- added more debug info to p3LinkMgr

- added check for banned IP from DHT at connection time
- added regular removal of banned IPs from friend IP lists
- increased time of banned IP storage to 1 week (previously 6 hours)
- added save for banned IPs to keep them after restart (in bdfilter.cc) to file bdfilter.txt (can be manually updated)
- changed mFiltered into a std::map for increased search efficiency
- added secondary check of cert ID at connection time.-This line, and those below, will be ignored--

M    libretroshare/src/pqi/p3netmgr.cc
M    libretroshare/src/pqi/pqimonitor.h
M    libretroshare/src/pqi/p3peermgr.cc
M    libretroshare/src/pqi/p3linkmgr.h
M    libretroshare/src/pqi/pqissllistener.cc
M    libretroshare/src/pqi/p3peermgr.h
M    libretroshare/src/pqi/p3linkmgr.cc
M    libretroshare/src/pqi/pqiperson.cc
M    libretroshare/src/pqi/pqissl.cc
M    libretroshare/src/rsserver/rsinit.cc
M    libretroshare/src/dht/p3bitdht_relay.cc
M    libretroshare/src/dht/p3bitdht.cc
M    libretroshare/src/dht/p3bitdht.h
M    libretroshare/src/retroshare/rsdht.h
M    libbitdht/src/udp/udpbitdht.h
M    libbitdht/src/udp/udpbitdht.cc
M    libbitdht/src/bitdht/bdmanager.cc
M    libbitdht/src/bitdht/bdmanager.h
M    libbitdht/src/bitdht/bdnode.h
M    libbitdht/src/bitdht/bdfilter.h
M    libbitdht/src/bitdht/bdfilter.cc
M    libbitdht/src/bitdht/bdnode.cc
M    libbitdht/src/bitdht/bdstore.h


git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@8289 b45a01b8-16f6-495d-af2f-9b41ad6348cc

libbitdht/src/bitdht/bdfilter.cc

@@ -26,6 +26,7 @@
 
 
 #include "bitdht/bdfilter.h"
+#include "util/bdfile.h"
 
 #include <stdlib.h>
 #include <stdio.h>
@@ -35,39 +36,110 @@
 /**
  * #define DEBUG_FILTER 1
 **/
+#define BDFILTER_ENTRY_DROP_PERIOD	(7 * 24 * 3600)
 
-#define BDFILTER_ENTRY_DROP_PERIOD	(6 * 3600)
+bdFilter::bdFilter(const std::string &fname, const bdNodeId *ownid,  uint32_t filterFlags, bdDhtFunctions *fns)
-
-
-bdFilter::bdFilter(const bdNodeId *ownId, std::list<bdFilteredPeer> &startList, 
-		uint32_t filterFlags, bdDhtFunctions *fns)
 {
 	/* */
-	mOwnId = *ownId;
+    mOwnId = *ownid;
-	mFns = fns;
+    mFns = fns;
+    mFilename = fname ;
 
-	std::list<bdFilteredPeer>::iterator it;
+    time_t now = time(NULL) ;
 
-	for(it = startList.begin(); it != startList.end(); it++)
+    loadBannedIpFile() ;
-	{
-		mFiltered.push_back(*it);
-	}
 
-	mFilterFlags = filterFlags;
+    mFilterFlags = filterFlags;
 }
 
-bool bdFilter::filtered(std::list<bdFilteredPeer> &answer)
+void bdFilter::writeBannedIpFile()
 {
-	answer = mFiltered;
+    std::string filetmp = mFilename + ".tmp" ;
-	return (answer.size() > 0);
+
+    FILE *fd = fopen(filetmp.c_str(), "w");
+
+    if (!fd)
+    {
+        std::cerr << "(EE) bdFilter::writeBannedIpFile() FAILED to Open File " << mFilename << std::endl;
+        return;
+    }
+
+    for( std::map<uint32_t,bdFilteredPeer>::iterator it=mFiltered.begin();it!=mFiltered.end();++it)
+    {
+        fprintf(fd, "%s %d %ld %ld\n", bdnet_inet_ntoa(it->second.mAddr.sin_addr).c_str(), it->second.mFilterFlags, it->second.mFilterTS, it->second.mLastSeen) ;
+#ifdef DEBUG_FILTER
+        fprintf(stderr, "Storing Peer Address: %s \n", bdnet_inet_ntoa(it->second.mAddr.sin_addr).c_str()) ;
+#endif
+
+    }
+    fclose(fd);
+
+    if(!bdFile::renameFile(filetmp,mFilename))
+        std::cerr << "Could not rename file !!" << std::endl;
+#ifdef DEBUG_FILTER
+    else
+        std::cerr << "Successfully renamed file " << filetmp << " to " << mFilename << std::endl;
+#endif
 }
 
+void bdFilter::loadBannedIpFile()
+{
+        char line[10240];
+        char addr_str[10240];
+
+        struct sockaddr_in addr;
+        addr.sin_family = PF_INET;
+        unsigned short port;
+
+    FILE *fd = fopen(mFilename.c_str(),"r") ;
+
+    if(fd == NULL)
+    {
+        std::cerr << "(EE) Cannot load filter file " << mFilename << std::endl;
+        return ;
+    }
+
+        while(line == fgets(line, 10240, fd))
+        {
+        uint32_t filter_flags ;
+        unsigned long long int filter_ts ;
+        unsigned long long int last_seen ;
+
+            if (4 == sscanf(line, "%s %u %llu %llu", addr_str, &filter_flags,&filter_ts,&last_seen))
+            {
+                if (bdnet_inet_aton(addr_str, &(addr.sin_addr)))
+                {
+                    addr.sin_port = 0;
+
+                    bdFilteredPeer peer;
+
+                    peer.mAddr = addr;
+                    peer.mFilterTS = filter_ts;
+                    peer.mLastSeen = last_seen;
+
+            mFiltered[addr.sin_addr.s_addr] = peer ;
+    #ifdef DEBUG_FILTER
+                    std::cerr << "Loaded filtered IP: " << std::string(addr_str) << " last seen: " << last_seen << ", TS=" << filter_ts << std::endl;
+    #endif
+                }
+            }
+        }
+
+        fclose(fd);
+}
+
+//bool bdFilter::filtered(std::list<bdFilteredPeer> &answer)
+//{
+//	answer = mFiltered;
+//	return (answer.size() > 0);
+//}
+
 bool bdFilter::filteredIPs(std::list<struct sockaddr_in> &answer)
 {
-	std::list<bdFilteredPeer>::iterator it;
+    std::map<uint32_t,bdFilteredPeer>::iterator it;
 	for(it = mFiltered.begin(); it != mFiltered.end(); it++)
 	{
-		answer.push_back(it->mAddr);
+        answer.push_back(it->second.mAddr);
 	}
 	return (answer.size() > 0);
 }
@@ -85,7 +157,8 @@ int bdFilter::checkPeer(const bdId *id, uint32_t mode)
 
 	if (add)
 	{
-		bool isNew = addPeerToFilter(id, flags);
+        bool isNew = addPeerToFilter(id->addr, flags);
+
 		if (isNew)
 		{
 			return 1;
@@ -95,59 +168,68 @@ int bdFilter::checkPeer(const bdId *id, uint32_t mode)
 	return 0;
 }
 
