1 // This file is Copyright its original authors, visible in version control
4 // This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
5 // or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
6 // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
7 // You may not use this file except in accordance with one or both of these
10 //! Various user-configurable channel limits and settings which ChannelManager
13 use ln::channel::MAX_FUNDING_SATOSHIS_NO_WUMBO;
14 use ln::channelmanager::{BREAKDOWN_TIMEOUT, MAX_LOCAL_BREAKDOWN_TIMEOUT};
16 /// Configuration we set when applicable.
18 /// Default::default() provides sane defaults.
19 #[derive(Copy, Clone, Debug)]
20 pub struct ChannelHandshakeConfig {
21 /// Confirmations we will wait for before considering the channel locked in.
22 /// Applied only for inbound channels (see ChannelHandshakeLimits::max_minimum_depth for the
23 /// equivalent limit applied to outbound channels).
26 pub minimum_depth: u32,
27 /// Set to the number of blocks we require our counterparty to wait to claim their money (ie
28 /// the number of blocks we have to punish our counterparty if they broadcast a revoked
31 /// This is one of the main parameters of our security model. We (or one of our watchtowers) MUST
32 /// be online to check for revoked transactions on-chain at least once every our_to_self_delay
33 /// blocks (minus some margin to allow us enough time to broadcast and confirm a transaction,
34 /// possibly with time in between to RBF the spending transaction).
36 /// Meanwhile, asking for a too high delay, we bother peer to freeze funds for nothing in
37 /// case of an honest unilateral channel close, which implicitly decrease the economic value of
40 /// Default value: [`BREAKDOWN_TIMEOUT`], we enforce it as a minimum at channel opening so you
41 /// can tweak config to ask for more security, not less.
42 pub our_to_self_delay: u16,
43 /// Set to the smallest value HTLC we will accept to process.
45 /// This value is sent to our counterparty on channel-open and we close the channel any time
46 /// our counterparty misbehaves by sending us an HTLC with a value smaller than this.
48 /// Default value: 1. If the value is less than 1, it is ignored and set to 1, as is required
50 pub our_htlc_minimum_msat: u64,
51 /// If set, we attempt to negotiate the `scid_privacy` (referred to as `scid_alias` in the
52 /// BOLTs) option for outbound private channels. This provides better privacy by not including
53 /// our real on-chain channel UTXO in each invoice and requiring that our counterparty only
54 /// relay HTLCs to us using the channel's SCID alias.
56 /// If this option is set, channels may be created that will not be readable by LDK versions
57 /// prior to 0.0.106, causing [`ChannelManager`]'s read method to return a
58 /// [`DecodeError:InvalidValue`].
60 /// Note that setting this to true does *not* prevent us from opening channels with
61 /// counterparties that do not support the `scid_alias` option; we will simply fall back to a
62 /// private channel without that option.
64 /// Ignored if the channel is negotiated to be announced, see
65 /// [`ChannelConfig::announced_channel`] and
66 /// [`ChannelHandshakeLimits::force_announced_channel_preference`] for more.
68 /// Default value: false. This value is likely to change to true in the future.
70 /// [`ChannelManager`]: crate::ln::channelmanager::ChannelManager
71 /// [`DecodeError:InvalidValue`]: crate::ln::msgs::DecodeError::InvalidValue
72 pub negotiate_scid_privacy: bool,
75 impl Default for ChannelHandshakeConfig {
76 fn default() -> ChannelHandshakeConfig {
77 ChannelHandshakeConfig {
79 our_to_self_delay: BREAKDOWN_TIMEOUT,
80 our_htlc_minimum_msat: 1,
81 negotiate_scid_privacy: false,
86 /// Optional channel limits which are applied during channel creation.
88 /// These limits are only applied to our counterparty's limits, not our own.
90 /// Use 0/<type>::max_value() as appropriate to skip checking.
92 /// Provides sane defaults for most configurations.
94 /// Most additional limits are disabled except those with which specify a default in individual
95 /// field documentation. Note that this may result in barely-usable channels, but since they
96 /// are applied mostly only to incoming channels that's not much of a problem.
97 #[derive(Copy, Clone, Debug)]
98 pub struct ChannelHandshakeLimits {
99 /// Minimum allowed satoshis when a channel is funded. This is supplied by the sender and so
100 /// only applies to inbound channels.
