* Feat add basic support for IPv6 networks
Newly generated networks automatically generate an IPv6 prefix of size
64 within the ULA address range, devices obtain a randomly generated
address within this prefix.
Currently, this is Linux only and does not yet support all features
(routes currently cause an error).
* Fix firewall configuration for IPv6 networks
* Fix routing configuration for IPv6 networks
* Feat provide info on IPv6 support for specific client to mgmt server
* Feat allow configuration of IPv6 support through API, improve stability
* Feat add IPv6 support to new firewall implementation
* Fix peer list item response not containing IPv6 address
* Fix nftables breaking on IPv6 address change
* Fix build issues for non-linux systems
* Fix intermittent disconnections when IPv6 is enabled
* Fix test issues and make some minor revisions
* Fix some more testing issues
* Fix more CI issues due to IPv6
* Fix more testing issues
* Add inheritance of IPv6 enablement status from groups
* Fix IPv6 events not having associated messages
* Address first review comments regarding IPv6 support
* Fix IPv6 table being created even when IPv6 is disabled
Also improved stability of IPv6 route and firewall handling on client side
* Fix IPv6 routes not being removed
* Fix DNS IPv6 issues, limit IPv6 nameservers to IPv6 peers
* Improve code for IPv6 DNS server selection, add AAAA custom records
* Ensure IPv6 routes can only exist for IPv6 routing peers
* Fix IPv6 network generation randomness
* Fix a bunch of compilation issues and test failures
* Replace method calls that are unavailable in Go 1.21
* Fix nil dereference in cleanUpDefaultForwardRules6
* Fix nil pointer dereference when persisting IPv6 network in sqlite
* Clean up of client-side code changes for IPv6
* Fix nil dereference in rule mangling and compilation issues
* Add a bunch of client-side test cases for IPv6
* Fix IPv6 tests running on unsupported environments
* Fix import cycle in tests
* Add missing method SupportsIPv6() for windows
* Require IPv6 default route for IPv6 tests
* Fix panics in routemanager tests on non-linux
* Fix some more route manager tests concerning IPv6
* Add some final client-side tests
* Add IPv6 tests for management code, small fixes
* Fix linting issues
* Fix small test suite issues
* Fix linter issues and builds on macOS and Windows again
* fix builds for iOS because of IPv6 breakage
This PR implements the following posture checks:
* Agent minimum version allowed
* OS minimum version allowed
* Geo-location based on connection IP
For the geo-based location, we rely on GeoLite2 databases which are free IP geolocation databases. MaxMind was tested and we provide a script that easily allows to download of all necessary files, see infrastructure_files/download-geolite2.sh.
The OpenAPI spec should extensively cover the life cycle of current version posture checks.
We allow service users with user role read-only access
to all resources so users can create service user and propagate
PATs without having to give full admin permissions.
* Update user's last login when authenticating a peer
Prior to this update the user's last login only updated on dashboard authentication
* use account and user methods
This PR adds support to Owner roles.
The owner role has a similar access level as the admin, but it has the power to delete the account.
Besides that, the role has the following constraints:
- The role can only be transferred. So, only a user with the owner role can transfer the owner role to a new user
- It can't be assigned to users being invited
- It can't be assigned to service users
Restructure data handling for improved performance and flexibility.
Introduce 'G'-prefixed fields to represent Gorm relations, simplifying resource management.
Eliminate complexity in lookup tables for enhanced query and write speed.
Enable independent operations on data structures, requiring adjustments in the Store interface and Account Manager.
The ephemeral manager keep the inactive ephemeral peers in a linked list. The manager schedule a cleanup procedure to the head of the linked list (to the most deprecated peer). At the end of cleanup schedule the next cleanup to the new head.
If a device connect back to the server the manager will remote it from the peers list.
With this fix, all nested slices and pointers will be copied by value.
Also, this fixes tests to compare the original and copy account by their
values by marshaling them to JSON strings.
Before that, they were copying the pointers that also passed the simple `=` compassion
(as the addresses match).
* Extend protocol and firewall manager to handle old management
* Send correct empty firewall rules list when delete peer
* Add extra tests for firewall manager and uspfilter
* Work with inconsistent state
* Review note
* Update comment
* Avoid storing account if no peer meta or expiration change
* remove extra log
* Update management/server/peer.go
Co-authored-by: Misha Bragin <bangvalo@gmail.com>
* Clarify why we need to skip account update
---------
Co-authored-by: Misha Bragin <bangvalo@gmail.com>
The new functionality allows blocking a user in the Management service.
Blocked users lose access to the Dashboard, aren't able to modify the network map,
and all of their connected devices disconnect and are set to the "login expired" state.
Technically all above was achieved with the updated PUT /api/users endpoint,
that was extended with the is_blocked field.
