From 2a118cdacdac0e874605c772477812e7ebf929ed Mon Sep 17 00:00:00 2001
From: sprites0 <199826320+sprites0@users.noreply.github.com>
Date: Wed, 5 Nov 2025 07:38:24 +0000
Subject: [PATCH] feat: Default to localhost-only network, add
 --allow-network-overrides

Network now defaults to localhost-only (local discovery/listener, no DNS/NAT).
Use --allow-network-overrides flag to restore CLI-based network configuration.
---
 src/main.rs             |  7 +++++--
 src/node/cli.rs         |  7 +++++++
 src/node/mod.rs         |  4 ++++
 src/node/network/mod.rs | 32 +++++++++++++++++++++++---------
 4 files changed, 39 insertions(+), 11 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index 396aba9fb..9c446f297 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -39,8 +39,11 @@ fn main() -> eyre::Result<()> {
          ext: HlNodeArgs| async move {
             let default_upstream_rpc_url = builder.config().chain.official_rpc_url();
 
-            let (node, engine_handle_tx) =
-                HlNode::new(ext.block_source_args.parse().await?, ext.debug_cutoff_height);
+            let (node, engine_handle_tx) = HlNode::new(
+                ext.block_source_args.parse().await?,
+                ext.debug_cutoff_height,
+                ext.allow_network_overrides,
+            );
             let NodeHandle { node, node_exit_future: exit_future } = builder
                 .node(node)
                 .extend_rpc_modules(move |mut ctx| {
diff --git a/src/node/cli.rs b/src/node/cli.rs
index 44990f70e..67995eb2f 100644
--- a/src/node/cli.rs
+++ b/src/node/cli.rs
@@ -82,6 +82,13 @@ pub struct HlNodeArgs {
     /// * Refers to the Merkle trie used for eth_getProof and state root, not actual state values.
     #[arg(long, env = "EXPERIMENTAL_ETH_GET_PROOF")]
     pub experimental_eth_get_proof: bool,
+
+    /// Allow network configuration overrides from CLI.
+    ///
+    /// When enabled, network settings (discovery_addr, listener_addr, dns_discovery, nat)
+    /// will be taken from CLI arguments instead of being hardcoded to localhost-only defaults.
+    #[arg(long, env = "ALLOW_NETWORK_OVERRIDES")]
+    pub allow_network_overrides: bool,
 }
 
 /// The main reth_hl cli interface.
diff --git a/src/node/mod.rs b/src/node/mod.rs
index 48761ccb9..5726edebc 100644
--- a/src/node/mod.rs
+++ b/src/node/mod.rs
@@ -51,12 +51,14 @@ pub struct HlNode {
     engine_handle_rx: Arc<Mutex<Option<oneshot::Receiver<ConsensusEngineHandle<HlPayloadTypes>>>>>,
     block_source_config: BlockSourceConfig,
     debug_cutoff_height: Option<u64>,
+    allow_network_overrides: bool,
 }
 
 impl HlNode {
     pub fn new(
         block_source_config: BlockSourceConfig,
         debug_cutoff_height: Option<u64>,
+        allow_network_overrides: bool,
     ) -> (Self, oneshot::Sender<ConsensusEngineHandle<HlPayloadTypes>>) {
         let (tx, rx) = oneshot::channel();
         (
@@ -64,6 +66,7 @@ impl HlNode {
                 engine_handle_rx: Arc::new(Mutex::new(Some(rx))),
                 block_source_config,
                 debug_cutoff_height,
+                allow_network_overrides,
             },
             tx,
         )
@@ -95,6 +98,7 @@ impl HlNode {
                 engine_handle_rx: self.engine_handle_rx.clone(),
                 block_source_config: self.block_source_config.clone(),
                 debug_cutoff_height: self.debug_cutoff_height,
+                allow_network_overrides: self.allow_network_overrides,
             })
             .consensus(HlConsensusBuilder::default())
     }
diff --git a/src/node/network/mod.rs b/src/node/network/mod.rs
index 70ed586c2..d0c1c3c39 100644
--- a/src/node/network/mod.rs
+++ b/src/node/network/mod.rs
@@ -25,7 +25,10 @@ use reth_network::{NetworkConfig, NetworkHandle, NetworkManager};
 use reth_network_api::PeersInfo;
 use reth_provider::StageCheckpointReader;
 use reth_stages_types::StageId;
-use std::sync::Arc;
+use std::{
+    net::{Ipv4Addr, SocketAddr},
+    sync::Arc,
+};
 use tokio::sync::{Mutex, mpsc, oneshot};
 use tracing::info;
 
@@ -144,6 +147,8 @@ pub struct HlNetworkBuilder {
     pub(crate) block_source_config: BlockSourceConfig,
 
     pub(crate) debug_cutoff_height: Option<u64>,
+
+    pub(crate) allow_network_overrides: bool,
 }
 
 impl HlNetworkBuilder {
@@ -174,15 +179,24 @@ impl HlNetworkBuilder {
             ImportService::new(consensus, handle, from_network, to_network).await.unwrap();
         });
 
-        Ok(ctx.build_network_config(
-            ctx.network_config_builder()?
+        let mut config_builder = ctx.network_config_builder()?;
+
+        // Only apply localhost-only network settings if network overrides are NOT allowed
+        if !self.allow_network_overrides {
+            config_builder = config_builder
+                .discovery_addr(SocketAddr::new(Ipv4Addr::LOCALHOST.into(), 0))
+                .listener_addr(SocketAddr::new(Ipv4Addr::LOCALHOST.into(), 0))
                 .disable_dns_discovery()
-                .disable_nat()
-                .boot_nodes(boot_nodes())
-                .set_head(ctx.head())
-                .with_pow()
-                .block_import(Box::new(HlBlockImport::new(handle))),
-        ))
+                .disable_nat();
+        }
+
+        config_builder = config_builder
+            .boot_nodes(boot_nodes())
+            .set_head(ctx.head())
+            .with_pow()
+            .block_import(Box::new(HlBlockImport::new(handle)));
+
+        Ok(ctx.build_network_config(config_builder))
     }
 }