102 /// Default value: 0.
103 pub min_funding_satoshis: u64,
104 /// Maximum allowed satoshis when a channel is funded. This is supplied by the sender and so
105 /// only applies to inbound channels.
107 /// Default value: 2^24 - 1.
108 pub max_funding_satoshis: u64,
109 /// The remote node sets a limit on the minimum size of HTLCs we can send to them. This allows
110 /// you to limit the maximum minimum-size they can require.
112 /// Default value: u64::max_value.
113 pub max_htlc_minimum_msat: u64,
114 /// The remote node sets a limit on the maximum value of pending HTLCs to them at any given
115 /// time to limit their funds exposure to HTLCs. This allows you to set a minimum such value.
117 /// Default value: 0.
118 pub min_max_htlc_value_in_flight_msat: u64,
119 /// The remote node will require we keep a certain amount in direct payment to ourselves at all
120 /// time, ensuring that we are able to be punished if we broadcast an old state. This allows to
121 /// you limit the amount which we will have to keep to ourselves (and cannot use for HTLCs).
123 /// Default value: u64::max_value.
124 pub max_channel_reserve_satoshis: u64,
125 /// The remote node sets a limit on the maximum number of pending HTLCs to them at any given
126 /// time. This allows you to set a minimum such value.
128 /// Default value: 0.
129 pub min_max_accepted_htlcs: u16,
130 /// Before a channel is usable the funding transaction will need to be confirmed by at least a
131 /// certain number of blocks, specified by the node which is not the funder (as the funder can
132 /// assume they aren't going to double-spend themselves).
133 /// This config allows you to set a limit on the maximum amount of time to wait.
135 /// Default value: 144, or roughly one day and only applies to outbound channels.
136 pub max_minimum_depth: u32,
137 /// Set to force an incoming channel to match our announced channel preference in
138 /// [`ChannelConfig::announced_channel`].
140 /// For a node which is not online reliably, this should be set to true and
141 /// [`ChannelConfig::announced_channel`] set to false, ensuring that no announced (aka public)
142 /// channels will ever be opened.
144 /// Default value: true.
145 pub force_announced_channel_preference: bool,
146 /// Set to the amount of time we're willing to wait to claim money back to us.
148 /// Not checking this value would be a security issue, as our peer would be able to set it to
149 /// max relative lock-time (a year) and we would "lose" money as it would be locked for a long time.
151 /// Default value: 2016, which we also enforce as a maximum value so you can tweak config to
152 /// reduce the loss of having useless locked funds (if your peer accepts)
153 pub their_to_self_delay: u16
156 impl Default for ChannelHandshakeLimits {
157 fn default() -> Self {
158 ChannelHandshakeLimits {
159 min_funding_satoshis: 0,
160 max_funding_satoshis: MAX_FUNDING_SATOSHIS_NO_WUMBO,
161 max_htlc_minimum_msat: <u64>::max_value(),
162 min_max_htlc_value_in_flight_msat: 0,
163 max_channel_reserve_satoshis: <u64>::max_value(),
164 min_max_accepted_htlcs: 0,
165 max_minimum_depth: 144,
166 force_announced_channel_preference: true,
167 their_to_self_delay: MAX_LOCAL_BREAKDOWN_TIMEOUT,
172 /// Options which apply on a per-channel basis and may change at runtime or based on negotiation
173 /// with our counterparty.
174 #[derive(Copy, Clone, Debug)]
175 pub struct ChannelConfig {
176 /// Amount (in millionths of a satoshi) charged per satoshi for payments forwarded outbound
177 /// over the channel.
178 /// This may be allowed to change at runtime in a later update, however doing so must result in
179 /// update messages sent to notify all nodes of our updated relay fee.
181 /// Default value: 0.
182 pub forwarding_fee_proportional_millionths: u32,
183 /// Amount (in milli-satoshi) charged for payments forwarded outbound over the channel, in
184 /// excess of [`forwarding_fee_proportional_millionths`].
185 /// This may be allowed to change at runtime in a later update, however doing so must result in
186 /// update messages sent to notify all nodes of our updated relay fee.
188 /// The default value of a single satoshi roughly matches the market rate on many routing nodes
189 /// as of July 2021. Adjusting it upwards or downwards may change whether nodes route through
192 /// Default value: 1000.
