Open
Conversation
Third-party peers (e.g. via DHT gossip) can flood the peerstore with stale or misconfigured addresses for a single peer id. Real-world delegated-routing responses top out around 26 addrs per well-connected node, but a misbehaving peer can push hundreds before the global peerstore cap kicks in, crowding out good addrs during dial selection. Bound the stored unconnected addrs per peer to 64 by default and evict the unconnected entry with the nearest expiry when the cap is reached. This naturally sheds short-TTL gossip (TempAddrTTL) before longer-lived identify-backed entries (RecentlyConnectedAddrTTL) without tracking provenance. Addrs held by a live connection are never counted toward the cap and never evicted. - `WithMaxAddressesPerPeer(n)` lets callers tune the cap. - Enforcement lives in `addAddrsUnlocked` and `SetAddrs`, the two write paths that can grow the per-peer set. - Shared-suite `SetNegativeTTLClears` adds 100 addrs, above the new default; the inmem test factory raises the cap to 10000 so the shared suite keeps exercising general behavior rather than the cap path.
lidel
changed the title
Mirror the per-peer address cap from pstoremem in the datastore-backed addr book so both backends bound peerstore pollution from sources like DHT gossip. Adds Options.MaxAddrsPerPeer (default 64); when full, the unconnected entry with the nearest expiry is evicted before the new entry is inserted. Addresses held by a live connection (TTL >= ConnectedAddrTTL) are not counted and never evicted. A non-positive cap now disables the check in both backends, so WithMaxAddressesPerPeer(0) and Options.MaxAddrsPerPeer = 0 opt out cleanly. Shared suite fixtures use that switch instead of an arbitrary high number.
lidel
commented
Apr 15, 2026
MarcoPolo
approved these changes
Apr 17, 2026
Co-authored-by: Marco Munizaga <git@marcopolo.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Note
This is another fix that aims to reduce stale addr accumulation (defensive, on Consumer side).
Problem
Third-party peers (e.g. via DHT gossip) can flood the peerstore with stale or misconfigured addresses for a single peer id. Real-world delegated-routing responses top out around 26 addrs per well-connected node, but a misbehaving peer can push hundreds before the global peerstore cap kicks in, crowding out good addrs during dial selection.
This PR
Bound the stored unconnected addrs per peer to 64 by default and evict the unconnected entry with the nearest expiry when the cap is reached. This naturally sheds short-TTL gossip (TempAddrTTL) before longer-lived identify-backed entries (RecentlyConnectedAddrTTL) without tracking provenance. Addrs held by a live connection are never counted toward the cap and never evicted.
WithMaxAddressesPerPeer(n)lets callers tune the cap.addAddrsUnlockedandSetAddrs, the two write paths that can grow the per-peer set.SetNegativeTTLClearsadds 100 addrs, above the new default; the inmem test factory raises the cap to 10000 so the shared suite keeps exercising general behavior rather than the cap path.Open Questions