-int bdFilter::addPeerToFilter(const bdId *id, uint32_t flags)
+int bdFilter::addPeerToFilter(const struct sockaddr_in& addr, uint32_t flags)
 {
-	std::list<bdFilteredPeer>::iterator it;
+    std::map<uint32_t,bdFilteredPeer>::iterator it = mFiltered.find(addr.sin_addr.s_addr) ;
-	bool found = false;
+
-	for(it = mFiltered.begin(); it != mFiltered.end(); it++)
+    if(it != mFiltered.end())
 	{
-		if (id->addr.sin_addr.s_addr == it->mAddr.sin_addr.s_addr)
+            it->second.mLastSeen = time(NULL);
-		{
+            it->second.mFilterFlags |= flags;
-			found = true;
+    }
-			it->mLastSeen = time(NULL);
+    else
-			it->mFilterFlags |= flags;
+    {
-			break;
+        time_t now = time(NULL);
-		}
+        bdFilteredPeer fp;
-	}
 
-	if (!found)
+        fp.mAddr = addr;
-	{
+        fp.mAddr.sin_port = 0;
-		time_t now = time(NULL);
+        fp.mFilterFlags = flags;
-		bdFilteredPeer fp;
+        fp.mFilterTS = now;
+        fp.mLastSeen = now;
 
-		fp.mAddr = id->addr;
+        uint32_t saddr = addr.sin_addr.s_addr;
-		fp.mAddr.sin_port = 0;
-		fp.mFilterFlags = flags;
-		fp.mFilterTS = now;	
-		fp.mLastSeen = now;
 
-		mFiltered.push_back(fp);
+        mFiltered[saddr] = fp;
 
-		uint32_t saddr = id->addr.sin_addr.s_addr;
+        std::cerr << "Adding New Banned Ip Address: " << bdnet_inet_ntoa(addr.sin_addr);
-		mIpsBanned.insert(saddr);
+        std::cerr << std::endl;
+    }
+    writeBannedIpFile() ;
 
-		std::cerr << "Adding New Banned Ip Address: " << bdnet_inet_ntoa(id->addr.sin_addr);
+    return true;
-		std::cerr << std::endl;
-
-		return true;
-	}
-
-	return false;
 }
 
+// void bdFilter::loadFilteredPeers(const std::list<bdFilteredPeer>& peers)
+// {
+//     for(std::list<bdFilteredPeer>::iterator it = peers.begin(); it != peers.end();++it)
+//     {
+// #ifdef DEBUG_FILTER
+//         std::cerr << "Loading filtered peer " << inet_ntoa(it->mAddr.sin_addr) << " Flags: " << it->mFilterFlags << " FilterTS: "
+//                   << now - it->mFilterTS << " LastSeen: " << now - it->mLastSeen << std::endl;
+// #endif
+//         uint32_t saddr = it->mAddr.sin_addr.s_addr;
+//         mFiltered[saddr] = *it ;
+//     }
+// }
+// void bdFilter::getFilteredPeers(std::list<bdFilteredPeer>& peers)
+// {
+//     for(std::map<uint32_t,bdFilteredPeer>::iterator it = mFiltered.begin(); it != mFiltered.end();++it)
+//         peers.push_back(it->second) ;
+// }
 /* fast check if the addr is in the structure */
 int bdFilter::addrOkay(struct sockaddr_in *addr)
 {
-	std::set<uint32_t>::const_iterator it = mIpsBanned.find(addr->sin_addr.s_addr);
+    std::map<uint32_t,bdFilteredPeer>::const_iterator it = mFiltered.find(addr->sin_addr.s_addr);
-	if (it == mIpsBanned.end())
+
-	{
+    if (it == mFiltered.end())
-		return 1; // Address is Okay!
+        return 1; // Address is Okay!
-	}
+
 #ifdef DEBUG_FILTER
-	std::cerr << "Detected Packet From Banned Ip Address: " << inet_ntoa(addr->sin_addr);
+    std::cerr << "Detected Packet From Banned Ip Address: " << inet_ntoa(addr->sin_addr);
-	std::cerr << std::endl;
+    std::cerr << std::endl;
 #endif
-	return 0;
+    return 0;
 }
 
 
@@ -184,55 +266,41 @@ bool bdFilter::isOwnIdWithoutBitDhtFlags(const bdId *id, uint32_t peerFlags)
 bool bdFilter::cleanupFilter()
 {
 #ifdef DEBUG_FILTER
-	std::cerr << "bdFilter::cleanupFilter() Current BanList" << std::endl;
+    std::cerr << "bdFilter: Checking current filter List:" << std::endl;
-	struct in_addr inaddr;
-
-	std::set<uint32_t>::iterator sit;
-	for(sit = mIpsBanned.begin(); sit != mIpsBanned.end(); sit++)
-	{
-		inaddr.s_addr = *sit;
-		std::cerr << "\tBanned: " << inet_ntoa(inaddr) << std::endl;
-	}
-#endif
-
-	mIpsBanned.clear();
-	
-#ifdef DEBUG_FILTER
-	std::cerr << "Filter List:" << std::endl;
 #endif
 
 	time_t now = time(NULL);
 	time_t dropTime = now - BDFILTER_ENTRY_DROP_PERIOD;
 
-	std::list<bdFilteredPeer>::iterator it;
+    for(std::map<uint32_t,bdFilteredPeer>::iterator it = mFiltered.begin(); it != mFiltered.end();)
-	for(it = mFiltered.begin(); it != mFiltered.end();)
+    {
-	{
 #ifdef DEBUG_FILTER
-		std::cerr << "\t" << inet_ntoa(it->mAddr.sin_addr);
+        std::cerr << "\t" << bdnet_inet_ntoa(it->second.mAddr.sin_addr);
-		std::cerr << " Flags: " << it->mFilterFlags;
+        std::cerr << " Flags: " << it->second.mFilterFlags;
-		std::cerr << " FilterTS: " << now - it->mFilterTS;
+        std::cerr << " FilterTS: " << now - it->second.mFilterTS;
-		std::cerr << " LastSeen: " << now - it->mLastSeen;
+        std::cerr << " LastSeen: " << now - it->second.mLastSeen;
 #endif
 
-		if (it->mLastSeen < dropTime)
+        if (it->second.mLastSeen < dropTime)
-		{
+        {
-			/* remove from filter */
+            /* remove from filter */
 #ifdef DEBUG_FILTER
-			std::cerr << " OLD DROPPING" << std::endl;
+            std::cerr << " OLD DROPPING" << std::endl;
 #endif
-			it = mFiltered.erase(it);
+            std::map<uint32_t,bdFilteredPeer>::iterator tmp(it) ;
-		}
+            ++tmp ;
-		else
-		{
-#ifdef DEBUG_FILTER
-			std::cerr << " OK" << std::endl;
-#endif
-			uint32_t saddr = it->mAddr.sin_addr.s_addr;
-			mIpsBanned.insert(saddr);
 
