extern/netbird
1
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2025-06-19 17:31:39 +02:00
Code Issues Packages Projects Releases Wiki Activity

[client] Exclude loopback from NAT (#2747)

Browse Source
This commit is contained in:
Viktor Liu 2024-10-16 17:35:59 +02:00 committed by GitHub
parent cee95461d1
commit 8c8900be57
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 30 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
client/firewall/iptables/router_linux.go
View File

@ -433,10 +433,12 @@ func (r *router) removeNatRule(pair firewall.RouterPair) error {
func genRuleSpec(jump string, source, destination netip.Prefix, intf string, inverse bool) []string { func genRuleSpec(jump string, source, destination netip.Prefix, intf string, inverse bool) []string {
intdir := "-i" intdir := "-i"
lointdir := "-o"
if inverse { if inverse {
intdir = "-o" intdir = "-o"
lointdir = "-i"
} }
return []string{intdir, intf, "-s", source.String(), "-d", destination.String(), "-j", jump} return []string{intdir, intf, "!", lointdir, "lo", "-s", source.String(), "-d", destination.String(), "-j", jump}
} }
func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string { func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {

15
client/firewall/nftables/router_linux.go
View File

@ -425,11 +425,15 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
destExp := generateCIDRMatcherExpressions(false, pair.Destination) destExp := generateCIDRMatcherExpressions(false, pair.Destination)
dir := expr.MetaKeyIIFNAME dir := expr.MetaKeyIIFNAME
notDir := expr.MetaKeyOIFNAME
if pair.Inverse { if pair.Inverse {
dir = expr.MetaKeyOIFNAME dir = expr.MetaKeyOIFNAME
notDir = expr.MetaKeyIIFNAME
} }
lo := ifname("lo")
intf := ifname(r.wgIface.Name()) intf := ifname(r.wgIface.Name())
exprs := []expr.Any{ exprs := []expr.Any{
&expr.Meta{ &expr.Meta{
Key: dir, Key: dir,
@ -440,6 +444,17 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
Register: 1, Register: 1,
Data: intf, Data: intf,
}, },
// We need to exclude the loopback interface as this changes the ebpf proxy port
&expr.Meta{
Key: notDir,
Register: 1,
},
&expr.Cmp{
Op: expr.CmpOpNeq,
Register: 1,
Data: lo,
},
} }
exprs = append(exprs, sourceExp...) exprs = append(exprs, sourceExp...)

12
client/firewall/nftables/router_linux_test.go
View File

@ -69,6 +69,12 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
Register: 1, Register: 1,
Data: ifname(ifaceMock.Name()), Data: ifname(ifaceMock.Name()),
}, },
&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
&expr.Cmp{
Op: expr.CmpOpNeq,
Register: 1,
Data: ifname("lo"),
},
) )
natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair) natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
@ -97,6 +103,12 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
Register: 1, Register: 1,
Data: ifname(ifaceMock.Name()), Data: ifname(ifaceMock.Name()),
}, },
&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
&expr.Cmp{
Op: expr.CmpOpNeq,
Register: 1,
Data: ifname("lo"),
},
) )
inNatRuleKey := firewall.GenKey(firewall.NatFormat, firewall.GetInversePair(testCase.InputPair)) inNatRuleKey := firewall.GenKey(firewall.NatFormat, firewall.GetInversePair(testCase.InputPair))