diff --git a/client/firewall/uspfilter/uspfilter.go b/client/firewall/uspfilter/uspfilter.go
index eb4438dbd..466065d31 100644
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -678,7 +678,7 @@ func (m *Manager) dropFilter(packetData []byte, size int) bool {
 return m.handleLocalTraffic(d, srcIP, dstIP, packetData, size)
 }
- return m.handleRoutedTraffic(d, srcIP, dstIP, packetData)
+ return m.handleRoutedTraffic(d, srcIP, dstIP, packetData, size)
 }
 // handleLocalTraffic handles local traffic.
@@ -739,7 +739,7 @@ func (m *Manager) handleNetstackLocalTraffic(packetData []byte) bool {
 // handleRoutedTraffic handles routed traffic.
 // If it returns true, the packet should be dropped.
-func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte) bool {
+func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
 // Drop if routing is disabled
 if !m.routingEnabled.Load() {
 m.logger.Trace("Dropping routed packet (routing disabled): src=%s dst=%s",
@@ -749,6 +749,7 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 // Pass to native stack if native router is enabled or forced
 if m.nativeRouter.Load() {
+ m.trackInbound(d, srcIP, dstIP, nil, size)
 return false
 }
@@ -770,6 +771,8 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 SourcePort: srcPort,
 DestPort: dstPort,
 // TODO: icmp type/code
+ RxPackets: 1,
+ RxBytes: uint64(size),
 })
 return true
 }
diff --git a/client/internal/engine.go b/client/internal/engine.go
index 6ae494312..260e807a0 100644
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
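Review bot: The new `size` parameter is not described in the doc comment on handleRoutedTraffic, and because the function already receives `packetData`, a reader cannot tell from this hunk whether `size` is the valid byte count of that buffer or something else. Add a line to the doc comment, e.g. `// size is the number of valid bytes in packetData; the slice may be larger than the packet.` — assuming that is the contract, which should be confirmed against dropFilter. The body of handleRoutedTraffic continues past this hunk, so any code there that still derives lengths from `len(packetData)` rather than `size` deserves a second look now that both are in scope.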
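Review bot: `m.trackInbound(d, srcIP, dstIP, nil, size)` is added on the native-router path with a nil fourth argument, and nothing in the hunk says what that parameter is or that nil is a valid value for it. If it is the matched rule (no userspace rule has been evaluated on this path, which would explain the nil), say so where the call is made: `// no userspace rule applies here; the native stack enforces policy, so the flow is recorded without a rule`. It is also worth confirming that trackInbound tolerates nil without dereferencing it, since this call now runs for every routed packet whenever the native router is on. The enclosing function starts and ends outside this hunk.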
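Review bot: `RxBytes: uint64(size)` converts a signed int with no bound, so a negative `size` — which the `size int` signature of dropFilter does not rule out — would be recorded as an enormous byte count instead of failing loudly. If the entry point already rejects non-positive sizes, a short comment here saying so is enough; otherwise validate `size` once in dropFilter or treat a negative value as zero before the conversion. Counting a dropped packet as received (`RxPackets: 1`) reads as intentional for flow accounting, but a word in the comment would spare the next reader the question. The struct literal begins before this hunk.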
@@ -952,11 +952,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 return nil
 }
- // Apply ACLs in the beginning to avoid security leaks
- if e.acl != nil {
- e.acl.ApplyFiltering(networkMap)
- }
-
 if e.firewall != nil {
 if localipfw, ok := e.firewall.(localIpUpdater); ok {
 if err := localipfw.UpdateLocalIPs(); err != nil {
@@ -975,6 +970,11 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 log.Errorf("failed to update clientRoutes, err: %v", err)
 }
+ // acls might need routing to be enabled, so we apply after routes
+ if e.acl != nil {
+ e.acl.ApplyFiltering(networkMap)
+ }
+
 // Ingress forward rules
 if err := e.updateForwardRules(networkMap.GetForwardingRules()); err != nil {
 log.Errorf("failed to update forward rules, err: %v", err)
diff --git a/client/internal/routemanager/server_nonandroid.go b/client/internal/routemanager/server_nonandroid.go
index ac2233d4e..f8b10e8af 100644
--- a/client/internal/routemanager/server_nonandroid.go
+++ b/client/internal/routemanager/server_nonandroid.go
@@ -55,6 +55,18 @@ func (m *serverRouter) updateRoutes(routesMap map[route.ID]*route.Route) error {
 delete(m.routes, routeID)
 }
+ // If routing is to be disabled, do it after routes have been removed
+ // If routing is to be enabled, do it before adding new routes; addToServerNetwork needs routing to be enabled
+ if len(routesMap) > 0 {
+ if err := m.firewall.EnableRouting(); err != nil {
+ return fmt.Errorf("enable routing: %w", err)
+ }
+ } else {
+ if err := m.firewall.DisableRouting(); err != nil {
+ return fmt.Errorf("disable routing: %w", err)
+ }
+ }
+
 for id, newRoute := range routesMap {
 _, found := m.routes[id]
 if found {
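Review bot: Moving `e.acl.ApplyFiltering(networkMap)` to after the route update means the previous map's ACL rules stay in force while the new map's routes are installed and routing is being enabled, whereas the removed comment deliberately applied ACLs first "to avoid security leaks". If a map narrows policy at the same time as it adds routes, routed traffic can pass under the old rules for the duration of the route update, which is the window the old ordering avoided. The new comment should state that trade-off rather than only the dependency, e.g. `// ACLs depend on routing being enabled, so apply them after routes; the previous map's rules remain in force until then.` If the window is not acceptable, keeping the early ApplyFiltering and re-applying after routes closes it at the cost of one extra pass. updateNetworkMap starts and ends outside this hunk.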
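Review bot: Routing is now enabled on the requested set (`len(routesMap) > 0`) before any route is installed, so if an add in the loop below fails and returns early, forwarding stays enabled while `m.routes` may be empty — a state the previous ordering (decide after the loop, keyed on `m.routes`) could not produce, because an error returned before routing was touched. Either disable routing again before returning the error when `m.routes` is empty, or state in the comment that a partial failure leaves forwarding on until the next update reconciles it. The comment's claim that addToServerNetwork needs routing enabled cannot be checked from here; the loop body and the rest of updateRoutes lie outside the hunk.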
@@ -69,16 +81,6 @@ func (m *serverRouter) updateRoutes(routesMap map[route.ID]*route.Route) error {
 m.routes[id] = newRoute
 }
- if len(m.routes) > 0 {
- if err := m.firewall.EnableRouting(); err != nil {
- return fmt.Errorf("enable routing: %w", err)
- }
- } else {
- if err := m.firewall.DisableRouting(); err != nil {
- return fmt.Errorf("disable routing: %w", err)
- }
- }
-
 return nil
 }