netbird/client/internal/routemanager/firewall_linux.go

//go:build !android

package routemanager

import (
	"context"
	"fmt"

	log "github.com/sirupsen/logrus"

	"github.com/netbirdio/netbird/client/internal/checkfw"
)

const (
	ipv6Forwarding     = "netbird-rt-ipv6-forwarding"
	ipv4Forwarding     = "netbird-rt-ipv4-forwarding"
	ipv6Nat            = "netbird-rt-ipv6-nat"
	ipv4Nat            = "netbird-rt-ipv4-nat"
	natFormat          = "netbird-nat-%s"
	forwardingFormat   = "netbird-fwd-%s"
	inNatFormat        = "netbird-nat-in-%s"
	inForwardingFormat = "netbird-fwd-in-%s"
	ipv6               = "ipv6"
	ipv4               = "ipv4"
)

func genKey(format string, input string) string {
	return fmt.Sprintf(format, input)
}

// newFirewall if supported, returns an iptables manager, otherwise returns a nftables manager
func newFirewall(parentCTX context.Context) (firewallManager, error) {
	checkResult := checkfw.Check()
	switch checkResult {
	case checkfw.IPTABLES, checkfw.IPTABLESWITHV6:
		log.Debug("creating an iptables firewall manager for route rules")
		ipv6Supported := checkResult == checkfw.IPTABLESWITHV6
		return newIptablesManager(parentCTX, ipv6Supported)
	case checkfw.NFTABLES:
		log.Info("creating an nftables firewall manager for route rules")
		return newNFTablesManager(parentCTX), nil
	}

	return nil, fmt.Errorf("couldn't initialize nftables or iptables clients. Using a dummy firewall manager for route rules")
}

func getInPair(pair routerPair) routerPair {
	return routerPair{
		ID: pair.ID,
		// invert source/destination
		source:      pair.destination,
		destination: pair.source,
		masquerade:  pair.masquerade,
	}
}
Add route management for Android interface (#801) Support client route management feature on Android 2023-04-17 11:15:37 +02:00			`//go:build !android`

Add routing peer support (#441) Handle routes updates from management Manage routing firewall rules Manage peer RIB table Add get peer and get notification channel from the status recorder Update interface peers allowed IPs 2022-09-05 09:06:35 +02:00			`package routemanager`

			`import (`
			`"context"`
			`"fmt"`
Add route management for Android interface (#801) Support client route management feature on Android 2023-04-17 11:15:37 +02:00
Add routing peer support (#441) Handle routes updates from management Manage routing firewall rules Manage peer RIB table Add get peer and get notification channel from the status recorder Update interface peers allowed IPs 2022-09-05 09:06:35 +02:00			`log "github.com/sirupsen/logrus"`
Add default firewall rule to allow netbird traffic (#1056) Add a default firewall rule to allow netbird traffic to be handled by the access control managers. Userspace manager behavior: - When running on Windows, a default rule is add on Windows firewall - For Linux, we are using one of the Kernel managers to add a single rule - This PR doesn't handle macOS Kernel manager behavior: - For NFtables, if there is a filter table, an INPUT rule is added - Iptables follows the previous flow if running on kernel mode. If running on userspace mode, it adds a single rule for INPUT and OUTPUT chains A new checkerFW package has been introduced to consolidate checks across route and access control managers. It supports a new environment variable to skip nftables and allow iptables tests 2023-09-05 21:07:32 +02:00
			`"github.com/netbirdio/netbird/client/internal/checkfw"`
Add routing peer support (#441) Handle routes updates from management Manage routing firewall rules Manage peer RIB table Add get peer and get notification channel from the status recorder Update interface peers allowed IPs 2022-09-05 09:06:35 +02:00			`)`

