We need some way to reflect the tradeoff between the possible delay if
a payment gets stuck, and the fees charged by nodes. This adds a risk
factor which reflects the probability that a node goes down, and the
cost associated with losing access to our funds for a given time.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
I had some nonsensical columns, eg "bool ours", but sqlite3 pretty much
ignores them. Use macros so mistakes are harder to make.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This is important when we put payments in the database: they need to be
updated atomically as the HTLC is.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This is important when we put payments in the database: they need to be
updated atomically as the HTLC is.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We had enum channel_side (OURS, THEIRS) for which end of a channel we
had, and htlc_side (LOCAL, REMOTE) for who proposed the HTLC.
Combine these both into simply "enum side".
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
In particular, make sure B can just afford it, then have the A add a
HTLC which means B can no longer afford the fees, and A should cover
it.
We do this by modifying the previous overlapping-fail test, but we
need to have B offer it the htlc before A does: racy in the normal
autocommit case. So we do a manual commit here, always.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
When they propose an HTLC to us, they need to be able to cover both it,
and the associated fees. When it gets acked and applied to them, however,
they may no longer be able to afford the fees; this is OK and expected.
So add a flag to say whether they can dig into fees or not: without
this patch the code calls fatal() on the next patch which tests it.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We create a logging object when we connect, then carry it through. If
it comes from the database, we just use the peerid as the log prefix.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
If we haven't received their closing signature yet, we might try to
send the closing packet anyway (and segfault). Make sure we have
their signature before trying that.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This is less convenient to use, but makes far more sense for a real
user (like a wallet). It can ask about the route, then decide whether
to use it or not.
This will make even more sense once we add a parameter to control how
long we let the HTLC be delayed for, so a client can query for high,
medium and low tolerances and compare results.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We stopped automatically retransmitting locally-generated add/removes
after a reconnect, but this breaks the "pay" interface as it stands.
The correct solution to this is to make the pay interface idempotent:
you can trigger it as many times as you want and it will only succeed
once.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
If we've not relayed a failure yet (ie. we relayed it instantly, but it
wasn't confirmed), we need to redo it.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
It's not currently encrypted, but at least you get some idea now why
an HTLC failed. We (ab)use HTTP error codes for the moment.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
These low level commands we restarted on reconnect for ease of
testing. Don't do that, and check that we're connected when those
commands occur.
This introduces subtle issues with --manual-commit --reconnect: restarting
node1 also forgets uncommitted things from node2, requiring reordering for
some tests.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We capture the output in case we need to resubmit the command after restarting,
but we weren't printing it out on failure (set -e means we'd stop immediately).
As a side-effect of this change, we don't restart after failed
commands, which caused another bug: we were writing the 2->3 route to
the config file, but not restarting again, so we lost the route.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
If we send an HTLC #1, then get disconnected before a confirm, we will
forget it. But we've incremented peer->htlc_id_counter, so when we offer
it again we'll make it HTLC #2, which is non-consecutive.
To make this clear, we always start htlc ids at 0 now. That revealed
the bugs handled in the previous patch.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
We don't have an ordering of HTLCs between peers: we don't know
whether your HTLC 0 or my HTLC 0 occurred first. This matters,
as we play them all back to reconstruct state (probably overkill anyway).
So we add force_* operators which don't do bounds checks, and do
bounds checks at the end. We also note that we don't need to apply
fee changes: that should be in the database already.
Also relax db constraints: IDs are not unique, they are unique per
side (we can both have HTLC #0).
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
The first hop is being stripped from computed routes, however the
first channel of the route is being used to get our peer address. This
results in segfaults if the route is just one hop, i.e., has no first
channel to get the peer's address from. Fixed by simply using an
existing pointer to our peer.
