* Prevent deletion of groups linked to routes access control groups
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Prevent deletion of groups linked to network resource
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
- Add stateful firewall functionality for UDP/TCP/ICMP in userspace firewalll
- Removes all egress drop rules/filters, still needs refactoring so we don't add output rules to any chains/filters.
- on Linux, if the OUTPUT policy is DROP then we don't do anything about it (no extra allow rules). This is up to the user, if they don't want anything leaving their machine they'll have to manage these rules explicitly.
Adds the following to the debug bundle:
- iptables: `iptables-save`, `iptables -v -n -L`
- nftables: `nft list ruleset` or if not available formatted output from netlink (WIP)
* Remove duplicate resource routes when routing peer is part of the source group
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
* Add tests
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
When I remove 80 http port in Caddyfile, netbird client cannot connect server:443. Logs show error below:
{"level":"debug","ts":1733809631.4012625,"logger":"http.stdlib","msg":"http: TLS handshake error from redacted:41580: tls: client requested unsupported application protocols ([h2])"}
I wonder here h2 protocol is absent.
* Account different policies rules for routes firewall rules
This change ensures that route firewall rules will consider source group peers in the rules generation for access control policies.
This fixes the behavior where multiple policies with different levels of access was being applied to all peers in a distribution group
* split function
* avoid unnecessary allocation
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com>
---------
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com>
Some users face issues with their IdP due to signing key not being refreshed
With this change we advise users to configure key refresh
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* removing leftover
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Code cleaning around the util/net package. The goal was to write a more understandable source code but modify nothing on the logic.
Protect the WireGuard UDP listeners with marks.
The implementation can support the VPN permission revocation events in thread safe way. It will be important if we start to support the running time route and DNS update features.
- uniformize the file name convention: [struct_name] _ [functions] _ [os].go
- code cleaning in net_linux.go
- move env variables to env.go file
