bcmmbaga
feb8e90ae1
Evaluate all applied posture checks on source peers only
...
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-12-27 23:28:34 +03:00
bcmmbaga
076d6d8a87
Evaluate all applied posture checks once
...
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-12-27 22:12:47 +03:00
bcmmbaga
c8c25221bd
Apply policy posture checks on peer
...
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-12-27 21:49:28 +03:00
Pascal Fischer
fbce8bb511
[management] remove ids from policy creation api ( #2997 )
2024-12-27 14:13:36 +01:00
Bethuel Mmbaga
445b626dc8
[management] Add missing group usage checks for network resources and routes access control ( #3117 )
...
* Prevent deletion of groups linked to routes access control groups
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Prevent deletion of groups linked to network resource
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-12-27 14:39:34 +03:00
Viktor Liu
b3c87cb5d1
[client] Fix inbound tracking in userspace firewall ( #3111 )
...
* Don't create state for inbound SYN
* Allow final ack in some cases
* Relax state machine test a little
2024-12-26 00:51:27 +01:00
Viktor Liu
0dbaddc7be
[client] Don't fail debug if log file is console ( #3103 )
2024-12-24 15:05:23 +01:00
Viktor Liu
ad9f044aad
[client] Add stateful userspace firewall and remove egress filters ( #3093 )
...
- Add stateful firewall functionality for UDP/TCP/ICMP in userspace firewall
- Removes all egress drop rules/filters, still needs refactoring so we don't add output rules to any chains/filters.
- on Linux, if the OUTPUT policy is DROP then we don't do anything about it (no extra allow rules). This is up to the user, if they don't want anything leaving their machine they'll have to manage these rules explicitly.
2024-12-23 18:22:17 +01:00
Viktor Liu
05930ee6b1
[client] Add firewall rules to the debug bundle ( #3089 )
...
Adds the following to the debug bundle:
- iptables: `iptables-save`, `iptables -v -n -L`
- nftables: `nft list ruleset` or if not available formatted output from netlink (WIP)
2024-12-23 15:57:15 +01:00
Pascal Fischer
e670068cab
[management] Run test sequential ( #3101 )
2024-12-23 14:37:09 +01:00
Viktor Liu
b48cf1bf65
[client] Reduce DNS handler chain lock contention ( #3099 )
2024-12-21 15:56:52 +01:00
Bethuel Mmbaga
7ee7ada273
[management] Fix duplicate resource routes when routing peer is part of the source group ( #3095 )
...
* Remove duplicate resource routes when routing peer is part of the source group
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-12-20 21:10:53 +03:00
Zoltan Papp
82b4e58ad0
Do not start DNS forwarder on client side ( #3094 )
2024-12-20 16:20:50 +01:00
Viktor Liu
ddc365f7a0
[client, management] Add new network concept ( #3047 )
...
---------
Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com>
Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com>
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
2024-12-20 11:30:28 +01:00
Maycon Santos
37ad370344
[client] Avoid using iota on mixed const block ( #3057 )
...
Used the values as resolved when the first iota value was the second const in the block.
2024-12-16 18:09:31 +01:00
VYSE V.E.O
703647da1e
fix client unsupported h2 protocol when only 443 activated ( #3009 )
...
When I remove 80 http port in Caddyfile, netbird client cannot connect server:443. Logs show error below:
{"level":"debug","ts":1733809631.4012625,"logger":"http.stdlib","msg":"http: TLS handshake error from redacted:41580: tls: client requested unsupported application protocols ([h2])"}
I wonder here h2 protocol is absent.
2024-12-16 14:17:46 +01:00
Maycon Santos
9eff58ae62
Upgrade x/crypto package ( #3055 )
...
Mitigates the CVE-2024-45337
2024-12-16 10:30:41 +01:00
Jesse R Codling
3844516aa7
[client] fix: reformat IPv6 ICE addresses when punching ( #3050 )
...
Should fix #2327 and #2606 by checking for IPv6 addresses from ICE
2024-12-16 09:58:54 +01:00
M. Essam
f591e47404
Handle DNF5 install script ( #3026 )
2024-12-16 09:41:36 +01:00
Maycon Santos
287ae81195
[misc] split tests with management and rest ( #3051 )
...
optimize go cache for tests
2024-12-14 21:18:46 +01:00
M. Essam
a4a30744ad
Fix race condition with systray ready ( #2993 )
2024-12-14 12:17:53 -08:00
Maycon Santos
dcba6a6b7e
fix: client/Dockerfile to reduce vulnerabilities ( #3019 )
...
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8235201
- https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8235201
Co-authored-by: snyk-bot <snyk-bot@snyk.io>
2024-12-11 16:46:51 +01:00
Pascal Fischer
6142828a9c
[management] restructure api files ( #3013 )
2024-12-10 15:59:25 +01:00
Bethuel Mmbaga
97bb74f824
Remove peer login log ( #3005 )
...
