From 4087322d6a2e536aa50790d3fcca53f122751727 Mon Sep 17 00:00:00 2001 From: m4sterbunny Date: Tue, 23 Jul 2024 07:37:36 +0100 Subject: [PATCH] adds net-restrict to cli options (#1646) * adds nat-restrict to cli options Signed-off-by: m4sterbunny * Update docs/public-networks/reference/cli/options.md as per Besu's array == 1 required, array accepted Co-authored-by: Alexandra Carrillo <12214231+alexandratran@users.noreply.github.com> Signed-off-by: m4sterbunny * Update docs/public-networks/reference/cli/options.md if this, then need to do run through pg and verify previous Co-authored-by: Sally MacFarlane Signed-off-by: m4sterbunny * updates howto too Signed-off-by: m4sterbunny * Update docs/public-networks/how-to/connect/manage-peers.md proof Co-authored-by: Alexandra Carrillo <12214231+alexandratran@users.noreply.github.com> Signed-off-by: m4sterbunny * Update docs/public-networks/how-to/connect/manage-peers.md proof Co-authored-by: Alexandra Carrillo <12214231+alexandratran@users.noreply.github.com> Signed-off-by: m4sterbunny * Update docs/public-networks/reference/cli/options.md proof Co-authored-by: Alexandra Carrillo <12214231+alexandratran@users.noreply.github.com> Signed-off-by: m4sterbunny --------- Signed-off-by: m4sterbunny Co-authored-by: Joan E <153745173+joaniefromtheblock@users.noreply.github.com> Co-authored-by: Alexandra Carrillo <12214231+alexandratran@users.noreply.github.com> Co-authored-by: Sally MacFarlane --- .../how-to/connect/manage-peers.md | 13 ++++-- docs/public-networks/reference/cli/options.md | 42 +++++++++++++++++++ 2 files changed, 52 insertions(+), 3 deletions(-) diff --git a/docs/public-networks/how-to/connect/manage-peers.md b/docs/public-networks/how-to/connect/manage-peers.md index 63831218b96..768b904d0c0 100644 --- a/docs/public-networks/how-to/connect/manage-peers.md +++ b/docs/public-networks/how-to/connect/manage-peers.md 
@@ -12,9 +12,12 @@ tags: Hyperledger Besu peer-to-peer (P2P) discovery happens periodically based on the number of peers in a network and the node's [peer limit](#limit-peers). -The frequency of discovery isn't configurable, but you can -[limit remote connections](#limit-remote-connections) in public networks and -[randomly prioritize connections](../../reference/cli/options.md#random-peer-priority-enabled) in +The frequency of discovery isn't configurable, but you can: + +- [Limit remote connections](#limit-remote-connections) in public networks. +- [Allowlist peers by IP subnet](#allowlist-peers) to create a private network of peers across public +networks. +- [Randomly prioritize connections](../../reference/cli/options.md#random-peer-priority-enabled) in small, stable networks. :::info @@ -70,6 +73,10 @@ You can limit peers to reduce the bandwidth, CPU time, and disk access Besu uses To reduce the maximum number of peers, use the [`--max-peers`](../../reference/cli/options.md#max-peers) option. The default is 25. +## Allowlist peers + +You can can define specific IP subnets permitted to interact with the node using the [`--net-restrict`](../../reference/cli/options.md#net-restrict) configuration. This restricts access to only those peers whose IP addresses fall within the allowed subnets. This is useful if you maintain a set of nodes and want to restrict which of those can connect to external nodes. + ## Limit remote connections Prevent eclipse attacks when using [`--sync-mode`](../../reference/cli/options.md#sync-mode) and [`--fast-sync-min-peers`](../../reference/cli/options.md##sync-min-peers-fast-sync-min-peers) on public networks by enabling the [remote connection limits](../../reference/cli/options.md#remote-connections-limit-enabled). diff --git a/docs/public-networks/reference/cli/options.md b/docs/public-networks/reference/cli/options.md index 57c89bf60c2..6b350f31af8 100644 --- a/docs/public-networks/reference/cli/options.md 
+++ b/docs/public-networks/reference/cli/options.md @@ -2596,6 +2596,48 @@ You must specify `DOCKER` when using the [Besu Docker image](../../get-started/i ::: +### `net-restrict` + + + + + +```bash +--net-restrict=[,,...] +``` + + + + + +```bash +--net-restrict=192.168.1.0/24,10.0.0.0/8 +``` + + + + + +```bash +BESU_NET_RESTRICT=192.168.1.0/24,10.0.0.0/8 +``` + + + + + +```bash +net-restrict=["192.168.1.0/24","10.0.0.0/8"] +``` + + + + + +A comma-separated list of allowed IP subnets. +Peers whose IP addresses fall within the specified subnets are granted permission to interact with the node. +If not specified, no subnet-based peer permission restrictions are applied. + ### `network`
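Review bot: in the manage-peers.md hunk at `@@ -12,9 +12,12 @@`, the new bullet `- [Allowlist peers by IP subnet](#allowlist-peers) to create a private network of peers across public networks.` overstates what the option does. The options.md text added in the same PR only says that peers whose IP addresses fall inside the listed subnets may interact with the node; an IP-subnet filter does not by itself make the set of peers private, since any host that obtains an address inside an allowed range is admitted. Suggest `- [Allowlist peers by IP subnet](#allowlist-peers) to restrict peering to known address ranges.` The wrapped continuation line `networks.` should also be indented under its bullet so that the list item does not depend on lazy continuation.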
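Review bot: in the manage-peers.md hunk at `@@ -70,6 +73,10 @@`, the new `## Allowlist peers` paragraph has a doubled word (`You can can define`) and its last sentence reverses the direction of the restriction. The options.md description in this PR says the flag controls which remote peers, by IP subnet, may interact with this node; the sentence `want to restrict which of those can connect to external nodes` describes the opposite. Suggest: `You can define the IP subnets permitted to interact with the node using the [`--net-restrict`](../../reference/cli/options.md#net-restrict) option. Peers whose IP addresses fall outside the allowed subnets are rejected. This is useful if you operate a set of nodes and want them to peer only with each other.` The flag is also called a `configuration` here while the rest of the page calls such flags options. While in this region, the unchanged context line below links to `options.md##sync-min-peers-fast-sync-min-peers` with a doubled `#`, which yields a broken anchor and could be fixed in the same change.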
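Review bot: in the options.md hunk at `@@ -2596,6 +2596,48 @@`, the syntax block reads `--net-restrict=[,,...]` with nothing between the commas, so the reader cannot see what a value looks like; the placeholder is missing from the rendered output and should be restored, for example `--net-restrict=<SUBNET>[,<SUBNET>,...]`, with a sentence stating that each entry is a CIDR subnet as in the example `192.168.1.0/24,10.0.0.0/8`. The description also leaves the scope of the filter undefined: `granted permission to interact with the node` does not say whether the check applies to inbound connections, outbound dials, discovery traffic, or all of these, and an operator using this as a hardening control needs that stated explicitly, along with what happens to a peer outside the allowed subnets (refused, or discovered but never dialed). Finally, the configuration-file tab `net-restrict=["192.168.1.0/24","10.0.0.0/8"]` is fenced as ```bash although the content is TOML; the fence language should match the file format.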