Viktor Liu
d9905d1a57
[client] Add disable system flags ( #3153 )
2025-01-07 20:38:18 +01:00
Viktor Liu
6848e1e128
[client] Add rootless container and fix client routes in netstack mode ( #3150 )
2025-01-06 14:16:31 +01:00
Viktor Liu
f08605a7f1
[client] Enable network map persistence by default ( #3152 )
2025-01-06 14:11:43 +01:00
Viktor Liu
abbdf20f65
[client] Allow inbound rosenpass port ( #3109 )
2024-12-31 14:08:48 +01:00
Viktor Liu
43ef64cf67
[client] Ignore case when matching domains in handler chain ( #3133 )
2024-12-31 14:07:21 +01:00
Viktor Liu
b3c87cb5d1
[client] Fix inbound tracking in userspace firewall ( #3111 )
* Don't create state for inbound SYN
* Allow final ack in some cases
* Relax state machine test a little
2024-12-26 00:51:27 +01:00
Viktor Liu
0dbaddc7be
[client] Don't fail debug if log file is console ( #3103 )
2024-12-24 15:05:23 +01:00
Viktor Liu
ad9f044aad
[client] Add stateful userspace firewall and remove egress filters ( #3093 )
- Add stateful firewall functionality for UDP/TCP/ICMP in userspace firewall
- Removes all egress drop rules/filters, still needs refactoring so we don't add output rules to any chains/filters.
- on Linux, if the OUTPUT policy is DROP then we don't do anything about it (no extra allow rules). This is up to the user, if they don't want anything leaving their machine they'll have to manage these rules explicitly.
2024-12-23 18:22:17 +01:00
Viktor Liu
05930ee6b1
[client] Add firewall rules to the debug bundle ( #3089 )
Adds the following to the debug bundle:
- iptables: `iptables-save`, `iptables -v -n -L`
- nftables: `nft list ruleset` or if not available formatted output from netlink (WIP)
2024-12-23 15:57:15 +01:00
Viktor Liu
b48cf1bf65
[client] Reduce DNS handler chain lock contention ( #3099 )
2024-12-21 15:56:52 +01:00
Zoltan Papp
82b4e58ad0
Do not start DNS forwarder on client side ( #3094 )
2024-12-20 16:20:50 +01:00
Viktor Liu
ddc365f7a0
[client, management] Add new network concept ( #3047 )
---------
Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com>
Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com>
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
2024-12-20 11:30:28 +01:00
Maycon Santos
37ad370344
[client] Avoid using iota on mixed const block ( #3057 )
Used the values as resolved when the first iota value was the second const in the block.
2024-12-16 18:09:31 +01:00
Jesse R Codling
3844516aa7
[client] fix: reformat IPv6 ICE addresses when punching ( #3050 )
Should fix #2327 and #2606 by checking for IPv6 addresses from ICE
2024-12-16 09:58:54 +01:00
M. Essam
a4a30744ad
Fix race condition with systray ready ( #2993 )
2024-12-14 12:17:53 -08:00
Maycon Santos
dcba6a6b7e
fix: client/Dockerfile to reduce vulnerabilities ( #3019 )
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8235201
Co-authored-by: snyk-bot <snyk-bot@snyk.io>
2024-12-11 16:46:51 +01:00
Maycon Santos
2147bf75eb
[client] Add peer conn init limit ( #3001 )
Limit the peer connection initialization to 200 peers at the same time
2024-12-09 17:10:31 +01:00
Pascal Fischer
e40a29ba17
[client] Add support for state manager on iOS ( #2996 )
2024-12-06 16:51:42 +01:00
Maycon Santos
e67fe89adb
Reduce max wait time to initialize peer connections ( #2984 )
* Reduce max wait time to initialize peer connections
setting rand time range to 100-300ms instead of 100-800ms
* remove min wait time
2024-12-05 13:03:11 +01:00
Viktor Liu
6cfbb1f320
[client] Init route selector early ( #2989 )
2024-12-05 12:41:12 +01:00
Viktor Liu
c853011a32
[client] Don't return error in rule removal if protocol is not supported ( #2990 )
2024-12-05 12:28:35 +01:00
Maycon Santos
b50b89ba14
