Add default firewall rule to allow netbird traffic (#1056)

Add a default firewall rule to allow netbird traffic to be handled by the access control managers. Userspace manager behavior: - When running on Windows, a default rule is add on Windows firewall - For Linux, we are using one of the Kernel managers to add a single rule - This PR doesn't handle macOS Kernel manager behavior: - For NFtables, if there is a filter table, an INPUT rule is added - Iptables follows the previous flow if running on kernel mode. If running on userspace mode, it adds a single rule for INPUT and OUTPUT chains A new checkerFW package has been introduced to consolidate checks across route and access control managers. It supports a new environment variable to skip nftables and allow iptables tests
2025-08-15 17:52:47 +02:00 · 2023-09-05 23:07:32 +04:00
parent e4bc76c4de
commit 246abda46d
24 changed files with 568 additions and 153 deletions
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@ -3,11 +3,12 @@ package routemanager
 import (
 	"context"
 	"fmt"
-	"github.com/pion/transport/v2/stdnet"
 	"net/netip"
 	"runtime"
 	"testing"

+	"github.com/pion/transport/v2/stdnet"
+
 	"github.com/stretchr/testify/require"

 	"github.com/netbirdio/netbird/client/internal/peer"
@ -30,6 +31,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 		inputInitRoutes               []*route.Route
 		inputRoutes                   []*route.Route
 		inputSerial                   uint64
+		removeSrvRouter               bool
 		serverRoutesExpected          int
 		clientNetworkWatchersExpected int
 	}{
@ -117,6 +119,35 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			serverRoutesExpected:          1,
 			clientNetworkWatchersExpected: 1,
 		},
+		{
+			name: "Should Create 1 Route For Client and Skip Server Route On Empty Server Router",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("100.64.30.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.9.9/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			removeSrvRouter:               true,
+			serverRoutesExpected:          0,
+			clientNetworkWatchersExpected: 1,
+		},
 		{
 			name: "Should Create 1 HA Route and 1 Standalone",
 			inputRoutes: []*route.Route{
@ -385,6 +416,10 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			routeManager := NewManager(ctx, localPeerKey, wgInterface, statusRecorder, nil)
 			defer routeManager.Stop()

+			if testCase.removeSrvRouter {
+				routeManager.serverRouter = nil
+			}
+
 			if len(testCase.inputInitRoutes) > 0 {
 				err = routeManager.UpdateRoutes(testCase.inputSerial, testCase.inputRoutes)
 				require.NoError(t, err, "should update routes with init routes")
@ -395,7 +430,7 @@ func TestManagerUpdateRoutes(t *testing.T) {

 			require.Len(t, routeManager.clientNetworks, testCase.clientNetworkWatchersExpected, "client networks size should match")

-			if runtime.GOOS == "linux" {
+			if runtime.GOOS == "linux" && routeManager.serverRouter != nil {
 				sr := routeManager.serverRouter.(*defaultServerRouter)
 				require.Len(t, sr.routes, testCase.serverRoutesExpected, "server networks size should match")
 			}