What about adding GUARDED_BY(…) (see #10866 and #11226) annotations here?

Like this:

    CCriticalSection m_cs_banned;
    banmap_t m_banned GUARDED_BY(m_cs_banned);
    bool m_is_dirty GUARDED_BY(m_cs_banned);

Nit: The lock was renamed from cs_setBanned to m_cs_banned. All CCriticalSection:s in the code base except m_cs_callbacks_pending are named with the cs_ prefix (as opposed to m_cs_). Is m_cs_ the recommended prefix going forward? More specifically, what prefix is recommended for my work in #10866? :-)

I think there is a point in having consistent naming for the locks in order to allow for easy grepping of the locks. Personally I use grepping frequently (e.g. git grep ' cs_[a-zA-Z0-9]\+;' -- "*.h" "*.cpp") in the scripts that keep tracks of the locks to cover in #10866).

See https://github.com/bitcoin/bitcoin/blob/master/doc/developer-notes.md:

Class member variables have a m_ prefix.

So yes, m_cs_foo is the recommended syntax going forward for member mutexes, I suppose.

What about adding GUARDED_BY(…) (see #10866 and #11226) annotations here?

Will do. Additionally, this actually needs another mutex for the db. I've been debating whether it should be fixed as part of this PR, but event-driven db flushes can actually collide with the one on a timer. addrman has the same issue, and that may be the cause of some addrman corruption we've seen lately (#11252, #11409, #11454).

Make explicit?

Will do.

Should this be a class-level comment? (Like placed right above class BanMan)

Sure

BanMan still needs class-level comment.

Shouldnt these technically be in the opposite order? Isnt there otherwise a (supidly rare) race where a new connection can come in and slip behind the ban?

Yes, good point. Will fix.

Inverting opens another dumb case: ban -> (unban -> connect) -> disconnect 🙄 Do you think DisconnectNode() should be called inside Ban() while the lock is held?

I don't see how this could reasonably happen. Anyway, it's not a departure from the current behavior.

Use std::make_unique.

that's c++14 :(

A substitute for C++14 std::make_unique in the form of MakeUnique is added to util.h as part of #11043 (see 27a54ea) which will hopefully be merged soon :-)

Inverting opens another dumb case: ban -> (unban -> connect) -> disconnect 🙄 Do you think DisconnectNode() should be called inside Ban() while the lock is held?

Use std::make_unique.

Use std::make_unique.

It's not available in c++11, but we do have MakeUnique in src/util.h

Would it make sense to move ClearBanned() to a subclass that's only used by the test suite?

This is a misleading comment that needs to be dropped. This is used by the clearbanned rpc as well.

I think we need to invoke the new DisconnectNode() method that takes a CNetAddr, rather than just the nodeid, in order to keep the behavior the same (ie disconnect all peers on the same subnet)?

When accepting an ip as a string from the user I agree. But in this case the request is for a specific node, so I would argue that the id is more in line with what the user would expect.

I don't care hugely either way though.

As an aside, what we really need here is kick/ban/kick+ban options. But I don't think it's worth adding the complexity?

Is this a place where a constexpr is preferred over just const?

Yep, will change.

(same question as before, about whether constexpr should be preferred?)

Mostly an aside, since we're already doing it this way with connman, but I'm curious why we're not using shared pointers here instead of this unique_ptr.get() stuff?

Because these aren't intended to be actual globals. We just don't (yet) have the infrastructure to pass them into RPC and qt. Once banman/addrman are split out, I'll be PRing a set of changes that make RPC instantiated. With that done, the ui (rpc/qt/whatever else) will have these interfaces passed in, and they can assume that the pointers are good for their lifetime.

Is there a circumstance where g_banman would not exist here? If so a comment would be nice; if not then I'm wondering if we should assert instead, or otherwise enforce a shutdown.

My original thinking was that if we add a -nop2p option (which I'm hoping we can do soon), the bandb would be disabled as well. But thinking about it now, one doesn't exclude the other. So yes, an assert makes more sense here. Will do.

Why do we need this, if the BanMan already dumps its banlist in its destructor?