[client] Cleanup status resources on engine stop ( #2981 )
cleanup leftovers from status recorder when stopping the engine
2024-12-04 14:09:04 +01:00
Viktor Liu
e5d42bc963
[client] Add state handling cmdline options ( #2821 )
2024-12-03 16:07:18 +01:00
Viktor Liu
8866394eb6
[client] Don't choke on non-existent interface in route updates ( #2922 )
2024-12-03 15:33:41 +01:00
Viktor Liu
17c20b45ce
[client] Add network map to debug bundle ( #2966 )
2024-12-03 14:50:12 +01:00
Viktor Liu
6285e0d23e
[client] Add netbird.err and netbird.out to debug bundle ( #2971 )
2024-12-03 12:43:17 +01:00
Maycon Santos
a4826cfb5f
[client] Get static system info once ( #2965 )
Get static system info once for Windows, Darwin, and Linux nodes
This should improve startup and peer authentication times
2024-12-03 10:22:04 +01:00
Zoltan Papp
a0bf0bdcc0
Pass IP instead of net to Rosenpass ( #2975 )
2024-12-03 10:13:27 +01:00
Viktor Liu
dffce78a8c
[client] Fix debug bundle state anonymization test ( #2976 )
2024-12-02 20:19:34 +01:00
Viktor Liu
c7e7ad5030
[client] Add state file to debug bundle ( #2969 )
2024-12-02 18:04:02 +01:00
Viktor Liu
5142dc52c1
[client] Persist route selection ( #2810 )
2024-12-02 17:55:02 +01:00
Zoltan Papp
ecb44ff306
[client] Add pprof build tag ( #2964 )
* Add pprof build tag
* Change env handling
2024-12-01 19:22:52 +01:00
victorserbu2709
e4a5fb3e91
Unspecified address: default NetworkTypeUDP4+NetworkTypeUDP6 ( #2804 )
2024-11-30 10:34:52 +01:00
Zoltan Papp
9203690033
[client] Code cleaning in net pkg and fix exit node feature on Android( #2932 )
Code cleaning around the util/net package. The goal was to write more understandable source code but modify nothing in the logic.
Protect the WireGuard UDP listeners with marks.
The implementation can support the VPN permission revocation events in a thread-safe way. It will be important if we start to support the run-time route and DNS update features.
- uniformize the file name convention: [struct_name] _ [functions] _ [os].go
- code cleaning in net_linux.go
- move env variables to env.go file
2024-11-26 23:34:27 +01:00
Viktor Liu
9810386937
[client] Allow routing to fallback to exclusion routes if rules are not supported ( #2909 )
2024-11-25 15:19:56 +01:00
Viktor Liu
f1625b32bd
[client] Set up sysctl and routing table name only if routing rules are available ( #2933 )
2024-11-25 15:12:16 +01:00
Viktor Liu
0ecd5f2118
[client] Test nftables for incompatible iptables rules ( #2948 )
2024-11-25 15:11:56 +01:00
Viktor Liu
940d0c48c6
[client] Don't return error in userspace mode without firewall ( #2924 )
2024-11-25 15:11:31 +01:00
Zoltan Papp
2a5cb16494
[relay] Refactor initial Relay connection ( #2800 )
- Can support firewalls with restricted WS rules
- Allow running the engine without Relay servers
- Keep Relay address changes up to date
2024-11-22 18:12:34 +01:00
Viktor Liu
1bbabf70b0
[client] Fix allow netbird rule verdict ( #2925 )
* Fix allow netbird rule verdict
* Fix chain name
2024-11-21 16:53:37 +01:00
Krzysztof Nazarewski (kdn)
eb5d0569ae
[client] Add NB_SKIP_SOCKET_MARK & fix crash instead of returning an error ( #2899 )
* dialer: fix crash instead of returning error
* add NB_SKIP_SOCKET_MARK
2024-11-19 14:14:58 +01:00
Maycon Santos
65a94f695f
use google domain for tests ( #2902 )
2024-11-18 12:55:02 +01:00
Viktor Liu
a7d5c52203
Fix error state race on mgmt connection error ( #2892 )
2024-11-15 22:59:49 +01:00
Viktor Liu
582bb58714
Move state updates outside the refcounter ( #2897 )
2024-11-15 22:55:33 +01:00
Viktor Liu
121dfda915
[client] Fix state manager race conditions ( #2890 )
2024-11-15 20:05:26 +01:00
Pascal Fischer
4aee3c9e33
