[client] Fix missing inbound flows in Linux userspace mode with native router (#3624)

* Fix missing inbound flows in Linux userspace mode with native router

* Fix route enable/disable order for userspace mode

client/firewall/uspfilter/uspfilter.go

@@ -678,7 +678,7 @@ func (m *Manager) dropFilter(packetData []byte, size int) bool {
 		return m.handleLocalTraffic(d, srcIP, dstIP, packetData, size)
 	}
 
-	return m.handleRoutedTraffic(d, srcIP, dstIP, packetData)
+	return m.handleRoutedTraffic(d, srcIP, dstIP, packetData, size)
 }
 
 // handleLocalTraffic handles local traffic.
@@ -739,7 +739,7 @@ func (m *Manager) handleNetstackLocalTraffic(packetData []byte) bool {
 
 // handleRoutedTraffic handles routed traffic.
 // If it returns true, the packet should be dropped.
-func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte) bool {
+func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
 	// Drop if routing is disabled
 	if !m.routingEnabled.Load() {
 		m.logger.Trace("Dropping routed packet (routing disabled): src=%s dst=%s",
@@ -749,6 +749,7 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 
 	// Pass to native stack if native router is enabled or forced
 	if m.nativeRouter.Load() {
+		m.trackInbound(d, srcIP, dstIP, nil, size)
 		return false
 	}
 
@@ -770,6 +771,8 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 			SourcePort: srcPort,
 			DestPort:   dstPort,
 			// TODO: icmp type/code
+			RxPackets: 1,
+			RxBytes:   uint64(size),
 		})
 		return true
 	}

client/internal/engine.go

@@ -952,11 +952,6 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		return nil
 	}
 
-	// Apply ACLs in the beginning to avoid security leaks
-	if e.acl != nil {
-		e.acl.ApplyFiltering(networkMap)
-	}
-
 	if e.firewall != nil {
 		if localipfw, ok := e.firewall.(localIpUpdater); ok {
 			if err := localipfw.UpdateLocalIPs(); err != nil {
@@ -975,6 +970,11 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Errorf("failed to update clientRoutes, err: %v", err)
 	}
 
+	// acls might need routing to be enabled, so we apply after routes
+	if e.acl != nil {
+		e.acl.ApplyFiltering(networkMap)
+	}
+
 	// Ingress forward rules
 	if err := e.updateForwardRules(networkMap.GetForwardingRules()); err != nil {
 		log.Errorf("failed to update forward rules, err: %v", err)

client/internal/routemanager/server_nonandroid.go

@@ -55,6 +55,18 @@ func (m *serverRouter) updateRoutes(routesMap map[route.ID]*route.Route) error {
 		delete(m.routes, routeID)
 	}
 
+	// If routing is to be disabled, do it after routes have been removed
+	// If routing is to be enabled, do it before adding new routes; addToServerNetwork needs routing to be enabled
+	if len(routesMap) > 0 {
+		if err := m.firewall.EnableRouting(); err != nil {
+			return fmt.Errorf("enable routing: %w", err)
+		}
+	} else {
+		if err := m.firewall.DisableRouting(); err != nil {
+			return fmt.Errorf("disable routing: %w", err)
+		}
+	}
+
 	for id, newRoute := range routesMap {
 		_, found := m.routes[id]
 		if found {
@@ -69,16 +81,6 @@ func (m *serverRouter) updateRoutes(routesMap map[route.ID]*route.Route) error {
 		m.routes[id] = newRoute
 	}
 
-	if len(m.routes) > 0 {
-		if err := m.firewall.EnableRouting(); err != nil {
-			return fmt.Errorf("enable routing: %w", err)
-		}
-	} else {
-		if err := m.firewall.DisableRouting(); err != nil {
-			return fmt.Errorf("disable routing: %w", err)
-		}
-	}
-
 	return nil
 }