[client] Mark redirected traffic early to match input filters on pre-DNAT ports (#3205)

2025-08-09 07:15:15 +02:00 · 2025-01-23 18:00:51 +01:00
parent 790a9ed7df
commit eb2ac039c7
4 changed files with 145 additions and 87 deletions
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@ -3,6 +3,7 @@ package iptables
 import (
 	"fmt"
 	"net"
+	"slices"
 	"strconv"

 	"github.com/coreos/go-iptables/iptables"
@ -99,6 +100,16 @@ func (m *aclManager) AddPeerFiltering(

 	ipsetName = transformIPsetName(ipsetName, sPortVal, dPortVal)
 	specs := filterRuleSpecs(ip, string(protocol), sPortVal, dPortVal, action, ipsetName)
+
+	mangleSpecs := slices.Clone(specs)
+	mangleSpecs = append(mangleSpecs,
+		"-i", m.wgIface.Name(),
+		"-m", "addrtype", "--dst-type", "LOCAL",
+		"-j", "MARK", "--set-xmark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected),
+	)
+
+	specs = append(specs, "-j", actionToStr(action))
+
 	if ipsetName != "" {
 		if ipList, ipsetExists := m.ipsetStore.ipset(ipsetName); ipsetExists {
 			if err := ipset.Add(ipsetName, ip.String()); err != nil {
@ -130,7 +141,7 @@ func (m *aclManager) AddPeerFiltering(
 		m.ipsetStore.addIpList(ipsetName, ipList)
 	}

-	ok, err := m.iptablesClient.Exists("filter", chain, specs...)
+	ok, err := m.iptablesClient.Exists(tableFilter, chain, specs...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check rule: %w", err)
 	}
@ -138,16 +149,22 @@ func (m *aclManager) AddPeerFiltering(
 		return nil, fmt.Errorf("rule already exists")
 	}

-	if err := m.iptablesClient.Append("filter", chain, specs...); err != nil {
+	if err := m.iptablesClient.Append(tableFilter, chain, specs...); err != nil {
 		return nil, err
 	}

+	if err := m.iptablesClient.Append(tableMangle, chainRTPRE, mangleSpecs...); err != nil {
+		log.Errorf("failed to add mangle rule: %v", err)
+		mangleSpecs = nil
+	}
+
 	rule := &Rule{
-		ruleID:    uuid.New().String(),
-		specs:     specs,
-		ipsetName: ipsetName,
-		ip:        ip.String(),
-		chain:     chain,
+		ruleID:      uuid.New().String(),
+		specs:       specs,
+		mangleSpecs: mangleSpecs,
+		ipsetName:   ipsetName,
+		ip:          ip.String(),
+		chain:       chain,
 	}

 	m.updateState()
@ -190,6 +207,12 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		return fmt.Errorf("failed to delete rule: %s, %v: %w", r.chain, r.specs, err)
 	}

+	if r.mangleSpecs != nil {
+		if err := m.iptablesClient.Delete(tableMangle, chainRTPRE, r.mangleSpecs...); err != nil {
+			log.Errorf("failed to delete mangle rule: %v", err)
+		}
+	}
+
 	m.updateState()

 	return nil
@ -310,17 +333,10 @@ func (m *aclManager) seedInitialEntries() {
 func (m *aclManager) seedInitialOptionalEntries() {
 	m.optionalEntries["FORWARD"] = []entry{
 		{
-			spec:     []string{"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected), "-j", chainNameInputRules},
+			spec:     []string{"-m", "mark", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected), "-j", "ACCEPT"},
 			position: 2,
 		},
 	}
-
-	m.optionalEntries["PREROUTING"] = []entry{
-		{
-			spec:     []string{"-t", "mangle", "-i", m.wgIface.Name(), "-m", "addrtype", "--dst-type", "LOCAL", "-j", "MARK", "--set-mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected)},
-			position: 1,
-		},
-	}
 }

 func (m *aclManager) appendToEntries(chainName string, spec []string) {
@ -377,7 +393,7 @@ func filterRuleSpecs(ip net.IP, protocol, sPort, dPort string, action firewall.A
 	if dPort != "" {
 		specs = append(specs, "--dport", dPort)
 	}
-	return append(specs, "-j", actionToStr(action))
+	return specs
 }

 func actionToStr(action firewall.Action) string {