Block wg net forwarded traffic

This commit is contained in:
Viktor Liu 2025-01-10 19:33:57 +01:00
parent 01957a305d
commit af46f259ac
3 changed files with 33 additions and 3 deletions


@ -64,12 +64,12 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, netstack bool) (*Forwar
return nil, fmt.Errorf("failed to create NIC: %v", err) return nil, fmt.Errorf("failed to create NIC: %v", err)
} }
_, bits := iface.Address().Network.Mask.Size() ones, _ := iface.Address().Network.Mask.Size()
protoAddr := tcpip.ProtocolAddress{ protoAddr := tcpip.ProtocolAddress{
Protocol: ipv4.ProtocolNumber, Protocol: ipv4.ProtocolNumber,
AddressWithPrefix: tcpip.AddressWithPrefix{ AddressWithPrefix: tcpip.AddressWithPrefix{
Address: tcpip.AddrFromSlice(iface.Address().IP.To4()), Address: tcpip.AddrFromSlice(iface.Address().IP.To4()),
PrefixLen: bits, PrefixLen: ones,
}, },
} }
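Review bot: `ones, _ := iface.Address().Network.Mask.Size()` now discards the second return value, so a non-canonical mask — for which `Size()` reports (0, 0) — would silently become `PrefixLen: 0` and put the entire IPv4 space on-link on the NIC. Keeping both values and rejecting the zero case makes that failure visible: `ones, bits := iface.Address().Network.Mask.Size()` followed by `if bits == 0 { return nil, fmt.Errorf("non-canonical netmask for %s", iface.Address().Network.String()) }`. Swapping `bits` for `ones` as the prefix length is itself correct, since the old value was the total mask width rather than the prefix. The enclosing function `New` starts and continues outside the hunk.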


@ -13,7 +13,7 @@ import (
type localIPManager struct { type localIPManager struct {
mu sync.RWMutex mu sync.RWMutex
// Use bitmap for IPv4 (32 bits * 2^16 = 8KB memory) // Use bitmap for IPv4 (32 bits * 2^16 = 256KB memory)
ipv4Bitmap [1 << 16]uint32 ipv4Bitmap [1 << 16]uint32
} }


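--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -144,12 +144,42 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 	m.determineRouting(iface, disableServerRoutes)
+	if err := m.blockInvalidRouted(iface); err != nil {
+		log.Errorf("failed to block invalid routed traffic: %v", err)
+	}
 	if err := iface.SetFilter(m); err != nil {
 		return nil, fmt.Errorf("set filter: %w", err)
 	}
 	return m, nil
 }
+func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) error {
+	if m.forwarder == nil {
+		return nil
+	}
+	wgPrefix, err := netip.ParsePrefix(iface.Address().Network.String())
+	if err != nil {
+		return fmt.Errorf("parse wireguard network: %w", err)
+	}
+	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)
+	if _, err := m.AddRouteFiltering(
+		[]netip.Prefix{netip.PrefixFrom(netip.IPv4Unspecified(), 0)},
+		wgPrefix,
+		firewall.ProtocolALL,
+		nil,
+		nil,
+		firewall.ActionDrop,
+	); err != nil {
+		return fmt.Errorf("block wg nte : %w", err)
+	}
+	// TODO: Block networks that we're a client of
+	return nil
+}
 func (m *Manager) determineRouting(iface common.IFaceMapper, disableServerRoutes bool) {
 	disableUspRouting, _ := strconv.ParseBool(os.Getenv(EnvDisableUserspaceRouting))
 	forceUserspaceRouter, _ := strconv.ParseBool(os.Getenv(EnvForceUserspaceRouter))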
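Review bot: An error from `blockInvalidRouted` is only logged at its call site in `create`, so when the drop rule cannot be installed the manager still starts and whatever the default forwarding policy is stays in effect for traffic destined to the wg network — the intent of the commit is fail-closed but the code is fail-open. Returning the error keeps the guarantee: `if err := m.blockInvalidRouted(iface); err != nil { return nil, fmt.Errorf("block invalid routed traffic: %w", err) }`. The wrapped message on the `AddRouteFiltering` branch has a typo, `"block wg nte : %w"` should read `"block wg net: %w"`. `blockInvalidRouted` also lacks a doc comment; something like `// blockInvalidRouted installs a drop rule for forwarded traffic destined to the local WireGuard network; it is a no-op when no userspace forwarder is configured.` would record the intent the TODO hints at. The source prefix is IPv4-only (`netip.IPv4Unspecified()`), which presumably matches the IPv4-only address handling elsewhere but is worth confirming before IPv6 is ever assigned to the interface; `create` starts outside the hunk.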