[client] Allow inbound rosenpass port (#3109)

2025-06-20 09:47:49 +02:00 · 2024-12-31 14:08:48 +01:00 · 2024-12-31 14:08:48 +01:00 · abbdf20f65
commit abbdf20f65
parent 43ef64cf67
3 changed files with 40 additions and 9 deletions
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@ -197,7 +197,7 @@ func (m *Manager) AllowNetbird() error {
 	}

 	_, err := m.AddPeerFiltering(
-		net.ParseIP("0.0.0.0"),
+		net.IP{0, 0, 0, 0},
 		"all",
 		nil,
 		nil,
--- a/client/internal/dnsfwd/manager.go
+++ b/client/internal/dnsfwd/manager.go
@ -83,7 +83,7 @@ func (h *Manager) allowDNSFirewall() error {
 		IsRange: false,
 		Values:  []int{ListenPort},
 	}
-	dnsRules, err := h.firewall.AddPeerFiltering(net.ParseIP("0.0.0.0"), firewall.ProtocolUDP, nil, dport, firewall.RuleDirectionIN, firewall.ActionAccept, "", "")
+	dnsRules, err := h.firewall.AddPeerFiltering(net.IP{0, 0, 0, 0}, firewall.ProtocolUDP, nil, dport, firewall.RuleDirectionIN, firewall.ActionAccept, "", "")
 	if err != nil {
 		log.Errorf("failed to add allow DNS router rules, err: %v", err)
 		return err
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@ -406,13 +406,9 @@ func (e *Engine) Start() error {
 	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager)
 	if err != nil {
 		log.Errorf("failed creating firewall manager: %s", err)
-	}
-
-	if e.firewall != nil && e.firewall.IsServerRouteSupported() {
-		err = e.routeManager.EnableServerRouter(e.firewall)
-		if err != nil {
-			e.close()
-			return fmt.Errorf("enable server router: %w", err)
+	} else if e.firewall != nil {
+		if err := e.initFirewall(err); err != nil {
+			return err
 		}
 	}

@ -455,6 +451,41 @@ func (e *Engine) Start() error {
 	return nil
 }

+func (e *Engine) initFirewall(error) error {
+	if e.firewall.IsServerRouteSupported() {
+		if err := e.routeManager.EnableServerRouter(e.firewall); err != nil {
+			e.close()
+			return fmt.Errorf("enable server router: %w", err)
+		}
+	}
+
+	if e.rpManager == nil || !e.config.RosenpassEnabled {
+		return nil
+	}
+
+	rosenpassPort := e.rpManager.GetAddress().Port
+	port := manager.Port{Values: []int{rosenpassPort}}
+
+	// this rule is static and will be torn down on engine down by the firewall manager
+	if _, err := e.firewall.AddPeerFiltering(
+		net.IP{0, 0, 0, 0},
+		manager.ProtocolUDP,
+		nil,
+		&port,
+		manager.RuleDirectionIN,
+		manager.ActionAccept,
+		"",
+		"",
+	); err != nil {
+		log.Errorf("failed to allow rosenpass interface traffic: %v", err)
+		return nil
+	}
+
+	log.Infof("rosenpass interface traffic allowed on port %d", rosenpassPort)
+
+	return nil
+}
+
 // modifyPeers updates peers that have been modified (e.g. IP address has been changed).
 // It closes the existing connection, removes it from the peerConns map, and creates a new one.
 func (e *Engine) modifyPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {