[client] Add stateful userspace firewall and remove egress filters (#3093)

- Add stateful firewall functionality for UDP/TCP/ICMP in userspace firewalll - Removes all egress drop rules/filters, still needs refactoring so we don't add output rules to any chains/filters. - on Linux, if the OUTPUT policy is DROP then we don't do anything about it (no extra allow rules). This is up to the user, if they don't want anything leaving their machine they'll have to manage these rules explicitly.
2025-08-15 01:32:56 +02:00 · 2024-12-23 18:22:17 +01:00
parent 05930ee6b1
commit ad9f044aad
16 changed files with 3104 additions and 120 deletions
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@ -207,19 +207,9 @@ func (m *Manager) AllowNetbird() error {
 		"",
 	)
 	if err != nil {
-		return fmt.Errorf("failed to allow netbird interface traffic: %w", err)
+		return fmt.Errorf("allow netbird interface traffic: %w", err)
 	}
-	_, err = m.AddPeerFiltering(
-		net.ParseIP("0.0.0.0"),
-		"all",
-		nil,
-		nil,
-		firewall.RuleDirectionOUT,
-		firewall.ActionAccept,
-		"",
-		"",
-	)
-	return err
+	return nil
 }

 // Flush doesn't need to be implemented for this manager