-			it++;
+            mFiltered.erase(it);
-		}
+            it = tmp ;
-	}
+        }
+        else
+        {
+#ifdef DEBUG_FILTER
+            std::cerr << " OK" << std::endl;
+#endif
+            it++;
+        }
+    }
 
 	return true;
 }

libbitdht/src/bitdht/bdfilter.h

@@ -50,21 +50,26 @@ class bdFilteredPeer
 class bdFilter
 {
 	public:
-	bdFilter(const bdNodeId *ownid, std::list<bdFilteredPeer> &initialFilters, 
+    bdFilter(const std::string& fname,const bdNodeId *ownid, uint32_t filterFlags, bdDhtFunctions *fns);
-		uint32_t filterFlags, bdDhtFunctions *fns);
 
 	// get the answer.
-bool	filtered(std::list<bdFilteredPeer> &answer);
+//bool	filtered(std::list<bdFilteredPeer> &answer);
 bool	filteredIPs(std::list<struct sockaddr_in> &answer);
 
+void    loadFilteredPeers(const std::list<bdFilteredPeer>& peers) ;
+void 	getFilteredPeers(std::list<bdFilteredPeer> &peers);
+
 int 	checkPeer(const bdId *id, uint32_t peerFlags);
 
 int 	addrOkay(struct sockaddr_in *addr);
-int 	addPeerToFilter(const bdId *id, uint32_t flags);
+int 	addPeerToFilter(const struct sockaddr_in &addr, uint32_t flags);
 
 bool 	cleanupFilter();
 
-	private:
+void loadBannedIpFile() ;
+void writeBannedIpFile() ;
+
+private:
 
 bool	isOwnIdWithoutBitDhtFlags(const bdId *id, uint32_t peerFlags);
 
@@ -72,11 +77,9 @@ bool	isOwnIdWithoutBitDhtFlags(const bdId *id, uint32_t peerFlags);
 	bdNodeId mOwnId;
 	uint32_t mFilterFlags;
 
-	std::list<bdFilteredPeer> mFiltered;
+    std::map<uint32_t,bdFilteredPeer> mFiltered;
-	bdDhtFunctions *mFns;
+    bdDhtFunctions *mFns;
-
+    std::string mFilename ;
-	// = addr.sin_addr.s_addr (uint32_t) stored in network order.
-	std::set<uint32_t> mIpsBanned; 
 };
 
 

libbitdht/src/bitdht/bdmanager.cc

@@ -68,8 +68,8 @@
 #define QUERY_UPDATE_PERIOD 8 	// under refresh period - so it'll happen at the MAX_REFRESH_PERIOD
 
 
-bdNodeManager::bdNodeManager(bdNodeId *id, std::string dhtVersion, std::string bootfile, bdDhtFunctions *fns)
+bdNodeManager::bdNodeManager(bdNodeId *id, std::string dhtVersion, std::string bootfile, const std::string& filterfile,bdDhtFunctions *fns)
-	:bdNode(id, dhtVersion, bootfile, fns)
+    :bdNode(id, dhtVersion, bootfile, filterfile, fns)
 {
 	mMode = BITDHT_MGR_STATE_OFF;
 	mFns = fns;
@@ -394,7 +394,7 @@ void bdNodeManager::iteration()
 				std::cerr << std::endl;
 #endif
 
-				mFilterPeers->cleanupFilter();
+                mFilterPeers.cleanupFilter();
 
 
 #ifdef DEBUG_MGR

libbitdht/src/bitdht/bdmanager.h

@@ -96,7 +96,7 @@ class bdQueryPeer
 class bdNodeManager: public bdNode, public BitDhtInterface
 {
 	public:
-        bdNodeManager(bdNodeId *id, std::string dhtVersion, std::string bootfile, bdDhtFunctions *fns);
+        bdNodeManager(bdNodeId *id, std::string dhtVersion, std::string bootfile, const std::string &filterfile, bdDhtFunctions *fns);
 
 
 void 	iteration();
@@ -152,7 +152,8 @@ virtual void callbackConnect(bdId *srcId, bdId *proxyId, bdId *destId,
                                         int mode, int point, int param, int cbtype, int errcode); 
 
 int 	isBitDhtPacket(char *data, int size, struct sockaddr_in &from);
-	private:
+
+private:
 
 
 void 	doNodeCallback(const bdId *id, uint32_t peerflags);

libbitdht/src/bitdht/bdnode.cc

@@ -70,12 +70,14 @@
 
 #define HISTORY_PERIOD  60
 
-bdNode::bdNode(bdNodeId *ownId, std::string dhtVersion, std::string bootfile, bdDhtFunctions *fns)
+bdNode::bdNode(bdNodeId *ownId, std::string dhtVersion, const std::string& bootfile, const std::string& filterfile, bdDhtFunctions *fns)
-	:mNodeSpace(ownId, fns), mQueryMgr(NULL), mConnMgr(NULL), 
+    :mNodeSpace(ownId, fns),
-	mFilterPeers(NULL), mOwnId(*ownId), mDhtVersion(dhtVersion), mStore(bootfile, fns), mFns(fns), 
+         mFilterPeers(filterfile,ownId, BITDHT_FILTER_REASON_OWNID, fns),
-	mFriendList(ownId), mHistory(HISTORY_PERIOD)
+      mQueryMgr(NULL),
+          mConnMgr(NULL),
+          mOwnId(*ownId), mDhtVersion(dhtVersion), mStore(bootfile, fns), mFns(fns),
+          mFriendList(ownId), mHistory(HISTORY_PERIOD)
 {
-
 	init(); /* (uses this pointers) stuff it - do it here! */
 }
 
@@ -84,9 +86,6 @@ void bdNode::init()
 	mQueryMgr = new bdQueryManager(&mNodeSpace, mFns, this);
 	mConnMgr = new bdConnectManager(&mOwnId, &mNodeSpace, mQueryMgr, mFns, this);
 
- 	std::list<bdFilteredPeer> emptyList;
-	mFilterPeers = new bdFilter(&mOwnId, emptyList, BITDHT_FILTER_REASON_OWNID, mFns);
-	
 	//setNodeOptions(BITDHT_OPTIONS_MAINTAIN_UNSTABLE_PORT);
 	setNodeOptions(0);
 
@@ -94,7 +93,15 @@ void bdNode::init()
 	setNodeDhtMode(BITDHT_MODE_TRAFFIC_DEFAULT);
 
 }
-
+//void bdNode::getFilteredPeers(std::list<bdFilteredPeer>& peers)
+//{
+//    mFilterPeers.getFilteredPeers(peers) ;
+//}
+//
+//void bdNode::loadFilteredPeers(const std::list<bdFilteredPeer>& peers)
+//{
+//    mFilterPeers.loadFilteredPeers(peers) ;
+//}
 /* Unfortunately I've ended up with 2 calls down through the heirarchy...
  * not ideal - must clean this up one day.
  */
@@ -249,7 +256,12 @@ void bdNode::shutdownNode()
 /* Crappy initial store... use bdspace as answer */
 void bdNode::updateStore()
 {
-	mStore.writeStore();
+    mStore.writeStore();
+}
+
+bool bdNode::addressBanned(const sockaddr_in& raddr)
+{
+    return !mFilterPeers.addrOkay(const_cast<sockaddr_in*>(&raddr)) ;
 }
 
 void bdNode::printState()
@@ -481,7 +493,7 @@ void bdNode::checkPotentialPeer(bdId *id, bdId *src)
 	/* Check BadPeer Filters for Potential Peers too */
 
