Optionally reject HTLC forwards over priv chans with a new config

[rust-lightning] / lightning / src / util / config.rs

diff --git a/lightning/src/util/config.rs b/lightning/src/util/config.rs
index f3fd0ce70793451fbe6e58ce3e2efc81ca84b3b5..2e9e8e036b5032d58a40d1748e92d1f70eb200cf 100644 (file)
--- a/lightning/src/util/config.rs
+++ b/lightning/src/util/config.rs
@@ -105,11 +105,14 @@ pub struct ChannelHandshakeLimits {
        ///
        /// Default value: 144, or roughly one day and only applies to outbound channels.
        pub max_minimum_depth: u32,
-       /// Set to force the incoming channel to match our announced channel preference in
-       /// ChannelConfig.
+       /// Set to force an incoming channel to match our announced channel preference in
+       /// [`ChannelConfig::announced_channel`].
        ///
-       /// Default value: true, to make the default that no announced channels are possible (which is
-       /// appropriate for any nodes which are not online very reliably).
+       /// For a node which is not online reliably, this should be set to true and
+       /// [`ChannelConfig::announced_channel`] set to false, ensuring that no announced (aka public)
+       /// channels will ever be opened.
+       ///
+       /// Default value: true.
        pub force_announced_channel_preference: bool,
        /// Set to the amount of time we're willing to wait to claim money back to us.
        ///
@@ -186,7 +189,7 @@ pub struct ChannelConfig {
        /// This should only be set to true for nodes which expect to be online reliably.
        ///
        /// As the node which funds a channel picks this value this will only apply for new outbound
-       /// channels unless ChannelHandshakeLimits::force_announced_channel_preferences is set.
+       /// channels unless [`ChannelHandshakeLimits::force_announced_channel_preference`] is set.
        ///
        /// This cannot be changed after the initial channel handshake.
        ///
@@ -239,6 +242,23 @@ pub struct UserConfig {
        pub peer_channel_config_limits: ChannelHandshakeLimits,
        /// Channel config which affects behavior during channel lifetime.
        pub channel_options: ChannelConfig,
+       /// If this is set to false, we will reject any HTLCs which were to be forwarded over private
+       /// channels. This prevents us from taking on HTLC-forwarding risk when we intend to run as a
+       /// node which is not online reliably.
+       ///
+       /// For nodes which are not online reliably, you should set all channels to *not* be announced
+       /// (using [`ChannelConfig::announced_channel`] and
+       /// [`ChannelHandshakeLimits::force_announced_channel_preference`]) and set this to false to
+       /// ensure you are not exposed to any forwarding risk.
+       ///
+       /// Note that because you cannot change a channel's announced state after creation, there is no
+       /// way to disable forwarding on public channels retroactively. Thus, in order to change a node
+       /// from a publicly-announced forwarding node to a private non-forwarding node you must close
+       /// all your channels and open new ones. For privacy, you should also change your node_id
+       /// (swapping all private and public key material for new ones) at that time.
+       ///
+       /// Default value: false.
+       pub accept_forwards_to_priv_channels: bool,
 }
 
 impl Default for UserConfig {
@@ -247,6 +267,7 @@ impl Default for UserConfig {
                        own_channel_config: ChannelHandshakeConfig::default(),
                        peer_channel_config_limits: ChannelHandshakeLimits::default(),
                        channel_options: ChannelConfig::default(),
+                       accept_forwards_to_priv_channels: false,
                }
        }
 }