_ Git - rust-lightning/commit

author	Matt Corallo <git@bluematt.me>
	Thu, 23 Jun 2022 21:25:17 +0000 (21:25 +0000)
committer	Matt Corallo <git@bluematt.me>
	Sat, 25 Jun 2022 02:25:32 +0000 (02:25 +0000)
commit	caa2a9a55bc92e5140d33c37ce0f7a95777c826d
tree	c953246f2ecd47777748e02baa2cb56b52126ce9	tree \| snapshot
parent	5ed3f25b21a4dcd9075e550735dc688d820b9f41	commit \| diff

Panic if we're running with outdated state instead of force-closing

When we receive a `channel_reestablish` with a `data_loss_protect`
that proves we're running with a stale state, instead of
force-closing the channel, we immediately panic. This lines up with
our refusal to run if we find a `ChannelMonitor` which is stale
compared to our `ChannelManager` during `ChannelManager`
deserialization. Ultimately both are an indication of the same
thing - that the API requirements on `chain::Watch` were violated.

In the "running with outdated state but ChannelMonitor(s) and
ChannelManager lined up" case specifically its likely we're running
off of an old backup, in which case connecting to peers with
channels still live is explicitly dangerous. That said, because
this could be an operator error that is correctable, panicing
instead of force-closing may allow for normal operation again in
the future (cc #1207).

In any case, we provide instructions in the panic message for how
to force-close channels prior to peer connection, as well as a note
on how to broadcast the latest state if users are willing to take
the risk.

Note that this is still somewhat unsafe until we resolve #1563.

lightning/src/ln/channel.rs		diff \| blob \| history
lightning/src/ln/channelmanager.rs		diff \| blob \| history
lightning/src/ln/functional_tests.rs		diff \| blob \| history