194 /// [`forwarding_fee_proportional_millionths`]: ChannelConfig::forwarding_fee_proportional_millionths
195 pub forwarding_fee_base_msat: u32,
196 /// The difference in the CLTV value between incoming HTLCs and an outbound HTLC forwarded over
197 /// the channel this config applies to.
199 /// This is analogous to [`ChannelHandshakeConfig::our_to_self_delay`] but applies to in-flight
200 /// HTLC balance when a channel appears on-chain whereas
201 /// [`ChannelHandshakeConfig::our_to_self_delay`] applies to the remaining
202 /// (non-HTLC-encumbered) balance.
204 /// Thus, for HTLC-encumbered balances to be enforced on-chain when a channel is force-closed,
205 /// we (or one of our watchtowers) MUST be online to check for broadcast of the current
206 /// commitment transaction at least once per this many blocks (minus some margin to allow us
207 /// enough time to broadcast and confirm a transaction, possibly with time in between to RBF
208 /// the spending transaction).
210 /// Default value: 72 (12 hours at an average of 6 blocks/hour).
211 /// Minimum value: [`MIN_CLTV_EXPIRY_DELTA`], any values less than this will be treated as
212 /// [`MIN_CLTV_EXPIRY_DELTA`] instead.
214 /// [`MIN_CLTV_EXPIRY_DELTA`]: crate::ln::channelmanager::MIN_CLTV_EXPIRY_DELTA
215 pub cltv_expiry_delta: u16,
216 /// Set to announce the channel publicly and notify all nodes that they can route via this
219 /// This should only be set to true for nodes which expect to be online reliably.
221 /// As the node which funds a channel picks this value this will only apply for new outbound
222 /// channels unless [`ChannelHandshakeLimits::force_announced_channel_preference`] is set.
224 /// This cannot be changed after the initial channel handshake.
226 /// Default value: false.
227 pub announced_channel: bool,
228 /// When set, we commit to an upfront shutdown_pubkey at channel open. If our counterparty
229 /// supports it, they will then enforce the mutual-close output to us matches what we provided
230 /// at intialization, preventing us from closing to an alternate pubkey.
232 /// This is set to true by default to provide a slight increase in security, though ultimately
233 /// any attacker who is able to take control of a channel can just as easily send the funds via
234 /// lightning payments, so we never require that our counterparties support this option.
236 /// This cannot be changed after a channel has been initialized.
238 /// Default value: true.
239 pub commit_upfront_shutdown_pubkey: bool,
240 /// Limit our total exposure to in-flight HTLCs which are burned to fees as they are too
241 /// small to claim on-chain.
243 /// When an HTLC present in one of our channels is below a "dust" threshold, the HTLC will
244 /// not be claimable on-chain, instead being turned into additional miner fees if either
245 /// party force-closes the channel. Because the threshold is per-HTLC, our total exposure
246 /// to such payments may be sustantial if there are many dust HTLCs present when the
247 /// channel is force-closed.
249 /// This limit is applied for sent, forwarded, and received HTLCs and limits the total
250 /// exposure across all three types per-channel. Setting this too low may prevent the
251 /// sending or receipt of low-value HTLCs on high-traffic nodes, and this limit is very
252 /// important to prevent stealing of dust HTLCs by miners.
254 /// Default value: 5_000_000 msat.
255 pub max_dust_htlc_exposure_msat: u64,
256 /// The additional fee we're willing to pay to avoid waiting for the counterparty's
257 /// `to_self_delay` to reclaim funds.
259 /// When we close a channel cooperatively with our counterparty, we negotiate a fee for the
260 /// closing transaction which both sides find acceptable, ultimately paid by the channel
261 /// funder/initiator.
263 /// When we are the funder, because we have to pay the channel closing fee, we bound the
264 /// acceptable fee by our [`Background`] and [`Normal`] fees, with the upper bound increased by
265 /// this value. Because the on-chain fee we'd pay to force-close the channel is kept near our
266 /// [`Normal`] feerate during normal operation, this value represents the additional fee we're
267 /// willing to pay in order to avoid waiting for our counterparty's to_self_delay to reclaim our
270 /// When we are not the funder, we require the closing transaction fee pay at least our
271 /// [`Background`] fee estimate, but allow our counterparty to pay as much fee as they like.