[client/management] add peer lock to peer meta update and fix isEqual func ( #2840 )
2024-11-15 16:59:03 +01:00
Viktor Liu
be78efbd42
[client] Handle panic on nil wg interface ( #2891 )
2024-11-14 20:15:16 +01:00
Maycon Santos
6886691213
Update route calculation tests ( #2884 )
- Add two new test cases for p2p and relay routes with same latency
- Add extra statuses generation
2024-11-13 15:21:33 +01:00
Viktor Liu
39329e12a1
[client] Improve state write timeout and abort work early on timeout ( #2882 )
* Improve state write timeout and abort work early on timeout
* Don't block on initial persist state
2024-11-13 13:46:00 +01:00
Viktor Liu
e0bed2b0fb
[client] Fix race conditions ( #2869 )
* Fix concurrent map access in status
* Fix race when retrieving ctx state error
* Fix race when accessing service controller server instance
2024-11-11 14:55:10 +01:00
Zoltan Papp
30f025e7dd
[client] fix/proxy close ( #2873 )
When the remote peer switches the Relay instance, we must close the proxy connection to the old instance.
It can cause issues when the remote peer switches Relay instances multiple times and then reconnects to an instance it had previously connected to.
2024-11-11 14:18:38 +01:00
Zoltan Papp
b4d7605147
[client] Remove loop after route calculation ( #2856 )
- ICE does not trigger disconnect callbacks if the state did not change
- Fix route calculation callback loop
- Move route state updates into protected scope by mutex
- Do not calculate routes in case of peer.Open() and peer.Close()
2024-11-11 10:53:57 +01:00
Zoltan Papp
4be826450b
[client] Use offload in WireGuard bind receiver ( #2815 )
Improve the performance on Linux and Android in case of P2P connections
2024-11-07 17:28:38 +01:00
Viktor Liu
6829a64a2d
[client] Exclude split default route ip addresses from anonymization ( #2853 )
2024-11-07 16:29:32 +01:00
Viktor Liu
509e184e10
[client] Use the prerouting chain to mark for masquerading to support older systems ( #2808 )
2024-11-07 12:37:04 +01:00
Maycon Santos
b952d8693d
Fix cached device flow oauth ( #2833 )
This change removes the cached device flow oauth info when a down command is called
Removing the need for the agent to be restarted
2024-11-05 14:51:17 +01:00
Viktor Liu
5f06b202c3
[client] Log windows panics ( #2829 )
2024-11-01 15:08:22 +01:00
Zoltan Papp
9812de853b
Allocate new buffer for every package ( #2823 )
2024-11-01 00:33:25 +01:00
Zoltan Papp
ad4f0a6fdf
[client] Nil check on ICE remote conn ( #2806 )
2024-10-31 23:18:35 +01:00
Marco Garcês
01f24907c5
[client] Fix multiple peer name filtering in netbird status command ( #2798 )
2024-10-29 17:49:41 +01:00
pascal-fischer
1e44c5b574
[client] allow relay leader on iOS ( #2795 )
2024-10-28 16:55:00 +01:00
Viktor Liu
940f8b4547
[client] Remove legacy forwarding rules in userspace mode ( #2782 )
2024-10-28 12:29:29 +01:00
Viktor Liu
46e37fa04c
[client] Ignore route rules with no sources instead of erroring out ( #2786 )
2024-10-28 12:28:44 +01:00
Viktor Liu
0fd874fa45
[client] Make native firewall init fail firewall creation ( #2784 )
2024-10-28 10:02:27 +01:00
Viktor Liu
8016710d24
[client] Cleanup firewall state on startup ( #2768 )
2024-10-24 14:46:24 +02:00
Zoltan Papp
4e918e55ba
[client] Fix controller re-connection ( #2758 )
Rethink the peer reconnection implementation
2024-10-24 11:43:14 +02:00
Viktor Liu
869537c951
[client] Cleanup dns and route states on startup ( #2757 )
2024-10-24 10:53:46 +02:00
Zoltan Papp
30ebcf38c7
[client] Eliminate UDP proxy in user-space mode ( #2712 )
In the case of user space WireGuard mode, use in-memory proxy between the TURN/Relay connection and the WireGuard Bind. We keep the UDP proxy and eBPF proxy for kernel mode.
