net: respect -onlynet= when making outbound connections

Do not make outbound connections to hosts which belong to a network
which is restricted by `-onlynet`.

This applies to hosts that are automatically chosen to connect to and to
anchors.

This does not apply to hosts given to `-connect`, `-addnode`,
`addnode` RPC, dns seeds, `-seednodes`.

Fixes https://github.com/bitcoin/bitcoin/issues/13378
Fixes https://github.com/bitcoin/bitcoin/issues/22647
Supersedes https://github.com/bitcoin/bitcoin/pull/22651

1 files changed, 16 insertions, 1 deletions

diff --git a/src/torcontrol.cpp b/src/torcontrol.cpp
index 55618a5c57..fdf1957bff 100644
--- a/src/torcontrol.cpp
+++ b/src/torcontrol.cpp
@@ -380,7 +380,22 @@ void TorController::auth_cb(TorControlConnection& _conn, const TorControlReply&
             CService resolved(LookupNumeric("127.0.0.1", 9050));
             proxyType addrOnion = proxyType(resolved, true);
             SetProxy(NET_ONION, addrOnion);
-            SetReachable(NET_ONION, true);
+
+            const auto onlynets = gArgs.GetArgs("-onlynet");
+
+            const bool onion_allowed_by_onlynet{
+                !gArgs.IsArgSet("-onlynet") ||
+                std::any_of(onlynets.begin(), onlynets.end(), [](const auto& n) {
+                    return ParseNetwork(n) == NET_ONION;
+                })};
+
+            if (onion_allowed_by_onlynet) {
+                // If NET_ONION is reachable, then the below is a noop.
+                //
+                // If NET_ONION is not reachable, then none of -proxy or -onion was given.
+                // Since we are here, then -torcontrol and -torpassword were given.
+                SetReachable(NET_ONION, true);
+            }
         }
 
         // Finally - now create the service