RPC methods filtering

Why filter RPC methods?

When running a Filecoin node, you might want to restrict the RPC methods that are available to the clients. This can be useful for security reasons, to limit the exposure of the node to the internet, or to reduce the load on the node by disabling unnecessary methods.

note

JWT authentication is a different way to restrict access to the node. It allows you to authorize certain operations on the node using JWTs. However, JWT restrictions are hard-coded in the node and cannot be changed dynamically. If you want to make sure that a certain read-only method is not available to the clients, you can use the method filtering feature.

The methods are first filtered by the method filtering feature, and then the JWT authentication is applied. If a method is disallowed by the method filtering, the JWT token will not be checked for this method.

How to filter RPC methods

You need to run forest with the --rpc-filter-list <PATH-TO-FILTER-LIST> argument. If the filter list is not provided, all methods are allowed by default.

Example

In this example, we will disallow the Filecoin.ChainExport method, which is used to export the chain to a file. This method should not be available to the clients due to its impact (compute, disk space, etc.) on the node.

  1. Create a filter list file, for example, filter-list.txt:
     # Disabling the snapshot exporting
     !Filecoin.ChainExport
  2. Run forest with the --rpc-filter-list argument:
     forest --chain calibnet --encrypt-keystore false --rpc-filter-list filter-list.txt
  3. Try to export the snapshot using the forest-cli:
     forest-cli snapshot-export

You should see the following error:

Getting ready to export...
Error: ErrorObject { code: ServerError(403), message: "Forbidden", data: None }

Caused by:
ErrorObject { code: ServerError(403), message: "Forbidden", data: None }

Filter list format

The filter list is a text file where each line represents a method that should be allowed or disallowed. The format is as follows:

  • ! at the beginning of the line means that the method is disallowed.
  • # at the beginning of the line is a comment and is ignored.
  • no prefix means that the method is allowed.

If there is a single allowed method (no prefix), all other methods are disallowed by default.

warning

Some methods have aliases, so you need to filter all of them. This is most prominent in the Filecoin.Eth.* namespace. They are implemented for compatibility with Lotus, see here.

Example filter lists

Allow only the Filecoin.StateCall method. All other methods are disallowed:

Filecoin.StateCall

Disallow the Filecoin.ChainExport method. All other methods are allowed:

!Filecoin.ChainExport

Disallow the Filecoin.EthGasPrice, Filecoin.EthEstimateGas, and their aliases. All other methods are allowed:

!Filecoin.EthGasPrice
!eth_gasPrice
!Filecoin.EthEstimateGas
!eth_estimateGas
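
The format rules and the alias warning above can be checked before a filter list is deployed. The following Rust program is an added example, not Forest's own code: it models the rules as stated on this page, assuming exact name matching and that a ! entry wins when a name is listed both ways. FilterList, alias_gaps and the ALIASES table (built from the alias pairs in the last example list) are hypothetical names.

```rust
use std::collections::BTreeSet;

/// Parsed filter list, modelling the rules stated on this page.
#[derive(Default)]
struct FilterList {
    allow: BTreeSet<String>,
    deny: BTreeSet<String>,
}

impl FilterList {
    fn parse(text: &str) -> Self {
        let mut list = FilterList::default();
        for line in text.lines().map(str::trim) {
            if line.is_empty() || line.starts_with('#') { continue; } // blank or comment
            match line.strip_prefix('!') {
                Some(name) => list.deny.insert(name.trim().to_string()),
                None => list.allow.insert(line.to_string()),
            };
        }
        list
    }
    /// Assumptions: exact name matching; "!" wins if a name is listed both ways.
    /// A single allowed entry turns the list into an allow-list.
    fn is_allowed(&self, method: &str) -> bool {
        !self.deny.contains(method) && (self.allow.is_empty() || self.allow.contains(method))
    }
    /// Denied methods whose alias is still reachable (the gap the warning describes).
    fn alias_gaps<'a>(&self, aliases: &[(&'a str, &'a str)]) -> Vec<(&'a str, &'a str)> {
        let mut gaps = Vec::new();
        for &(a, b) in aliases {
            if self.deny.contains(a) && self.is_allowed(b) { gaps.push((a, b)); }
            if self.deny.contains(b) && self.is_allowed(a) { gaps.push((b, a)); }
        }
        gaps
    }
}

// Alias pairs taken from the example lists on this page; extend for your node.
const ALIASES: &[(&str, &str)] = &[
    ("Filecoin.EthGasPrice", "eth_gasPrice"),
    ("Filecoin.EthEstimateGas", "eth_estimateGas"),
];

fn main() {
    // Constructed sample list: the eth_gasPrice alias was forgotten.
    let text = "# gas\n!Filecoin.EthGasPrice\n!Filecoin.EthEstimateGas\n!eth_estimateGas\n";
    for (denied, open) in FilterList::parse(text).alias_gaps(ALIASES) {
        println!("{denied} is denied but its alias {open} is still allowed");
    }
}
```

Running such a check in CI against the list passed to --rpc-filter-list catches a forgotten alias before the node is exposed.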