 	/* first check the filters */
-        if (!mFilterPeers->addrOkay(&(id->addr)))
+        if (!mFilterPeers.addrOkay(&(id->addr)))
 	{
 		std::cerr << "bdNode::checkPotentialPeer(";
 		mFns->bdPrintId(std::cerr, id);
@@ -509,10 +521,10 @@ void bdNode::checkPotentialPeer(bdId *id, bdId *src)
 				// Stores in queue for later callback and desemination around the network.
 	        		mBadPeerQueue.queuePeer(id, 0);
 
-	        		mFilterPeers->addPeerToFilter(id, 0);
+                    mFilterPeers.addPeerToFilter(id->addr, 0);
 
 				std::list<struct sockaddr_in> filteredIPs;
-				mFilterPeers->filteredIPs(filteredIPs);
+                mFilterPeers.filteredIPs(filteredIPs);
 				mStore.filterIpList(filteredIPs);
 
 				return;
@@ -542,8 +554,6 @@ void bdNode::addPotentialPeer(bdId *id, bdId * /*src*/)
 	mPotentialPeers.push_back(*id);
 }
 
-
-
         // virtual so manager can do callback.
         // peer flags defined in bdiface.h
 void bdNode::addPeer(const bdId *id, uint32_t peerflags)
@@ -556,7 +566,7 @@ void bdNode::addPeer(const bdId *id, uint32_t peerflags)
 #endif
 
 	/* first check the filters */
-        if (mFilterPeers->checkPeer(id, peerflags))
+        if (mFilterPeers.checkPeer(id, peerflags))
 	{
 		std::cerr << "bdNode::addPeer(";
 		mFns->bdPrintId(std::cerr, id);
@@ -565,7 +575,7 @@ void bdNode::addPeer(const bdId *id, uint32_t peerflags)
 		std::cerr << std::endl;
 
 		std::list<struct sockaddr_in> filteredIPs;
-		mFilterPeers->filteredIPs(filteredIPs);
+        mFilterPeers.filteredIPs(filteredIPs);
 		mStore.filterIpList(filteredIPs);
 
 	        mBadPeerQueue.queuePeer(id, peerflags);
@@ -597,10 +607,10 @@ void bdNode::addPeer(const bdId *id, uint32_t peerflags)
 				// Stores in queue for later callback and desemination around the network.
 	        		mBadPeerQueue.queuePeer(id, peerflags);
 
-	        		mFilterPeers->addPeerToFilter(id, peerflags);
+                    mFilterPeers.addPeerToFilter(id->addr, peerflags);
 
 				std::list<struct sockaddr_in> filteredIPs;
-				mFilterPeers->filteredIPs(filteredIPs);
+                mFilterPeers.filteredIPs(filteredIPs);
 				mStore.filterIpList(filteredIPs);
 
 				// DO WE EXPLICITLY NEED TO DO THIS, OR WILL THEY JUST BE DROPPED?
@@ -826,7 +836,7 @@ int     bdNode::outgoingMsg(struct sockaddr_in *addr, char *msg, int *len)
 void    bdNode::incomingMsg(struct sockaddr_in *addr, char *msg, int len)
 {
 	/* check against the filter */
-	if (mFilterPeers->addrOkay(addr))
+    if (mFilterPeers.addrOkay(addr))
 	{
 		bdNodeNetMsg *bdmsg = new bdNodeNetMsg(msg, len, addr);
 		mIncomingMsgs.push_back(bdmsg);
@@ -1133,7 +1143,7 @@ void    bdNode::sendPkt(char *msg, int len, struct sockaddr_in addr)
 	//		len, inet_ntoa(addr.sin_addr), htons(addr.sin_port));
 
 	/* filter outgoing packets */
-        if (mFilterPeers->addrOkay(&addr))
+        if (mFilterPeers.addrOkay(&addr))
 	{
 		bdNodeNetMsg *bdmsg = new bdNodeNetMsg(msg, len, &addr);
 		//bdmsg->print(std::cerr);

libbitdht/src/bitdht/bdnode.h

@@ -33,6 +33,7 @@
 #include "bitdht/bdobj.h"
 #include "bitdht/bdhash.h"
 #include "bitdht/bdhistory.h"
+#include "bitdht/bdfilter.h"
 
 #include "bitdht/bdconnection.h"
 #include "bitdht/bdaccount.h"
@@ -83,6 +84,8 @@ output -> call back to Udp().
 
  *********/
 
+class bdFilteredPeer ;
+
 class bdNodeNetMsg
 {
 
@@ -118,7 +121,7 @@ class bdNode: public bdNodePublisher
 {
 	public:
 
-	bdNode(bdNodeId *id, std::string dhtVersion, std::string bootfile, 
+    bdNode(bdNodeId *id, std::string dhtVersion, const std::string& bootfile, const std::string& filterfile,
 		bdDhtFunctions *fns);	
 
 	void init(); /* sets up the self referential classes (mQueryMgr & mConnMgr) */
@@ -145,6 +148,10 @@ class bdNode: public bdNodePublisher
 	void processRemoteQuery();
 	void updateStore();
 
+    bool addressBanned(const sockaddr_in &raddr) ;
+    void getFilteredPeers(std::list<bdFilteredPeer> &peers);
+    void loadFilteredPeers(const std::list<bdFilteredPeer> &peers);
+
 	/* simplified outgoing msg functions (for the managers) */
 	virtual void send_ping(bdId *id); /* message out */
 	virtual void send_query(bdId *id, bdNodeId *targetNodeId, bool localnet); /* message out */
@@ -163,8 +170,9 @@ void 	incomingMsg(struct sockaddr_in *addr, char *msg, int len);
 void	dropRelayServers();
 void	pingRelayServers();
 
-	// Below is internal Management of incoming / outgoing messages.
+// Below is internal Management of incoming / outgoing messages.
-	private:
+
+private:
 
 	/* internal interaction with network */
 void	sendPkt(char *msg, int len, struct sockaddr_in addr);
@@ -235,10 +243,10 @@ void	recvPkt(char *msg, int len, struct sockaddr_in addr);
 	protected:
 
 	bdSpace mNodeSpace;
+    bdFilter mFilterPeers;
 
 	bdQueryManager *mQueryMgr;
 	bdConnectManager *mConnMgr;
-	bdFilter *mFilterPeers;
 
 	bdNodeId mOwnId;
 	bdId 	mLikelyOwnId; // Try to workout own id address.

libbitdht/src/bitdht/bdstore.h

@@ -33,24 +33,24 @@
 
 class bdStore
 {
-	public:
+public:
 
-	bdStore(std::string file, bdDhtFunctions *fns);
+    bdStore(std::string file, bdDhtFunctions *fns);
 
-int 	reloadFromStore(); /* for restarts */
+    int 	reloadFromStore(); /* for restarts */
-int	filterIpList(const std::list<struct sockaddr_in> &filteredIPs);
+    int	filterIpList(const std::list<struct sockaddr_in> &filteredIPs);
-int 	clear();
+    int 	clear();
 
-int 	getPeer(bdPeer *peer);
+    int 	getPeer(bdPeer *peer);
-void	addStore(bdPeer *peer);
+    void	addStore(bdPeer *peer);
-void	writeStore(std::string file);
+    void	writeStore(std::string file);
-void	writeStore();
+    void	writeStore();
 