The key change is the new wgproxy/bind and the iface/bind/ice_bind changes. Everything else is just to fulfill the dependencies.
2024-10-22 20:53:14 +02:00
Maycon Santos
507a40bd7f
Fix decompress zip path ( #2755 )
Since 0.30.2 the decompressed binary path from the signed package has changed
now it doesn't contain the arch suffix
this change handles that
2024-10-17 20:39:59 +02:00
Viktor Liu
8c8900be57
[client] Exclude loopback from NAT ( #2747 )
2024-10-16 17:35:59 +02:00
Maycon Santos
cee95461d1
[client] Add universal bin build and update sign workflow version ( #2738 )
* Add universal binaries build for macOS
* update sign pipeline version
* handle info.plist in sign workflow
2024-10-15 15:03:17 +02:00
Viktor Liu
3a88ac78ff
[client] Add table filter rules using iptables ( #2727 )
This specifically concerns the established/related rule since this one is not compatible with iptables-nft even if it is generated the same way by iptables-translate.
2024-10-12 10:44:48 +02:00
Zoltan Papp
0e95f16cdd
[relay,client] Relay/fix/wg roaming ( #2691 )
If a peer connection switches from Relayed to ICE P2P, the Relayed proxy still consumes the data the other peer sends. Because the proxy is operating, the WireGuard switches back to the Relayed proxy automatically, thanks to the roaming feature.
Extend the Proxy implementation with pause/resume functions. Before switching to the p2p connection, pause the WireGuard proxy operation to prevent unnecessary package sources.
Consider waiting some milliseconds after the pause to be sure the WireGuard engine has already processed all UDP messages from the pipe.
2024-10-11 16:24:30 +02:00
Viktor Liu
09bdd271f1
[client] Improve route acl ( #2705 )
- Update nftables library to v0.2.0
- Mark traffic that was originally destined for local and apply the input rules in the forward chain if said traffic was redirected (e.g. by Docker)
- Add nft rules to internal map only if flush was successful
- Improve error message if handle is 0 (= not found or hasn't been refreshed)
- Add debug logging when route rules are added
- Replace nftables userdata (rule ID) with a rule hash
2024-10-10 15:54:34 +02:00
pascal-fischer
8284ae959c
[management] Move testdata to sql files ( #2693 )
2024-10-10 12:35:03 +02:00
Viktor Liu
44e8107383
[client] Limit P2P attempts and restart on specific events ( #2657 )
2024-10-08 11:21:11 +02:00
Carlos Hernandez
f603cd9202
[client] Check wginterface instead of engine ctx ( #2676 )
Moving code to ensure wgInterface is gone right after context is cancelled/stopped, in the off chance that on next retry the backoff operation is permanently cancelled and the interface is abandoned without being destroyed.
2024-10-04 19:15:16 +02:00
pascal-fischer
158936fb15
[management] Remove file store ( #2689 )
2024-10-03 15:50:35 +02:00
Zoltan Papp
fd67892cb4
[client] Refactor/iface pkg ( #2646 )
Refactor the flat code structure
2024-10-02 18:24:22 +02:00
Maycon Santos
b7b0828133
[client] Adjust relay worker log level and message ( #2683 )
2024-10-02 15:14:09 +02:00
Bethuel Mmbaga
ff7863785f
[management, client] Add access control support to network routes ( #2100 )
2024-10-02 13:41:00 +02:00
Zoltan Papp
ee0ea86a0a
[relay-client] Fix Relay disconnection handling ( #2680 )
* Fix Relay disconnection handling
If there was an active P2P connection while the Relay connection to the server broke, then we removed the WireGuard peer configuration.