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-12-09 18:40:06 +01:00
Maycon Santos
2147bf75eb
[client] Add peer conn init limit ( #3001 )
...
Limit the peer connection initialization to 200 peers at the same time
2024-12-09 17:10:31 +01:00
Pascal Fischer
e40a29ba17
[client] Add support for state manager on iOS ( #2996 )
2024-12-06 16:51:42 +01:00
Edouard Vanbelle
ff330e644e
upgrade zcalusic/sysinfo@v1.1.3 (add serial for ARM arch) ( #2954 )
...
Signed-off-by: Edouard Vanbelle <edouard.vanbelle@shadow.tech>
2024-12-05 15:38:00 +01:00
M. Essam
713e320c4c
Update account peers on login on meta change ( #2991 )
...
* Update account peers on login on meta change
* Factor out LoginPeer peer not found handling
2024-12-05 14:15:23 +01:00
Maycon Santos
e67fe89adb
Reduce max wait time to initialize peer connections ( #2984 )
...
* Reduce max wait time to initialize peer connections
setting rand time range to 100-300ms instead of 100-800ms
* remove min wait time
2024-12-05 13:03:11 +01:00
Viktor Liu
6cfbb1f320
[client] Init route selector early ( #2989 )
2024-12-05 12:41:12 +01:00
Viktor Liu
c853011a32
[client] Don't return error in rule removal if protocol is not supported ( #2990 )
2024-12-05 12:28:35 +01:00
Maycon Santos
b50b89ba14
[client] Cleanup status resources on engine stop ( #2981 )
...
cleanup leftovers from status recorder when stopping the engine
2024-12-04 14:09:04 +01:00
Pascal Fischer
d063fbb8b9
[management] merge update account peers in sync call ( #2978 )
2024-12-03 16:41:19 +01:00
Viktor Liu
e5d42bc963
[client] Add state handling cmdline options ( #2821 )
2024-12-03 16:07:18 +01:00
Viktor Liu
8866394eb6
[client] Don't choke on non-existent interface in route updates ( #2922 )
2024-12-03 15:33:41 +01:00
Viktor Liu
17c20b45ce
[client] Add network map to debug bundle ( #2966 )
2024-12-03 14:50:12 +01:00
Joakim Nohlgård
7dacd9cb23
[management] Add missing parentheses on iphone hostname generation condition ( #2977 )
2024-12-03 13:49:02 +01:00
Viktor Liu
6285e0d23e
[client] Add netbird.err and netbird.out to debug bundle ( #2971 )
2024-12-03 12:43:17 +01:00
Maycon Santos
a4826cfb5f
[client] Get static system info once ( #2965 )
...
Get static system info once for Windows, Darwin, and Linux nodes
This should improve startup and peer authentication times
2024-12-03 10:22:04 +01:00
Zoltan Papp
a0bf0bdcc0
Pass IP instead of net to Rosenpass ( #2975 )
2024-12-03 10:13:27 +01:00
Viktor Liu
dffce78a8c
[client] Fix debug bundle state anonymization test ( #2976 )
2024-12-02 20:19:34 +01:00
Viktor Liu
c7e7ad5030
[client] Add state file to debug bundle ( #2969 )
2024-12-02 18:04:02 +01:00
Viktor Liu
5142dc52c1
[client] Persist route selection ( #2810 )
2024-12-02 17:55:02 +01:00
Zoltan Papp
ecb44ff306
[client] Add pprof build tag ( #2964 )
...
* Add pprof build tag
* Change env handling
2024-12-01 19:22:52 +01:00
victorserbu2709
e4a5fb3e91
Unspecified address: default NetworkTypeUDP4+NetworkTypeUDP6 ( #2804 )
2024-11-30 10:34:52 +01:00
v1rusnl
e52d352a48
Update Caddyfile and Docker Compose to support HTTP3 ( #2822 )
2024-11-30 10:26:31 +01:00
Maycon Santos
f9723c9266
[client] Account different policy rules for routes firewall rules ( #2939 )
...
* Account different policies rules for routes firewall rules
This change ensures that route firewall rules will consider source group peers in the rules generation for access control policies.
This fixes the behavior where multiple policies with different levels of access were being applied to all peers in a distribution group
* split function
* avoid unnecessary allocation
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com>
---------
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com>
2024-11-29 17:50:35 +01:00
Maycon Santos
8efad1d170
Add guide when signing key is not found ( #2942 )
...
Some users face issues with their IdP due to signing key not being refreshed
With this change we advise users to configure key refresh
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* removing leftover
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2024-11-29 10:06:40 +01:00
Pascal Fischer
c6641be94b
[tests] Enable benchmark tests on github actions ( #2961 )
2024-11-28 19:22:01 +01:00
Pascal Fischer
89cf8a55e2
[management] Add performance test for login and sync calls ( #2960 )
2024-11-28 14:59:53 +01:00