Extend protocol and firewall manager to handle old management (#915)

* Extend protocol and firewall manager to handle old management

* Send correct empty firewall rules list when delete peer

* Add extra tests for firewall manager and uspfilter

* Work with inconsistent state

* Review note

* Update comment
Givi Khojanashvili
2023-05-31 21:04:38 +04:00
committed by GitHub
parent 45a6263adc
commit 293499c3c0
13 changed files with 362 additions and 220 deletions


@ -637,7 +637,13 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
}
if e.acl != nil {
e.acl.ApplyFiltering(networkMap.FirewallRules)
// if we got empty rules list but management not set networkMap.FirewallRulesIsEmpty flag
// we have old version of management without rules handling, we should allow all traffic
allowByDefault := len(networkMap.FirewallRules) == 0 && !networkMap.FirewallRulesIsEmpty
if allowByDefault {
log.Warn("this peer is connected to a NetBird Management service with an older version. Allowing all traffic from connected peers")
}
e.acl.ApplyFiltering(networkMap.FirewallRules, allowByDefault)
}
e.networkSerial = serial
return nil
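Review bot: The `allowByDefault` expression makes the peer fail open: an empty `networkMap.FirewallRules` with `FirewallRulesIsEmpty` unset is treated as "allow all traffic", and since that flag is presumably a protobuf bool whose zero value is false, any update that omits it (an old server, or a newer one that builds the message without setting the flag) lands on this path. That is the intended compatibility behaviour, but it makes the peer's filtering depend on the server remembering to set a flag, so I would say so in the comment, e.g. `// SECURITY: fail-open for legacy management only; an empty list without FirewallRulesIsEmpty allows all peer traffic`, and consider putting the fallback behind an explicit client-side setting so hardened deployments can default to deny. The `log.Warn` also fires on every network-map update that hits this branch; including the serial, or logging only when the state changes, would make the transition into allow-all easier to spot in logs. `updateNetworkMap` starts and ends outside the hunk.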