-	private:
+protected:
-		std::string mStoreFile;
+    std::string mStoreFile;
-		std::list<bdPeer> store;
+    std::list<bdPeer> store;
-		int mIndex;
+    int mIndex;
-		bdDhtFunctions *mFns;
+    bdDhtFunctions *mFns;
 };
 
 

libbitdht/src/udp/udpbitdht.cc

@@ -57,7 +57,7 @@
 
 /*************************************/
 
-UdpBitDht::UdpBitDht(UdpPublisher *pub, bdNodeId *id, std::string appVersion, std::string bootstrapfile, bdDhtFunctions *fns)
+UdpBitDht::UdpBitDht(UdpPublisher *pub, bdNodeId *id, std::string appVersion, std::string bootstrapfile, const std::string& filteredipfile, bdDhtFunctions *fns)
 	:UdpSubReceiver(pub), dhtMtx(true), mFns(fns)
 {
 	std::string usedVersion;
@@ -76,7 +76,7 @@ UdpBitDht::UdpBitDht(UdpPublisher *pub, bdNodeId *id, std::string appVersion, st
 
 	/* setup nodeManager */
 	bdStackMutex stack(dhtMtx); /********** MUTEX LOCKED *************/
-	mBitDhtManager = new bdNodeManager(id, usedVersion, bootstrapfile, fns);
+    mBitDhtManager = new bdNodeManager(id, usedVersion, bootstrapfile, filteredipfile, fns);
 }
 
 
@@ -209,7 +209,12 @@ int 	UdpBitDht::getDhtQueryStatus(const bdNodeId *id, bdQuerySummary &query)
 {
 	bdStackMutex stack(dhtMtx); /********** MUTEX LOCKED *************/
 
-	return mBitDhtManager->getDhtQueryStatus(id, query);
+    return mBitDhtManager->getDhtQueryStatus(id, query);
+}
+
+bool UdpBitDht::isAddressBanned(const sockaddr_in &raddr)
+{
+    return mBitDhtManager->addressBanned(raddr) ;
 }
 
 

libbitdht/src/udp/udpbitdht.h

@@ -50,7 +50,7 @@ class UdpBitDht: public UdpSubReceiver, public bdThread, public BitDhtInterface
 {
 	public:
 
-	UdpBitDht(UdpPublisher *pub, bdNodeId *id, std::string dhtVersion, std::string bootstrapfile, bdDhtFunctions *fns);
+    UdpBitDht(UdpPublisher *pub, bdNodeId *id, std::string dhtVersion, std::string bootstrapfile, const std::string& filteredipfile,bdDhtFunctions *fns);
 virtual ~UdpBitDht();
 
 
@@ -87,6 +87,8 @@ virtual int getDhtBucket(const int idx, bdBucket &bucket);
 virtual int getDhtQueries(std::map<bdNodeId, bdQueryStatus> &queries);
 virtual int getDhtQueryStatus(const bdNodeId *id, bdQuerySummary &query);
 
+    virtual bool isAddressBanned(const sockaddr_in &raddr) ;
+
         /* stats and Dht state */
 virtual int startDht();
 virtual int stopDht();

libretroshare/src/dht/p3bitdht.cc

@@ -82,7 +82,7 @@ virtual int dhtInfoCallback(const bdId *id, uint32_t type, uint32_t flags, std::
 
 
 p3BitDht::p3BitDht(const RsPeerId& id, pqiConnectCb *cb, p3NetMgr *nm, 
-			UdpStack *udpstack, std::string bootstrapfile)
+            UdpStack *udpstack, std::string bootstrapfile,const std::string& filteredipfile)
 	:p3Config(), pqiNetAssistConnect(id, cb), mNetMgr(nm), dhtMtx("p3BitDht")
 {
 	mDhtStunner = NULL;
@@ -129,7 +129,7 @@ p3BitDht::p3BitDht(const RsPeerId& id, pqiConnectCb *cb, p3NetMgr *nm,
 #endif
 
 	/* create dht */
-	mUdpBitDht = new UdpBitDht(udpstack, &mOwnDhtId, dhtVersion, bootstrapfile, mDhtFns);
+    mUdpBitDht = new UdpBitDht(udpstack, &mOwnDhtId, dhtVersion, bootstrapfile, filteredipfile,mDhtFns);
 	udpstack->addReceiver(mUdpBitDht);
 
 	/* setup callback to here */
@@ -373,7 +373,18 @@ bool 	p3BitDht::getExternalInterface(struct sockaddr_storage &/*raddr*/,
 #endif
 
 
-	return false;
+    return false;
+}
+
+bool p3BitDht::isAddressBanned(const sockaddr_storage &raddr)
+{
+    if(raddr.ss_family == AF_INET6)	// the DHT does not handle INET6 addresses yet.
+        return false ;
+
+    if(raddr.ss_family == AF_INET)
+        return mUdpBitDht->isAddressBanned((sockaddr_in&)raddr) ;
+
+    return false ;
 }
 
 

libretroshare/src/dht/p3bitdht.h

@@ -143,7 +143,7 @@ class p3BitDht: public p3Config, public pqiNetAssistConnect, public RsDht
 {
 	public:
 	p3BitDht(const RsPeerId& id, pqiConnectCb *cb, p3NetMgr *nm,
-		UdpStack *udpstack, std::string bootstrapfile);
+        UdpStack *udpstack, std::string bootstrapfile, const std::string &filteredipfile);
 
 
 virtual	~p3BitDht();
@@ -214,6 +214,7 @@ virtual bool 	getPeerStatus(const RsPeerId& id,
 virtual bool 	getExternalInterface(struct sockaddr_storage &raddr, 
 					uint32_t &mode);
 
+virtual bool	isAddressBanned(const struct sockaddr_storage& raddr) ;
 
 virtual bool    setAttachMode(bool on);
 

libretroshare/src/dht/p3bitdht_relay.cc

@@ -259,7 +259,7 @@ bool p3BitDht::saveList(bool &cleanup, std::list<RsItem *> &saveList)
 
 	config->print(std::cerr, 0);
 
-	saveList.push_back(config);
+    saveList.push_back(config);
 
 	return true;
 }

libretroshare/src/pqi/p3linkmgr.cc

@@ -47,6 +47,7 @@ const int p3connectzone = 3431;
 
 #include "retroshare/rsiface.h"
 #include "retroshare/rspeers.h"
+#include "retroshare/rsdht.h"
 
 /* Network setup States */
 
@@ -828,9 +829,9 @@ bool p3LinkMgrIMPL::connectResult(const RsPeerId &id, bool success, bool isIncom
 		if (success)
 		{
 			/* update address (should also come through from DISC) */
-#ifdef LINKMGR_DEBUG_CONNFAIL
+#ifdef LINKMGR_DEBUG
 			std::cerr << "p3LinkMgrIMPL::connectResult() Connect!: id: " << id << std::endl;
-			std::cerr << " Success: " << success << " flags: " << flags << std::endl;
+            std::cerr << " Success: " << success << " flags: " << flags << ", remote IP = " <<  sockaddr_storage_iptostring(remote_peer_address) << std::endl;
 #endif
 