			`const (`
Add incoming routing rules (#486) add an income firewall rule for each routing pair the pair for the income rule has inverted source and destination 2022-09-30 11:39:15 +02:00			`ipv6Forwarding = "netbird-rt-ipv6-forwarding"`
			`ipv4Forwarding = "netbird-rt-ipv4-forwarding"`
			`ipv6Nat = "netbird-rt-ipv6-nat"`
			`ipv4Nat = "netbird-rt-ipv4-nat"`
			`natFormat = "netbird-nat-%s"`
			`forwardingFormat = "netbird-fwd-%s"`
			`inNatFormat = "netbird-nat-in-%s"`
			`inForwardingFormat = "netbird-fwd-in-%s"`
			`ipv6 = "ipv6"`
			`ipv4 = "ipv4"`
Add routing peer support (#441) Handle routes updates from management Manage routing firewall rules Manage peer RIB table Add get peer and get notification channel from the status recorder Update interface peers allowed IPs 2022-09-05 09:06:35 +02:00			`)`

			`func genKey(format string, input string) string {`
			`return fmt.Sprintf(format, input)`
			`}`

Add default firewall rule to allow netbird traffic (#1056) Add a default firewall rule to allow netbird traffic to be handled by the access control managers. Userspace manager behavior: - When running on Windows, a default rule is add on Windows firewall - For Linux, we are using one of the Kernel managers to add a single rule - This PR doesn't handle macOS Kernel manager behavior: - For NFtables, if there is a filter table, an INPUT rule is added - Iptables follows the previous flow if running on kernel mode. If running on userspace mode, it adds a single rule for INPUT and OUTPUT chains A new checkerFW package has been introduced to consolidate checks across route and access control managers. It supports a new environment variable to skip nftables and allow iptables tests 2023-09-05 21:07:32 +02:00			`// newFirewall if supported, returns an iptables manager, otherwise returns a nftables manager`
			`func newFirewall(parentCTX context.Context) (firewallManager, error) {`
			`checkResult := checkfw.Check()`
			`switch checkResult {`
			`case checkfw.IPTABLES, checkfw.IPTABLESWITHV6:`
			`log.Debug("creating an iptables firewall manager for route rules")`
			`ipv6Supported := checkResult == checkfw.IPTABLESWITHV6`
			`return newIptablesManager(parentCTX, ipv6Supported)`
			`case checkfw.NFTABLES:`
			`log.Info("creating an nftables firewall manager for route rules")`
			`return newNFTablesManager(parentCTX), nil`
Routemgr error handling (#1073) In case the route management feature is not supported then do not create unnecessary firewall and manager instances. This can happen if the nftables nor iptables is not available on the host OS. - Move the error handling to upper layer - Remove fake, useless implementations of interfaces - Update go-iptables because In Docker the old version can not determine well the path of executable file - update lib to 0.70 2023-08-12 11:42:36 +02:00			`}`
Add default firewall rule to allow netbird traffic (#1056) Add a default firewall rule to allow netbird traffic to be handled by the access control managers. Userspace manager behavior: - When running on Windows, a default rule is add on Windows firewall - For Linux, we are using one of the Kernel managers to add a single rule - This PR doesn't handle macOS Kernel manager behavior: - For NFtables, if there is a filter table, an INPUT rule is added - Iptables follows the previous flow if running on kernel mode. If running on userspace mode, it adds a single rule for INPUT and OUTPUT chains A new checkerFW package has been introduced to consolidate checks across route and access control managers. It supports a new environment variable to skip nftables and allow iptables tests 2023-09-05 21:07:32 +02:00
			`return nil, fmt.Errorf("couldn't initialize nftables or iptables clients. Using a dummy firewall manager for route rules")`
FIx error on ip6tables not available (#999) * adding check operation to confirm if iptables is available linter * linter 2023-07-14 20:44:35 +02:00			`}`

Add incoming routing rules (#486) add an income firewall rule for each routing pair the pair for the income rule has inverted source and destination 2022-09-30 11:39:15 +02:00			`func getInPair(pair routerPair) routerPair {`
			`return routerPair{`
			`ID: pair.ID,`
			`// invert source/destination`
			`source: pair.destination,`
			`destination: pair.source,`
			`masquerade: pair.masquerade,`
			`}`
			`}`