272 /// Thus, this value is ignored when we are not the funder.
274 /// Default value: 1000 satoshis.
276 /// [`Normal`]: crate::chain::chaininterface::ConfirmationTarget::Normal
277 /// [`Background`]: crate::chain::chaininterface::ConfirmationTarget::Background
278 pub force_close_avoidance_max_fee_satoshis: u64,
281 impl Default for ChannelConfig {
282 /// Provides sane defaults for most configurations (but with zero relay fees!).
283 fn default() -> Self {
285 forwarding_fee_proportional_millionths: 0,
286 forwarding_fee_base_msat: 1000,
287 cltv_expiry_delta: 6 * 12, // 6 blocks/hour * 12 hours
288 announced_channel: false,
289 commit_upfront_shutdown_pubkey: true,
290 max_dust_htlc_exposure_msat: 5_000_000,
291 force_close_avoidance_max_fee_satoshis: 1000,
296 impl_writeable_tlv_based!(ChannelConfig, {
297 (0, forwarding_fee_proportional_millionths, required),
298 (1, max_dust_htlc_exposure_msat, (default_value, 5_000_000)),
299 (2, cltv_expiry_delta, required),
300 (3, force_close_avoidance_max_fee_satoshis, (default_value, 1000)),
301 (4, announced_channel, required),
302 (6, commit_upfront_shutdown_pubkey, required),
303 (8, forwarding_fee_base_msat, required),
306 /// Top-level config which holds ChannelHandshakeLimits and ChannelConfig.
308 /// Default::default() provides sane defaults for most configurations
309 /// (but currently with 0 relay fees!)
310 #[derive(Copy, Clone, Debug)]
311 pub struct UserConfig {
312 /// Channel config that we propose to our counterparty.
313 pub own_channel_config: ChannelHandshakeConfig,
314 /// Limits applied to our counterparty's proposed channel config settings.
315 pub peer_channel_config_limits: ChannelHandshakeLimits,
316 /// Channel config which affects behavior during channel lifetime.
317 pub channel_options: ChannelConfig,
318 /// If this is set to false, we will reject any HTLCs which were to be forwarded over private
319 /// channels. This prevents us from taking on HTLC-forwarding risk when we intend to run as a
320 /// node which is not online reliably.
322 /// For nodes which are not online reliably, you should set all channels to *not* be announced
323 /// (using [`ChannelConfig::announced_channel`] and
324 /// [`ChannelHandshakeLimits::force_announced_channel_preference`]) and set this to false to
325 /// ensure you are not exposed to any forwarding risk.
327 /// Note that because you cannot change a channel's announced state after creation, there is no
328 /// way to disable forwarding on public channels retroactively. Thus, in order to change a node
329 /// from a publicly-announced forwarding node to a private non-forwarding node you must close
330 /// all your channels and open new ones. For privacy, you should also change your node_id
331 /// (swapping all private and public key material for new ones) at that time.
333 /// Default value: false.
334 pub accept_forwards_to_priv_channels: bool,
335 /// If this is set to false, we do not accept inbound requests to open a new channel.
336 /// Default value: true.
337 pub accept_inbound_channels: bool,
338 /// If this is set to true, the user needs to manually accept inbound requests to open a new
341 /// When set to true, [`Event::OpenChannelRequest`] will be triggered once a request to open a
342 /// new inbound channel is received through a [`msgs::OpenChannel`] message. In that case, a
343 /// [`msgs::AcceptChannel`] message will not be sent back to the counterparty node unless the
344 /// user explicitly chooses to accept the request.
346 /// Default value: false.
348 /// [`Event::OpenChannelRequest`]: crate::util::events::Event::OpenChannelRequest
349 /// [`msgs::OpenChannel`]: crate::ln::msgs::OpenChannel
350 /// [`msgs::AcceptChannel`]: crate::ln::msgs::AcceptChannel
351 pub manually_accept_inbound_channels: bool,
354 impl Default for UserConfig {
355 fn default() -> Self {
357 own_channel_config: ChannelHandshakeConfig::default(),
358 peer_channel_config_limits: ChannelHandshakeLimits::default(),
359 channel_options: ChannelConfig::default(),
360 accept_forwards_to_priv_channels: false,
361 accept_inbound_channels: true,
362 manually_accept_inbound_channels: false,