* Change logs
2024-10-01 16:22:18 +02:00
Zoltan Papp
3dca6099d4
Fix ebpf close function ( #2672 )
2024-09-30 10:34:57 +02:00
pascal-fischer
52ae693c9e
[signal] add context to signal-dispatcher ( #2662 )
2024-09-29 00:22:47 +02:00
Zoltan Papp
4ebf6e1c4c
[client] Close the remote conn in proxy ( #2626 )
Port the conn close call to eBPF proxy
2024-09-25 18:50:10 +02:00
Viktor Liu
b51d75204b
[client] Anonymize relay address in status peers view ( #2640 )
2024-09-24 20:58:18 +02:00
Viktor Liu
e7d52c8c95
[client] Fix error count formatting ( #2641 )
2024-09-24 20:57:56 +02:00
Viktor Liu
ab82302c95
[client] Remove usage of custom dialer for localhost ( #2639 )
* Downgrade error log level for network monitor warnings
* Do not use custom dialer for localhost
2024-09-24 12:29:15 +02:00
Zoltan Papp
6f0fd1d1b3
- Increase queue size and drop the overflowed messages ( #2617 )
- Explicitly close the net.Conn in user space wgProxy when closing the wgProxy
- Add extra logs
2024-09-19 13:49:09 +02:00
Zoltan Papp
28cbb4b70f
[client] Cancel the context of wg watcher when the goroutine exits ( #2612 )
2024-09-17 12:10:17 +02:00
Zoltan Papp
1104c9c048
[client] Fix race condition while read/write conn status in peer conn ( #2607 )
2024-09-17 11:15:14 +02:00
Zoltan Papp
b74951f29e
[client] Enforce permissions on Win ( #2568 )
Enforce folder permission on Windows, giving only administrators and system access to the NetBird folder.
2024-09-16 22:42:37 +02:00
Maycon Santos
fa7767e612
Fix get management and signal state race condition ( #2570 )
* Fix get management and signal state race condition
* fix get full status lock
2024-09-15 16:07:26 +02:00
Carlos Hernandez
1ef51a4ffa
[client] Ensure engine is stopped before starting it back ( #2565 )
Before starting a new instance of the engine, check if it is nil and stop the current instance
2024-09-13 16:46:59 +02:00
Zoltan Papp
ab892b8cf9
Fix wg handshake checking ( #2590 )
* Fix wg handshake checking
* Ensure in the initial handshake reading
* Change the handshake period
2024-09-12 19:18:02 +02:00
Maycon Santos
51e1d3ab8f
fix: client/Dockerfile to reduce vulnerabilities ( #2548 )
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE319-OPENSSL-7895536
Co-authored-by: snyk-bot <snyk-bot@snyk.io>
2024-09-09 18:44:37 +02:00
benniekiss
12c36312b5
[management] Auto update geolite ( #2297 )
introduces helper functions to fetch and verify database versions, downloads new files if outdated, and deletes old ones. It also refactors filename handling to improve clarity and consistency, adding options to disable auto-updating via a flag. The changes aim to simplify GeoLite database management for admins.
2024-09-09 18:27:42 +02:00
Zoltan Papp
0c039274a4
[relay] Feature/relay integration ( #2244 )
This update adds new relay integration for NetBird clients. The new relay is based on web sockets and listens on a single port.
- Adds new relay implementation with websocket with single port relaying mechanism
- refactor peer connection logic, allowing upgrade and downgrade from/to P2P connection
- peer connections are faster since it connects first to relay and then upgrades to P2P
- maintains compatibility with old clients by not using the new relay
- updates infrastructure scripts with new relay service
2024-09-08 12:06:14 +02:00
pascal-fischer
fcac02a92f
add log ( #2546 )
2024-09-06 19:04:34 +02:00
Maycon Santos
bdbd1db843
[client] Avoid panic when there is no conn client ( #2541 )
2024-09-05 15:09:46 +02:00