- added more debug info to p3LinkMgr

- added check for banned IP from DHT at connection time
- added regular removal of banned IPs from friend IP lists
- increased time of banned IP storage to 1 week (previously 6 hours)
- added save for banned IPs to keep them after restart (in bdfilter.cc) to file bdfilter.txt (can be manually updated)
- changed mFiltered into a std::map for increased search efficiency
- added secondary check of cert ID at connection time.-This line, and those below, will be ignored--

M    libretroshare/src/pqi/p3netmgr.cc
M    libretroshare/src/pqi/pqimonitor.h
M    libretroshare/src/pqi/p3peermgr.cc
M    libretroshare/src/pqi/p3linkmgr.h
M    libretroshare/src/pqi/pqissllistener.cc
M    libretroshare/src/pqi/p3peermgr.h
M    libretroshare/src/pqi/p3linkmgr.cc
M    libretroshare/src/pqi/pqiperson.cc
M    libretroshare/src/pqi/pqissl.cc
M    libretroshare/src/rsserver/rsinit.cc
M    libretroshare/src/dht/p3bitdht_relay.cc
M    libretroshare/src/dht/p3bitdht.cc
M    libretroshare/src/dht/p3bitdht.h
M    libretroshare/src/retroshare/rsdht.h
M    libbitdht/src/udp/udpbitdht.h
M    libbitdht/src/udp/udpbitdht.cc
M    libbitdht/src/bitdht/bdmanager.cc
M    libbitdht/src/bitdht/bdmanager.h
M    libbitdht/src/bitdht/bdnode.h
M    libbitdht/src/bitdht/bdfilter.h
M    libbitdht/src/bitdht/bdfilter.cc
M    libbitdht/src/bitdht/bdnode.cc
M    libbitdht/src/bitdht/bdstore.h


git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@8289 b45a01b8-16f6-495d-af2f-9b41ad6348cc

libretroshare/src/dht/p3bitdht.cc

@@ -82,7 +82,7 @@ virtual int dhtInfoCallback(const bdId *id, uint32_t type, uint32_t flags, std::
 
 
 p3BitDht::p3BitDht(const RsPeerId& id, pqiConnectCb *cb, p3NetMgr *nm, 
-			UdpStack *udpstack, std::string bootstrapfile)
+            UdpStack *udpstack, std::string bootstrapfile,const std::string& filteredipfile)
 	:p3Config(), pqiNetAssistConnect(id, cb), mNetMgr(nm), dhtMtx("p3BitDht")
 {
 	mDhtStunner = NULL;
@@ -129,7 +129,7 @@ p3BitDht::p3BitDht(const RsPeerId& id, pqiConnectCb *cb, p3NetMgr *nm,
 #endif
 
 	/* create dht */
-	mUdpBitDht = new UdpBitDht(udpstack, &mOwnDhtId, dhtVersion, bootstrapfile, mDhtFns);
+    mUdpBitDht = new UdpBitDht(udpstack, &mOwnDhtId, dhtVersion, bootstrapfile, filteredipfile,mDhtFns);
 	udpstack->addReceiver(mUdpBitDht);
 
 	/* setup callback to here */
@@ -373,7 +373,18 @@ bool 	p3BitDht::getExternalInterface(struct sockaddr_storage &/*raddr*/,
 #endif
 
 
-	return false;
+    return false;
+}
+
+bool p3BitDht::isAddressBanned(const sockaddr_storage &raddr)
+{
+    if(raddr.ss_family == AF_INET6)	// the DHT does not handle INET6 addresses yet.
+        return false ;
+
+    if(raddr.ss_family == AF_INET)
+        return mUdpBitDht->isAddressBanned((sockaddr_in&)raddr) ;
+
+    return false ;
 }
 
 

libretroshare/src/dht/p3bitdht.h

@@ -143,7 +143,7 @@ class p3BitDht: public p3Config, public pqiNetAssistConnect, public RsDht
 {
 	public:
 	p3BitDht(const RsPeerId& id, pqiConnectCb *cb, p3NetMgr *nm,
-		UdpStack *udpstack, std::string bootstrapfile);
+        UdpStack *udpstack, std::string bootstrapfile, const std::string &filteredipfile);
 
 
 virtual	~p3BitDht();
@@ -214,6 +214,7 @@ virtual bool 	getPeerStatus(const RsPeerId& id,
 virtual bool 	getExternalInterface(struct sockaddr_storage &raddr, 
 					uint32_t &mode);
 
+virtual bool	isAddressBanned(const struct sockaddr_storage& raddr) ;
 
 virtual bool    setAttachMode(bool on);
 

libretroshare/src/dht/p3bitdht_relay.cc

@@ -259,7 +259,7 @@ bool p3BitDht::saveList(bool &cleanup, std::list<RsItem *> &saveList)
 
 	config->print(std::cerr, 0);
 
-	saveList.push_back(config);
+    saveList.push_back(config);
 
 	return true;
 }

libretroshare/src/pqi/p3linkmgr.cc

@@ -47,6 +47,7 @@ const int p3connectzone = 3431;
 
 #include "retroshare/rsiface.h"
 #include "retroshare/rspeers.h"
+#include "retroshare/rsdht.h"
 
 /* Network setup States */
 
@@ -828,9 +829,9 @@ bool p3LinkMgrIMPL::connectResult(const RsPeerId &id, bool success, bool isIncom
 		if (success)
 		{
 			/* update address (should also come through from DISC) */
-#ifdef LINKMGR_DEBUG_CONNFAIL
+#ifdef LINKMGR_DEBUG
 			std::cerr << "p3LinkMgrIMPL::connectResult() Connect!: id: " << id << std::endl;
-			std::cerr << " Success: " << success << " flags: " << flags << std::endl;
+            std::cerr << " Success: " << success << " flags: " << flags << ", remote IP = " <<  sockaddr_storage_iptostring(remote_peer_address) << std::endl;
 #endif
 
 #ifdef LINKMGR_DEBUG
@@ -1730,7 +1731,11 @@ bool  p3LinkMgrIMPL::locked_CheckPotentialAddr(const struct sockaddr_storage &ad
 
 	std::list<struct sockaddr_storage>::const_iterator it;
 	for(it = mBannedIpList.begin(); it != mBannedIpList.end(); ++it)
-	{
+    {
+#ifdef LINKMGR_DEBUG
+        std::cerr << "Checking IP w.r.t. banned IP " << sockaddr_storage_iptostring(*it) << std::endl;
+#endif
+
 		if (sockaddr_storage_sameip(*it, addr))
 		{
 #ifdef LINKMGR_DEBUG
@@ -1741,6 +1746,15 @@ bool  p3LinkMgrIMPL::locked_CheckPotentialAddr(const struct sockaddr_storage &ad
 		}
 	}
 
+    if(rsDht != NULL && rsDht->isAddressBanned(addr))
+    {
+#ifdef LINKMGR_DEBUG
+            std::cerr << "p3LinkMgrIMPL::locked_CheckPotentialAddr() adding to local Banned IPList";
+            std::cerr << std::endl;
+#endif
+            mBannedIpList.push_back(addr) ;
+            return false ;
+    }
 
 	/* if it is an external address, we'll accept it.
 	 * - even it is meant to be a local address.
@@ -1891,8 +1905,7 @@ void  p3LinkMgrIMPL::locked_ConnectAttempt_HistoricalAddresses(peerConnectState
 	std::cerr << "p3LinkMgrIMPL::locked_ConnectAttempt_HistoricalAddresses()";
 	std::cerr << std::endl;
 #endif
-	for(ait = ipAddrs.mLocal.mAddrs.begin(); 
-		ait != ipAddrs.mLocal.mAddrs.end(); ++ait)
+    for(ait = ipAddrs.mLocal.mAddrs.begin();  ait != ipAddrs.mLocal.mAddrs.end(); ++ait)
 	{
 		if (locked_CheckPotentialAddr(ait->mAddr, now - ait->mSeenTime))
 		{
@@ -2235,7 +2248,14 @@ void p3LinkMgrIMPL::printPeerLists(std::ostream &out)
                 }
         }
 