Good point, will remove.

nit: Does this rpc error change require a release note mention? If so, we should track this in an issue.

I didn't bother with docs because as far as I know, it's been impossible to receive this error in practice because g_connman always exists. It won't be until we have a -nop2p that it's relevant.

Same comment as before about using nodeid rather than address

Same response :)

Note that these comments are a bit stale. We used to track down the entry by looking through all node addresses, but now we use the id directly. I'll update those comments independently.

Also, see the behavior of disconnectSelectedNode above. I think it makes sense to be consistent with that?

For the sake of not over-complicating this, It may make sense to just keep the old behavior for this PR and switch to id in a follow-up.

nit: Consider adding a release-note to do for the rpc error change in this rpc call as well.

Same as above. These could be asserts for now, but imo we're less likely to forget about these if errors are hooked up in advance.

I think we need to pass gArgs.GetArg("-bantime", DEFAULT_MISBEHAVING_BANTIME) here? Or else I'm missing how the command line argument gets used after this commit.

Very much so, thanks for catching that.

In commit net: Break disconnecting out of Ban(),

Why bool if the return value is not used?

Just to be consistent with the others.

In commit net: Break disconnecting out of Ban(),

Nit, add space.

Fixed

This is a behavior change when banning a remote IP in net_processing - we no longer disconnect any other connections from the same peer, only block new ones and disconnect the specific connection that made us ban them. Don't know that its a big deal, but might be nice to disconnect-by-ip there, too.

Good point. Disconnecting the single node seems more correct to me, but I'll revert to the current behavior here to avoid the change.

#11457 (comment)

In commit "net: Break disconnecting out of Ban()"

This is a behavior change

Seems to be fixed by the new change: #11457 (comment), but it would be clearer if commit message also said this commit does not change current behavior.

Hmm, it seems like our trend is to move things like this into the constructor/init logic for the subsystem/module itself instead of shoving everything in init. I rather liked that trend....

Well the schedule in this case is bitcoind specific. There's no reason for BanMan to know about it, and it's not exclusive to net. Throwing in an app-specific schedule would kinda defeat the purpose of breaking it out.

Ugh, I mean the other annoying bit is that init.o is, by far, our largest compilation module. Any excuse to pull stuff out of init and put knowledge of a module in that module instead of init seems like the right direction to me. Also because we're telling the scheduler to schedule calling a function in that module based on a timer set in that module's header just seems...weird to me. If we want to ensure its easy to add unit tests later you can easily make the scheduler an optional arg and skip dumping if one isn't provided to the constructor.

#11457 (comment)

In commit "banman: create and split out banman"

Well the schedule in this case is bitcoind specific. There's no reason for BanMan to know about it, and it's not exclusive to net. Throwing in an app-specific schedule would kinda defeat the purpose of breaking it out.

I'm surprised the scheduler would be considered "bitcoind specific" / "app-specific" but BanMan would not be. How could that be true? On the surface, it seems reasonable for BanMan to use the scheduler since it relies on a scheduler to function, and would seem to simplify init.cpp and anything else using BanMan.

@ryanofsky BanMan doesn't rely on a scheduler to function any more than the wallet does, that's a bitcoind thing. Banman just loads/unloads the bandb when it's told.

Imagine a small util to dump/edit the bandb, (which would be completely reasonable). The scheduler would just be a needless dependency.

@TheBlueMatt It's time to create an app context class (and .h/cpp) anyway, that holds these types of objects for the life of bitcoind. I figured one of us would get around to that once enough stuff had piled up in init.cpp :p .

This seems like a dead store?

Yes, will remove.

Is it really worth checking? We already check for g_banman further up, are we really anticipating having a g_banman but not a g_connman?

Yea, I think it may be useful in the future to run with -p2p=0 in order to view/cleanup your bandb.

I cant say I really understand the desire to avoid the argparsing dep, when you include <util.h> either way. Seems like useless indirection.

So that we can test independent of the cmdline args.

Commit [banman: create and split out banman].

I feel like this should be checked outside the surrounding if (pnode->addr.IsLocal()) statement. Doesn't make sense to log "not banning local peer" if it wouldn't have been banned anyway.