Fix routes allow acl rule (#940)

Modify rules in iptables and nftables to accept all traffic not from netbird network but routed through it.
2025-08-16 10:08:12 +02:00 · 2023-06-07 17:24:27 +04:00
parent 93608ae163
commit ef59001459
9 changed files with 245 additions and 39 deletions
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@ -13,11 +13,47 @@ import (
 	"golang.org/x/sys/unix"

 	fw "github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/iface"
 )

+// iFaceMapper defines subset methods of interface required for manager
+type iFaceMock struct {
+	NameFunc    func() string
+	AddressFunc func() iface.WGAddress
+}
+
+func (i *iFaceMock) Name() string {
+	if i.NameFunc != nil {
+		return i.NameFunc()
+	}
+	panic("NameFunc is not set")
+}
+
+func (i *iFaceMock) Address() iface.WGAddress {
+	if i.AddressFunc != nil {
+		return i.AddressFunc()
+	}
+	panic("AddressFunc is not set")
+}
+
 func TestNftablesManager(t *testing.T) {
+	mock := &iFaceMock{
+		NameFunc: func() string {
+			return "lo"
+		},
+		AddressFunc: func() iface.WGAddress {
+			return iface.WGAddress{
+				IP: net.ParseIP("100.96.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.96.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
+			}
+		},
+	}
+
 	// just check on the local interface
-	manager, err := Create("lo")
+	manager, err := Create(mock)
 	require.NoError(t, err)
 	time.Sleep(time.Second)

@ -44,8 +80,11 @@ func TestNftablesManager(t *testing.T) {

 	rules, err := testClient.GetRules(manager.tableIPv4, manager.filterInputChainIPv4)
 	require.NoError(t, err, "failed to get rules")
-	// 1 regular rule and other "drop all rule" for the interface
-	require.Len(t, rules, 2, "expected 1 rule")
+	// test expectations:
+	// 1) regular rule
+	// 2) "accept extra routed traffic rule" for the interface
+	// 3) "drop all rule" for the interface
+	require.Len(t, rules, 3, "expected 3 rules")

 	ipToAdd, _ := netip.AddrFromSlice(ip)
 	add := ipToAdd.Unmap()
@ -98,17 +137,35 @@ func TestNftablesManager(t *testing.T) {

 	rules, err = testClient.GetRules(manager.tableIPv4, manager.filterInputChainIPv4)
 	require.NoError(t, err, "failed to get rules")
-	require.Len(t, rules, 1, "expected 1 rules after deleteion")
+	// test expectations:
+	// 1) "accept extra routed traffic rule" for the interface
+	// 2) "drop all rule" for the interface
+	require.Len(t, rules, 2, "expected 2 rules after deleteion")

 	err = manager.Reset()
 	require.NoError(t, err, "failed to reset")
 }

 func TestNFtablesCreatePerformance(t *testing.T) {
+	mock := &iFaceMock{
+		NameFunc: func() string {
+			return "lo"
+		},
+		AddressFunc: func() iface.WGAddress {
+			return iface.WGAddress{
+				IP: net.ParseIP("100.96.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.96.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
+			}
+		},
+	}
+
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create("lo")
+			manager, err := Create(mock)
 			require.NoError(t, err)
 			time.Sleep(time.Second)