-        return;
+    return;
+}
+
+bool p3LinkMgrIMPL::checkPotentialAddr(const sockaddr_storage &addr, time_t age)
+{
+    RsStackMutex stack(mLinkMtx); /****** STACK LOCK MUTEX *******/
+
+    return locked_CheckPotentialAddr(addr,age) ;
 }
 
 

libretroshare/src/pqi/p3linkmgr.h

@@ -186,6 +186,7 @@ virtual bool 	getLocalAddress(struct sockaddr_storage &addr) = 0;
 virtual void	getFriendList(std::list<RsPeerId> &ssl_peers) = 0; // ONLY used by p3peers.cc USE p3PeerMgr instead.
 virtual bool	getFriendNetStatus(const RsPeerId &id, peerConnectState &state) = 0; // ONLY used by p3peers.cc
 
+virtual bool 	checkPotentialAddr(const struct sockaddr_storage &addr, time_t age)=0;
 
 	/************* DEPRECIATED FUNCTIONS (TO REMOVE) ********/
 virtual int 	addFriend(const RsPeerId &ssl_id, bool isVisible) = 0;
@@ -269,6 +270,7 @@ int 	removeFriend(const RsPeerId &ssl_id);
 
 void 	printPeerLists(std::ostream &out);
 
+virtual bool checkPotentialAddr(const struct sockaddr_storage &addr, time_t age);
 protected:
 	/* THESE CAN PROBABLY BE REMOVED */
 //bool	shutdown(); /* blocking shutdown call */

libretroshare/src/pqi/p3netmgr.cc

@@ -1126,12 +1126,12 @@ bool    p3NetMgrIMPL::setNetworkMode(uint32_t netMode)
 
 		oldNetMode = mNetMode;
 
-//#ifdef NETMGR_DEBUG
-		std::cerr << "p3NetMgrIMPL::setNetworkMode()";
-		std::cerr << " Existing netMode: " << mNetMode;
-		std::cerr << " Input netMode: " << netMode;
-		std::cerr << std::endl;
-//#endif
+#ifdef NETMGR_DEBUG
+        std::cerr << "p3NetMgrIMPL::setNetworkMode()";
+        std::cerr << " Existing netMode: " << mNetMode;
+        std::cerr << " Input netMode: " << netMode;
+        std::cerr << std::endl;
+#endif
 		mNetMode &= ~(RS_NET_MODE_TRYMODE);
 
 		switch(netMode & RS_NET_MODE_ACTUAL)
@@ -1169,7 +1169,7 @@ bool    p3NetMgrIMPL::setVisState(uint16_t vs_disc, uint16_t vs_dht)
 {
 	RsStackMutex stack(mNetMtx); /****** STACK LOCK MUTEX *******/
 	mVsDisc = vs_disc;
-	mVsDht = vs_dht;
+    mVsDht = vs_dht;
 
 	/* if we've started up - then tweak Dht On/Off */
 	if (mNetStatus != RS_NET_UNKNOWN)

libretroshare/src/pqi/p3peermgr.cc

@@ -275,8 +275,9 @@ bool p3PeerMgrIMPL::setOwnVisState(uint16_t vs_disc, uint16_t vs_dht)
 void p3PeerMgrIMPL::tick()
 {
 
-	static const time_t INTERVAL_BETWEEN_LOCATION_CLEANING = 1860 ; // Remove unused locations every 31 minutes.
-	static time_t last_friends_check = time(NULL) + INTERVAL_BETWEEN_LOCATION_CLEANING; // first cleaning after 1 hour.
+    static const time_t INTERVAL_BETWEEN_LOCATION_CLEANING = 600 ; // Remove unused locations and clean IPs every 10 minutes.
+
+    static time_t last_friends_check = time(NULL) + INTERVAL_BETWEEN_LOCATION_CLEANING; // first cleaning after 1 hour.
 
