Don't accept incoming connections for collators (#2644)

* Don't accept incoming connections for collators

on the `Collation` peer set.

* Better docs.

node/network/bridge/src/lib.rs

@@ -39,7 +39,7 @@ use polkadot_node_network_protocol::{
 /// Peer set infos for network initialization.
 ///
 /// To be added to [`NetworkConfiguration::extra_sets`].
-pub use polkadot_node_network_protocol::peer_set::peer_sets_info;
+pub use polkadot_node_network_protocol::peer_set::{peer_sets_info, IsAuthority};
 
 use std::collections::{HashMap, hash_map};
 use std::iter::ExactSizeIterator;

node/network/protocol/src/peer_set.rs

@@ -30,12 +30,23 @@ pub enum PeerSet {
 	Collation,
 }
 
+/// Whether or not a node is an authority or not.
+///
+/// Peer set configuration gets adjusted accordingly.
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub enum IsAuthority {
+	/// Node is authority.
+	Yes,
+	/// Node is not an authority.
+	No,
+}
+
 impl PeerSet {
 	/// Get `sc_network` peer set configurations for each peerset.
 	///
 	/// Those should be used in the network configuration to register the protocols with the
 	/// network service.
-	pub fn get_info(self) -> NonDefaultSetConfig {
+	pub fn get_info(self, is_authority: IsAuthority) -> NonDefaultSetConfig {
 		let protocol = self.into_protocol_name();
 		// TODO: lower this limit after https://github.com/paritytech/polkadot/issues/2283 is
 		// done and collations use request-response protocols
@@ -56,10 +67,15 @@ impl PeerSet {
 				notifications_protocol: protocol,
 				max_notification_size,
 				set_config: SetConfig {
-					in_peers: 25,
+					// Non-authority nodes don't need to accept incoming connections on this peer set:
+					in_peers: if is_authority == IsAuthority::Yes { 25 } else { 0 },
 					out_peers: 0,
 					reserved_nodes: Vec::new(),
-					non_reserved_mode: sc_network::config::NonReservedPeerMode::Accept,
+					non_reserved_mode: if is_authority == IsAuthority::Yes {
+						sc_network::config::NonReservedPeerMode::Accept
+					} else {
+						sc_network::config::NonReservedPeerMode::Deny
+					}
 				},
 			},
 		}
@@ -118,6 +134,6 @@ impl<T> IndexMut<PeerSet> for PerPeerSet<T> {
 ///
 /// Should be used during network configuration (added to [`NetworkConfiguration::extra_sets`])
 /// or shortly after startup to register the protocols with the network service.
-pub fn peer_sets_info() -> Vec<sc_network::config::NonDefaultSetConfig> {
-	PeerSet::iter().map(PeerSet::get_info).collect()
+pub fn peer_sets_info(is_authority: IsAuthority) -> Vec<sc_network::config::NonDefaultSetConfig> {
+	PeerSet::iter().map(|s| s.get_info(is_authority)).collect()
 }

node/service/src/lib.rs

@@ -709,7 +709,15 @@ pub fn new_full<RuntimeApi, Executor>(
 	// Substrate nodes.
 	config.network.extra_sets.push(grandpa::grandpa_peers_set_config());
 	#[cfg(feature = "real-overseer")]
-	config.network.extra_sets.extend(polkadot_network_bridge::peer_sets_info());
+	{
+		use polkadot_network_bridge::{peer_sets_info, IsAuthority};
+		let is_authority = if role.is_authority() {
+			IsAuthority::Yes
+		} else {
+			IsAuthority::No
+		};
+		config.network.extra_sets.extend(peer_sets_info(is_authority));
+	}
 
 	// Add a dummy collation set with the intent of printing an error if one tries to connect a
 	// collator to a node that isn't compiled with `--features real-overseer`.