 #ifdef LINKMGR_DEBUG
@@ -1730,7 +1731,11 @@ bool  p3LinkMgrIMPL::locked_CheckPotentialAddr(const struct sockaddr_storage &ad
 
 	std::list<struct sockaddr_storage>::const_iterator it;
 	for(it = mBannedIpList.begin(); it != mBannedIpList.end(); ++it)
-	{
+    {
+#ifdef LINKMGR_DEBUG
+        std::cerr << "Checking IP w.r.t. banned IP " << sockaddr_storage_iptostring(*it) << std::endl;
+#endif
+
 		if (sockaddr_storage_sameip(*it, addr))
 		{
 #ifdef LINKMGR_DEBUG
@@ -1741,6 +1746,15 @@ bool  p3LinkMgrIMPL::locked_CheckPotentialAddr(const struct sockaddr_storage &ad
 		}
 	}
 
+    if(rsDht != NULL && rsDht->isAddressBanned(addr))
+    {
+#ifdef LINKMGR_DEBUG
+            std::cerr << "p3LinkMgrIMPL::locked_CheckPotentialAddr() adding to local Banned IPList";
+            std::cerr << std::endl;
+#endif
+            mBannedIpList.push_back(addr) ;
+            return false ;
+    }
 
 	/* if it is an external address, we'll accept it.
 	 * - even it is meant to be a local address.
@@ -1891,8 +1905,7 @@ void  p3LinkMgrIMPL::locked_ConnectAttempt_HistoricalAddresses(peerConnectState
 	std::cerr << "p3LinkMgrIMPL::locked_ConnectAttempt_HistoricalAddresses()";
 	std::cerr << std::endl;
 #endif
-	for(ait = ipAddrs.mLocal.mAddrs.begin(); 
+    for(ait = ipAddrs.mLocal.mAddrs.begin();  ait != ipAddrs.mLocal.mAddrs.end(); ++ait)
-		ait != ipAddrs.mLocal.mAddrs.end(); ++ait)
 	{
 		if (locked_CheckPotentialAddr(ait->mAddr, now - ait->mSeenTime))
 		{
@@ -2235,7 +2248,14 @@ void p3LinkMgrIMPL::printPeerLists(std::ostream &out)
                 }
         }
 
-        return;
+    return;
+}
+
+bool p3LinkMgrIMPL::checkPotentialAddr(const sockaddr_storage &addr, time_t age)
+{
+    RsStackMutex stack(mLinkMtx); /****** STACK LOCK MUTEX *******/
+
+    return locked_CheckPotentialAddr(addr,age) ;
 }
 
 

libretroshare/src/pqi/p3linkmgr.h

@@ -186,6 +186,7 @@ virtual bool 	getLocalAddress(struct sockaddr_storage &addr) = 0;
 virtual void	getFriendList(std::list<RsPeerId> &ssl_peers) = 0; // ONLY used by p3peers.cc USE p3PeerMgr instead.
 virtual bool	getFriendNetStatus(const RsPeerId &id, peerConnectState &state) = 0; // ONLY used by p3peers.cc
 
+virtual bool 	checkPotentialAddr(const struct sockaddr_storage &addr, time_t age)=0;
 
 	/************* DEPRECIATED FUNCTIONS (TO REMOVE) ********/
 virtual int 	addFriend(const RsPeerId &ssl_id, bool isVisible) = 0;
@@ -269,6 +270,7 @@ int 	removeFriend(const RsPeerId &ssl_id);
 
 void 	printPeerLists(std::ostream &out);
 
+virtual bool checkPotentialAddr(const struct sockaddr_storage &addr, time_t age);
 protected:
 	/* THESE CAN PROBABLY BE REMOVED */
 //bool	shutdown(); /* blocking shutdown call */

libretroshare/src/pqi/p3netmgr.cc

@@ -1126,12 +1126,12 @@ bool    p3NetMgrIMPL::setNetworkMode(uint32_t netMode)
 
 		oldNetMode = mNetMode;
 
-//#ifdef NETMGR_DEBUG
+#ifdef NETMGR_DEBUG
-		std::cerr << "p3NetMgrIMPL::setNetworkMode()";
+        std::cerr << "p3NetMgrIMPL::setNetworkMode()";
-		std::cerr << " Existing netMode: " << mNetMode;
+        std::cerr << " Existing netMode: " << mNetMode;
-		std::cerr << " Input netMode: " << netMode;
+        std::cerr << " Input netMode: " << netMode;
-		std::cerr << std::endl;
+        std::cerr << std::endl;
-//#endif
+#endif
 		mNetMode &= ~(RS_NET_MODE_TRYMODE);
 
 		switch(netMode & RS_NET_MODE_ACTUAL)
@@ -1169,7 +1169,7 @@ bool    p3NetMgrIMPL::setVisState(uint16_t vs_disc, uint16_t vs_dht)
 {
 	RsStackMutex stack(mNetMtx); /****** STACK LOCK MUTEX *******/
 	mVsDisc = vs_disc;
-	mVsDht = vs_dht;
+    mVsDht = vs_dht;
 
 	/* if we've started up - then tweak Dht On/Off */
 	if (mNetStatus != RS_NET_UNKNOWN)

libretroshare/src/pqi/p3peermgr.cc

@@ -275,8 +275,9 @@ bool p3PeerMgrIMPL::setOwnVisState(uint16_t vs_disc, uint16_t vs_dht)
 void p3PeerMgrIMPL::tick()
 {
 
-	static const time_t INTERVAL_BETWEEN_LOCATION_CLEANING = 1860 ; // Remove unused locations every 31 minutes.
+    static const time_t INTERVAL_BETWEEN_LOCATION_CLEANING = 600 ; // Remove unused locations and clean IPs every 10 minutes.
-	static time_t last_friends_check = time(NULL) + INTERVAL_BETWEEN_LOCATION_CLEANING; // first cleaning after 1 hour.
+
+    static time_t last_friends_check = time(NULL) + INTERVAL_BETWEEN_LOCATION_CLEANING; // first cleaning after 1 hour.
 
 	time_t now = time(NULL) ;
 
@@ -288,7 +289,13 @@ void p3PeerMgrIMPL::tick()
 
 		rslog(RSL_WARNING, p3peermgrzone, "p3PeerMgr::tick() removeUnusedLocations()");
 
-		removeUnusedLocations() ;
+        removeUnusedLocations() ;
+
+#ifdef PEER_DEBUG
+        std::cerr << "p3PeerMgrIMPL::tick(): cleaning banned/old IPs." << std::endl ;
+#endif
+        removeBannedIps() ;
+
 		last_friends_check = now ;
 	}
 }
@@ -1699,7 +1706,7 @@ bool  p3PeerMgrIMPL::loadList(std::list<RsItem *>& load)
 #endif
 				/* add ownConfig */
 				setOwnNetworkMode(pitem->netMode);
-				setOwnVisState(pitem->vs_disc, pitem->vs_dht);
+                setOwnVisState(pitem->vs_disc, pitem->vs_dht);
 
 				mOwnState.gpg_id = AuthGPG::getAuthGPG()->getGPGOwnId();
 				mOwnState.location = AuthSSL::getAuthSSL()->getOwnLocation();
@@ -1727,7 +1734,7 @@ bool  p3PeerMgrIMPL::loadList(std::list<RsItem *>& load)
 			else
 			{
 				setLocalAddress(peer_id, pitem->localAddrV4.addr);
-				setExtAddress(peer_id, pitem->extAddrV4.addr);
+                setExtAddress(peer_id, pitem->extAddrV4.addr);
 				setDynDNS (peer_id, pitem->dyndns);
 
 				/* convert addresses */
@@ -2233,8 +2240,57 @@ bool	p3PeerMgrIMPL::getAssociatedPeers(const RsPgpId &gpg_id, std::list<RsPeerId
 	return (count > 0);
 }
 
+// goes through the list of known friend IPs and remove the ones that are banned by p3LinkMgr.
 
+static bool cleanIpList(std::list<pqiIpAddress>& lst,const RsPeerId& pid,p3LinkMgr *link_mgr)
+{
+    bool changed = false ;
+    time_t now = time(NULL) ;
 
+    for(std::list<pqiIpAddress>::iterator it2(lst.begin());it2 != lst.end();)
+    {
+#ifdef P3PEERS_DEBUG
+      std::cerr << "Checking IP address " << sockaddr_storage_iptostring( (*it2).mAddr) << " for peer " << pid << ", age = " << now - (*it2).mSeenTime << std::endl;
+#endif
+        if(!link_mgr->checkPotentialAddr( (*it2).mAddr,now - (*it2).mSeenTime))
+        {
+#ifdef P3PEERS_DEBUG
+            std::cerr << "  ==> Removing Banned/old IP address " << sockaddr_storage_iptostring( (*it2).mAddr) << " from peer " << pid << ", age = " << now - (*it2).mSeenTime << std::endl;
+#endif
+
+            std::list<pqiIpAddress>::iterator ittmp = it2 ;
+            ++ittmp ;
+            lst.erase(it2) ;
+            it2 = ittmp ;
+
+            changed = true ;
+        }
+        else
+            ++it2 ;
+    }
+
+    return changed ;
+}
+
+bool p3PeerMgrIMPL::removeBannedIps()
+{
+    RsStackMutex stack(mPeerMtx); /****** STACK LOCK MUTEX *******/
+
+    bool changed = false ;
+    for( std::map<RsPeerId, peerState>::iterator it = mFriendList.begin(); it != mFriendList.end(); ++it)
+    {
+        changed = changed || cleanIpList(it->second.ipAddrs.mExt.mAddrs,it->first,mLinkMgr) ;
+        changed = changed || cleanIpList(it->second.ipAddrs.mLocal.mAddrs,it->first,mLinkMgr) ;
+    }
+
+    changed = changed || cleanIpList(mOwnState.ipAddrs.mExt.mAddrs,mOwnState.id,mLinkMgr) ;
+    changed = changed || cleanIpList(mOwnState.ipAddrs.mLocal.mAddrs,mOwnState.id,mLinkMgr) ;
+
+    if(changed)
+        IndicateConfigChanged();
+
+    return true ;
+}
 
 // /* This only removes SSL certs, that are old... Can end up with no Certs per GPG Id 
 //  * We are removing the concept of a "DummyId" - There is no need for it.
@@ -2268,7 +2324,7 @@ bool p3PeerMgrIMPL::removeUnusedLocations()
 				toRemove.push_back(it->first);
 
 #ifdef P3PEERS_DEBUG
-				std::cerr << "p3PeerMgr::removeUnusedLocations() removing Old SSL Id: " << it->first << std::endl;
+                std::cerr << "p3PeerMgr::removeUnusedLocations() removing Old SSL Id: " << it->first << std::endl;
 #endif
 				
 			}

libretroshare/src/pqi/p3peermgr.h

@@ -325,12 +325,11 @@ int 	getConnectAddresses(const RsPeerId &id,
 				struct sockaddr_storage &lAddr, struct sockaddr_storage &eAddr, 
 				pqiIpAddrSet &histAddrs, std::string &dyndns);
 
-
-
 protected:
 	/* Internal Functions */
 
 bool 	removeUnusedLocations();
+bool 	removeBannedIps();
 
 void    printPeerLists(std::ostream &out);
 

libretroshare/src/pqi/pqimonitor.h

@@ -161,6 +161,7 @@ virtual void    peerConnectRequest(const RsPeerId& id, const struct sockaddr_sto
 			const struct sockaddr_storage &proxyaddr,  const struct sockaddr_storage &srcaddr,  
                         uint32_t source, uint32_t flags, uint32_t delay, uint32_t bandwidth) = 0;
 
+
 //virtual void	stunStatus(std::string id, const struct sockaddr_storage &raddr, uint32_t type, uint32_t flags) = 0;
 };
 

libretroshare/src/pqi/pqiperson.cc

@@ -216,7 +216,11 @@ int	pqiperson::tick()
 // - Actually, now we have - must store and process later.
 int 	pqiperson::notifyEvent(NetInterface *ni, int newState, const struct sockaddr_storage &remote_peer_address)
 {
-	if (mPersonMtx.trylock())
+#ifdef PERSON_DEBUG
+    std::cerr << "pqiperson::notifyEvent() adding event to Queue. newState=" << newState << " from IP = " << sockaddr_storage_tostring(remote_peer_address) << std::endl;
+#endif
+
+    if (mPersonMtx.trylock())
 	{
 		handleNotifyEvent_locked(ni, newState, remote_peer_address);
 
@@ -225,7 +229,6 @@ int 	pqiperson::notifyEvent(NetInterface *ni, int newState, const struct sockadd
 		return 1;
 	}
 
-
 	RsStackMutex stack(mNotifyMtx); /**** LOCK MUTEX ****/
 
 	mNotifyQueue.push_back(NotifyData(ni, newState, remote_peer_address));

libretroshare/src/pqi/pqissl.cc

@@ -1306,7 +1306,7 @@ int 	pqissl::Authorise_SSL_Connection()
 	// 	which could be 
 	//      (pqissl's case) sslcert->serveraddr or sslcert->localaddr.
 
-	AuthSSL::getAuthSSL()->CheckCertificate(PeerId(), peercert);
+    bool res = AuthSSL::getAuthSSL()->CheckCertificate(PeerId(), peercert);
 	bool certCorrect = true; /* WE know it okay already! */
 
 	// check it's the right one.
@@ -1315,6 +1315,7 @@ int 	pqissl::Authorise_SSL_Connection()
 		// then okay...
 		rslog(RSL_WARNING, pqisslzone, "pqissl::Authorise_SSL_Connection() Accepting Conn. Peer: " + PeerId().toStdString());
 
+        //std::cerr << "pqissl::Authorise_SSL_Connection(): accepting connection from " << sockaddr_storage_iptostring(remote_addr) << std::endl;
 		accept_locked(ssl_connection, sockfd, remote_addr);
 		return 1;
 	}

libretroshare/src/pqi/pqissllistener.cc

@@ -45,6 +45,7 @@ const int pqissllistenzone = 49787;
  * #define OPEN_UNIVERSAL_PORT 1
  */
 
+//#define DEBUG_LISTENNER
 #define OPEN_UNIVERSAL_PORT 1
 
 /************************ PQI SSL LISTEN BASE ****************************
@@ -373,25 +374,31 @@ int	pqissllistenbase::acceptconnection()
 
 	SSL_set_fd(incoming_connexion_info.ssl, fd);
 
-	return continueSSL(incoming_connexion_info, true); // continue and save if incomplete.
+    return continueSSL(incoming_connexion_info, true); // continue and save if incomplete.
 }
 
 int	pqissllistenbase::continueSSL(IncomingSSLInfo& incoming_connexion_info, bool addin)
 {
 	// attempt the accept again.
-	int fd =  SSL_get_fd(incoming_connexion_info.ssl);
+    int fd =  SSL_get_fd(incoming_connexion_info.ssl);
 
-	// clear the connection info that will be filled in by the callback.
+    AuthSSL::getAuthSSL()->setCurrentConnectionAttemptInfo(RsPgpId(),RsPeerId(),std::string()) ;
-	//
+    int err = SSL_accept(incoming_connexion_info.ssl);
-	AuthSSL::getAuthSSL()->setCurrentConnectionAttemptInfo(RsPgpId(),RsPeerId(),std::string()) ;
 
-	int err = SSL_accept(incoming_connexion_info.ssl);
+    // Now grab the connection info that was filled in by the callback.
+    // In the case the callback did not succeed the SSL certificate will not be accessible
+    // from SSL_get_peer_certificate, so we need to get it from the callback system.
+    //
+    AuthSSL::getAuthSSL()->getCurrentConnectionAttemptInfo(incoming_connexion_info.gpgid,incoming_connexion_info.sslid,incoming_connexion_info.sslcn) ;
 
-	// No grab the connection info that was filled in by the callback.
+#ifdef DEBUG_LISTENNER
-	//
+    std::cerr << "Info from callback: " << std::endl;
-	AuthSSL::getAuthSSL()->getCurrentConnectionAttemptInfo(incoming_connexion_info.gpgid,incoming_connexion_info.sslid,incoming_connexion_info.sslcn) ;
+        std::cerr << "  Got PGP Id = " << incoming_connexion_info.gpgid << std::endl;
+        std::cerr << "  Got SSL Id = " << incoming_connexion_info.sslid << std::endl;
+        std::cerr << "  Got SSL CN = " << incoming_connexion_info.sslcn << std::endl;
+#endif
 
-	if (err <= 0)
+    if (err <= 0)
 	{
 		int ssl_err = SSL_get_error(incoming_connexion_info.ssl, err);
 		int err_err = ERR_get_error();
@@ -445,7 +452,34 @@ int	pqissllistenbase::continueSSL(IncomingSSLInfo& incoming_connexion_info, bool
 
 		// failure -1, pending 0, sucess 1.
 		return -1;
-	}
+    }
+
+    // Now grab the connection info from the SSL itself, because the callback info might be
+    // tempered due to multiple connection attempts at once.
+    //
+    X509 *x509 = SSL_get_peer_certificate(incoming_connexion_info.ssl) ;
+
+#ifdef DEBUG_LISTENNER
+    std::cerr << "Info from certificate: " << std::endl;
+#endif
+    if(x509 != NULL)
+    {
+        incoming_connexion_info.gpgid = RsPgpId(std::string(getX509CNString(x509->cert_info->issuer)));
+        incoming_connexion_info.sslcn = getX509CNString(x509->cert_info->subject);
+
+        getX509id(x509,incoming_connexion_info.sslid);
+
+#ifdef DEBUG_LISTENNER
+        std::cerr << "  Got PGP Id = " << incoming_connexion_info.gpgid << std::endl;
+        std::cerr << "  Got SSL Id = " << incoming_connexion_info.sslid << std::endl;
+        std::cerr << "  Got SSL CN = " << incoming_connexion_info.sslcn << std::endl;
+#endif
+    }
+#ifdef DEBUG_LISTENNER
+    else
+        std::cerr << "  no info." << std::endl;
+#endif
+
 
 	// if it succeeds
 	if (0 < completeConnection(fd, incoming_connexion_info))
@@ -888,6 +922,18 @@ int pqissllistener::finaliseConnection(int fd, SSL *ssl, const RsPeerId& peerId,
 	out += "\npqissllistener => Passing to pqissl module!";
 	pqioutput(PQL_WARNING, pqissllistenzone, out);
 
+    std::string addrstring = sockaddr_storage_tostring(remote_addr);
+
+    if(!strncmp(addrstring.c_str(),"IPv4=194.228",12))
+        std::cerr << "Caught connection from bad address " << addrstring << " for peer ID " << peerId << std::endl;
+
+    if(!strncmp(addrstring.c_str(),"IPv4=217.66",11))
+        std::cerr << "Caught connection from bad address " << addrstring << " for peer ID " << peerId << std::endl;
+
+    if(!strncmp(addrstring.c_str(),"IPv4=194.199",12))
+        std::cerr << "Caught connection from bad address " << addrstring << std::endl;
+    std::cerr << "pqissllistenner::finaliseConnection() connected to " << sockaddr_storage_tostring(remote_addr) << std::endl;
+
 	// hand off ssl conection.
 	pqissl *pqis = it -> second;
 	pqis -> accept(ssl, fd, remote_addr);

libretroshare/src/retroshare/rsdht.h

@@ -195,6 +195,7 @@ virtual int	setRelayAllowance(int classIdx, uint32_t  count, uint32_t  bandwidth
 	// So we can provide to clients.
 virtual bool    getOwnDhtId(std::string &ownDhtId) = 0;
 
+virtual bool	isAddressBanned(const struct sockaddr_storage& raddr) =0;
 
 #if 0
 virtual std::string getPeerStatusString();

libretroshare/src/rsserver/rsinit.cc

@@ -1079,16 +1079,20 @@ int RsServer::StartupRetroShare()
 #ifdef RS_USE_BITDHT
 
 #define BITDHT_BOOTSTRAP_FILENAME  	"bdboot.txt"
+#define BITDHT_FILTERED_IP_FILENAME  	"bdfilter.txt"
 
 
 	std::string bootstrapfile = rsAccounts->PathAccountDirectory();
 	if (bootstrapfile != "")
-	{
 		bootstrapfile += "/";
-	}
 	bootstrapfile += BITDHT_BOOTSTRAP_FILENAME;
 
-	std::cerr << "Checking for DHT bootstrap file: " << bootstrapfile << std::endl;
+    std::string filteredipfile = rsAccounts->PathAccountDirectory();
+    if (filteredipfile != "")
+        filteredipfile += "/";
+    filteredipfile += BITDHT_FILTERED_IP_FILENAME;
+
+    std::cerr << "Checking for DHT bootstrap file: " << bootstrapfile << std::endl;
 
 	/* check if bootstrap file exists...
 	 * if not... copy from dataDirectory
@@ -1137,7 +1141,7 @@ int RsServer::StartupRetroShare()
 #endif
 
 	// NEXT BITDHT.
-	p3BitDht *mBitDht = new p3BitDht(ownId, mLinkMgr, mNetMgr, mDhtStack, bootstrapfile);
+    p3BitDht *mBitDht = new p3BitDht(ownId, mLinkMgr, mNetMgr, mDhtStack, bootstrapfile, filteredipfile);
 	/* install external Pointer for Interface */
 	rsDht = mBitDht;