 	time_t now = time(NULL) ;
 
@@ -288,7 +289,13 @@ void p3PeerMgrIMPL::tick()
 
 		rslog(RSL_WARNING, p3peermgrzone, "p3PeerMgr::tick() removeUnusedLocations()");
 
-		removeUnusedLocations() ;
+        removeUnusedLocations() ;
+
+#ifdef PEER_DEBUG
+        std::cerr << "p3PeerMgrIMPL::tick(): cleaning banned/old IPs." << std::endl ;
+#endif
+        removeBannedIps() ;
+
 		last_friends_check = now ;
 	}
 }
@@ -1699,8 +1706,8 @@ bool  p3PeerMgrIMPL::loadList(std::list<RsItem *>& load)
 #endif
 				/* add ownConfig */
 				setOwnNetworkMode(pitem->netMode);
-				setOwnVisState(pitem->vs_disc, pitem->vs_dht);
-				
+                setOwnVisState(pitem->vs_disc, pitem->vs_dht);
+
 				mOwnState.gpg_id = AuthGPG::getAuthGPG()->getGPGOwnId();
 				mOwnState.location = AuthSSL::getAuthSSL()->getOwnLocation();
 			}
@@ -1727,7 +1734,7 @@ bool  p3PeerMgrIMPL::loadList(std::list<RsItem *>& load)
 			else
 			{
 				setLocalAddress(peer_id, pitem->localAddrV4.addr);
-				setExtAddress(peer_id, pitem->extAddrV4.addr);
+                setExtAddress(peer_id, pitem->extAddrV4.addr);
 				setDynDNS (peer_id, pitem->dyndns);
 
 				/* convert addresses */
@@ -2233,8 +2240,57 @@ bool	p3PeerMgrIMPL::getAssociatedPeers(const RsPgpId &gpg_id, std::list<RsPeerId
 	return (count > 0);
 }
 
+// goes through the list of known friend IPs and remove the ones that are banned by p3LinkMgr.
 
+static bool cleanIpList(std::list<pqiIpAddress>& lst,const RsPeerId& pid,p3LinkMgr *link_mgr)
+{
+    bool changed = false ;
+    time_t now = time(NULL) ;
 
+    for(std::list<pqiIpAddress>::iterator it2(lst.begin());it2 != lst.end();)
+    {
+#ifdef P3PEERS_DEBUG
+      std::cerr << "Checking IP address " << sockaddr_storage_iptostring( (*it2).mAddr) << " for peer " << pid << ", age = " << now - (*it2).mSeenTime << std::endl;
+#endif
+        if(!link_mgr->checkPotentialAddr( (*it2).mAddr,now - (*it2).mSeenTime))
+        {
+#ifdef P3PEERS_DEBUG
+            std::cerr << "  ==> Removing Banned/old IP address " << sockaddr_storage_iptostring( (*it2).mAddr) << " from peer " << pid << ", age = " << now - (*it2).mSeenTime << std::endl;
+#endif
+
+            std::list<pqiIpAddress>::iterator ittmp = it2 ;
+            ++ittmp ;
+            lst.erase(it2) ;
+            it2 = ittmp ;
+
+            changed = true ;
+        }
+        else
+            ++it2 ;
+    }
+
+    return changed ;
+}
+
+bool p3PeerMgrIMPL::removeBannedIps()
+{
+    RsStackMutex stack(mPeerMtx); /****** STACK LOCK MUTEX *******/
+
+    bool changed = false ;
+    for( std::map<RsPeerId, peerState>::iterator it = mFriendList.begin(); it != mFriendList.end(); ++it)
+    {
+        changed = changed || cleanIpList(it->second.ipAddrs.mExt.mAddrs,it->first,mLinkMgr) ;
+        changed = changed || cleanIpList(it->second.ipAddrs.mLocal.mAddrs,it->first,mLinkMgr) ;
+    }
+
+    changed = changed || cleanIpList(mOwnState.ipAddrs.mExt.mAddrs,mOwnState.id,mLinkMgr) ;
+    changed = changed || cleanIpList(mOwnState.ipAddrs.mLocal.mAddrs,mOwnState.id,mLinkMgr) ;
+
+    if(changed)
+        IndicateConfigChanged();
+
+    return true ;
+}
 
 // /* This only removes SSL certs, that are old... Can end up with no Certs per GPG Id 
 //  * We are removing the concept of a "DummyId" - There is no need for it.
@@ -2268,7 +2324,7 @@ bool p3PeerMgrIMPL::removeUnusedLocations()
 				toRemove.push_back(it->first);
 
 #ifdef P3PEERS_DEBUG
-				std::cerr << "p3PeerMgr::removeUnusedLocations() removing Old SSL Id: " << it->first << std::endl;
+                std::cerr << "p3PeerMgr::removeUnusedLocations() removing Old SSL Id: " << it->first << std::endl;
 #endif
 				
 			}

libretroshare/src/pqi/p3peermgr.h

@@ -325,12 +325,11 @@ int 	getConnectAddresses(const RsPeerId &id,
 				struct sockaddr_storage &lAddr, struct sockaddr_storage &eAddr, 
 				pqiIpAddrSet &histAddrs, std::string &dyndns);
 
-
-
 protected:
 	/* Internal Functions */
 
 bool 	removeUnusedLocations();
+bool 	removeBannedIps();
 
 void    printPeerLists(std::ostream &out);
 

libretroshare/src/pqi/pqimonitor.h

@@ -161,6 +161,7 @@ virtual void    peerConnectRequest(const RsPeerId& id, const struct sockaddr_sto
 			const struct sockaddr_storage &proxyaddr,  const struct sockaddr_storage &srcaddr,  
                         uint32_t source, uint32_t flags, uint32_t delay, uint32_t bandwidth) = 0;
 
+
 //virtual void	stunStatus(std::string id, const struct sockaddr_storage &raddr, uint32_t type, uint32_t flags) = 0;
 };
 

libretroshare/src/pqi/pqiperson.cc

@@ -216,7 +216,11 @@ int	pqiperson::tick()
 // - Actually, now we have - must store and process later.
 int 	pqiperson::notifyEvent(NetInterface *ni, int newState, const struct sockaddr_storage &remote_peer_address)
 {
-	if (mPersonMtx.trylock())
+#ifdef PERSON_DEBUG
+    std::cerr << "pqiperson::notifyEvent() adding event to Queue. newState=" << newState << " from IP = " << sockaddr_storage_tostring(remote_peer_address) << std::endl;
+#endif
+
+    if (mPersonMtx.trylock())
 	{
 		handleNotifyEvent_locked(ni, newState, remote_peer_address);
 
@@ -225,7 +229,6 @@ int 	pqiperson::notifyEvent(NetInterface *ni, int newState, const struct sockadd
 		return 1;
 	}
 
-
 	RsStackMutex stack(mNotifyMtx); /**** LOCK MUTEX ****/
 
 	mNotifyQueue.push_back(NotifyData(ni, newState, remote_peer_address));

libretroshare/src/pqi/pqissl.cc

@@ -1306,7 +1306,7 @@ int 	pqissl::Authorise_SSL_Connection()
 	// 	which could be 
 	//      (pqissl's case) sslcert->serveraddr or sslcert->localaddr.
 
-	AuthSSL::getAuthSSL()->CheckCertificate(PeerId(), peercert);
+    bool res = AuthSSL::getAuthSSL()->CheckCertificate(PeerId(), peercert);
 	bool certCorrect = true; /* WE know it okay already! */
 
 	// check it's the right one.
@@ -1315,6 +1315,7 @@ int 	pqissl::Authorise_SSL_Connection()
 		// then okay...
 		rslog(RSL_WARNING, pqisslzone, "pqissl::Authorise_SSL_Connection() Accepting Conn. Peer: " + PeerId().toStdString());
 
+        //std::cerr << "pqissl::Authorise_SSL_Connection(): accepting connection from " << sockaddr_storage_iptostring(remote_addr) << std::endl;
 		accept_locked(ssl_connection, sockfd, remote_addr);
 		return 1;
 	}

libretroshare/src/pqi/pqissllistener.cc

@@ -45,6 +45,7 @@ const int pqissllistenzone = 49787;
  * #define OPEN_UNIVERSAL_PORT 1
  */
 
+//#define DEBUG_LISTENNER
 #define OPEN_UNIVERSAL_PORT 1
 
 /************************ PQI SSL LISTEN BASE ****************************
@@ -373,25 +374,31 @@ int	pqissllistenbase::acceptconnection()
 
 	SSL_set_fd(incoming_connexion_info.ssl, fd);
 
-	return continueSSL(incoming_connexion_info, true); // continue and save if incomplete.
+    return continueSSL(incoming_connexion_info, true); // continue and save if incomplete.
 }
 
 int	pqissllistenbase::continueSSL(IncomingSSLInfo& incoming_connexion_info, bool addin)
 {
 	// attempt the accept again.
-	int fd =  SSL_get_fd(incoming_connexion_info.ssl);
+    int fd =  SSL_get_fd(incoming_connexion_info.ssl);
 
-	// clear the connection info that will be filled in by the callback.
-	//
-	AuthSSL::getAuthSSL()->setCurrentConnectionAttemptInfo(RsPgpId(),RsPeerId(),std::string()) ;
+    AuthSSL::getAuthSSL()->setCurrentConnectionAttemptInfo(RsPgpId(),RsPeerId(),std::string()) ;
+    int err = SSL_accept(incoming_connexion_info.ssl);
 
-	int err = SSL_accept(incoming_connexion_info.ssl);
+    // Now grab the connection info that was filled in by the callback.
+    // In the case the callback did not succeed the SSL certificate will not be accessible
+    // from SSL_get_peer_certificate, so we need to get it from the callback system.
+    //
+    AuthSSL::getAuthSSL()->getCurrentConnectionAttemptInfo(incoming_connexion_info.gpgid,incoming_connexion_info.sslid,incoming_connexion_info.sslcn) ;
 
-	// No grab the connection info that was filled in by the callback.
-	//
-	AuthSSL::getAuthSSL()->getCurrentConnectionAttemptInfo(incoming_connexion_info.gpgid,incoming_connexion_info.sslid,incoming_connexion_info.sslcn) ;
+#ifdef DEBUG_LISTENNER
+    std::cerr << "Info from callback: " << std::endl;
+        std::cerr << "  Got PGP Id = " << incoming_connexion_info.gpgid << std::endl;
+        std::cerr << "  Got SSL Id = " << incoming_connexion_info.sslid << std::endl;
+        std::cerr << "  Got SSL CN = " << incoming_connexion_info.sslcn << std::endl;
+#endif
 
-	if (err <= 0)
+    if (err <= 0)
 	{
 		int ssl_err = SSL_get_error(incoming_connexion_info.ssl, err);
 		int err_err = ERR_get_error();
@@ -445,8 +452,35 @@ int	pqissllistenbase::continueSSL(IncomingSSLInfo& incoming_connexion_info, bool
 
 		// failure -1, pending 0, sucess 1.
 		return -1;
-	}
-	
+    }
+
+    // Now grab the connection info from the SSL itself, because the callback info might be
+    // tempered due to multiple connection attempts at once.
+    //
+    X509 *x509 = SSL_get_peer_certificate(incoming_connexion_info.ssl) ;
+
+#ifdef DEBUG_LISTENNER
+    std::cerr << "Info from certificate: " << std::endl;
+#endif
+    if(x509 != NULL)
+    {
+        incoming_connexion_info.gpgid = RsPgpId(std::string(getX509CNString(x509->cert_info->issuer)));
+        incoming_connexion_info.sslcn = getX509CNString(x509->cert_info->subject);
+
+        getX509id(x509,incoming_connexion_info.sslid);
+
+#ifdef DEBUG_LISTENNER
+        std::cerr << "  Got PGP Id = " << incoming_connexion_info.gpgid << std::endl;
+        std::cerr << "  Got SSL Id = " << incoming_connexion_info.sslid << std::endl;
+        std::cerr << "  Got SSL CN = " << incoming_connexion_info.sslcn << std::endl;
+#endif
+    }
+#ifdef DEBUG_LISTENNER
+    else
+        std::cerr << "  no info." << std::endl;
+#endif
+
+
 	// if it succeeds
 	if (0 < completeConnection(fd, incoming_connexion_info))
 	{
@@ -888,6 +922,18 @@ int pqissllistener::finaliseConnection(int fd, SSL *ssl, const RsPeerId& peerId,
 	out += "\npqissllistener => Passing to pqissl module!";
 	pqioutput(PQL_WARNING, pqissllistenzone, out);
 
+    std::string addrstring = sockaddr_storage_tostring(remote_addr);
+
+    if(!strncmp(addrstring.c_str(),"IPv4=194.228",12))
+        std::cerr << "Caught connection from bad address " << addrstring << " for peer ID " << peerId << std::endl;
+
+    if(!strncmp(addrstring.c_str(),"IPv4=217.66",11))
+        std::cerr << "Caught connection from bad address " << addrstring << " for peer ID " << peerId << std::endl;
+
+    if(!strncmp(addrstring.c_str(),"IPv4=194.199",12))
+        std::cerr << "Caught connection from bad address " << addrstring << std::endl;
+    std::cerr << "pqissllistenner::finaliseConnection() connected to " << sockaddr_storage_tostring(remote_addr) << std::endl;
+
 	// hand off ssl conection.
 	pqissl *pqis = it -> second;
 	pqis -> accept(ssl, fd, remote_addr);

libretroshare/src/retroshare/rsdht.h

@@ -195,6 +195,7 @@ virtual int	setRelayAllowance(int classIdx, uint32_t  count, uint32_t  bandwidth
 	// So we can provide to clients.
 virtual bool    getOwnDhtId(std::string &ownDhtId) = 0;
 
+virtual bool	isAddressBanned(const struct sockaddr_storage& raddr) =0;
 
 #if 0
 virtual std::string getPeerStatusString();

libretroshare/src/rsserver/rsinit.cc

@@ -1079,16 +1079,20 @@ int RsServer::StartupRetroShare()
 #ifdef RS_USE_BITDHT
 
 #define BITDHT_BOOTSTRAP_FILENAME  	"bdboot.txt"
+#define BITDHT_FILTERED_IP_FILENAME  	"bdfilter.txt"
 
 
 	std::string bootstrapfile = rsAccounts->PathAccountDirectory();
 	if (bootstrapfile != "")
-	{
 		bootstrapfile += "/";
-	}
 	bootstrapfile += BITDHT_BOOTSTRAP_FILENAME;
 
-	std::cerr << "Checking for DHT bootstrap file: " << bootstrapfile << std::endl;
+    std::string filteredipfile = rsAccounts->PathAccountDirectory();
+    if (filteredipfile != "")
+        filteredipfile += "/";
+    filteredipfile += BITDHT_FILTERED_IP_FILENAME;
+
+    std::cerr << "Checking for DHT bootstrap file: " << bootstrapfile << std::endl;
 
 	/* check if bootstrap file exists...
 	 * if not... copy from dataDirectory
@@ -1137,7 +1141,7 @@ int RsServer::StartupRetroShare()
 #endif
 
 	// NEXT BITDHT.
-	p3BitDht *mBitDht = new p3BitDht(ownId, mLinkMgr, mNetMgr, mDhtStack, bootstrapfile);
+    p3BitDht *mBitDht = new p3BitDht(ownId, mLinkMgr, mNetMgr, mDhtStack, bootstrapfile, filteredipfile);
 	/* install external Pointer for Interface */
 	rsDht = mBitDht;