(10000):
        node.p2ps[0].send_without_ping(some_large_message)
```

To see useful textual output, run

```bash
perf report -i /path/to/datadir/send-big-msgs.perf.data.xxxx --stdio | c++filt | less
```

See also: