035c5d9f23
[management merge only unique entries on network map merge ( #3277 )
2025-02-05 16:50:45 +01:00
b2a5b29fb2
Merge branch 'main' into feature/port-forwarding
2025-02-05 10:15:37 +01:00
0125cd97d8
[client] use embedded root CA if system certpool is empty ( #3272 )
...
* Implement custom TLS certificate handling with fallback to embedded roots
2025-02-04 18:17:59 +03:00
f930ef2ee6
Cleanup magiconair usage from repo ( #3276 )
2025-02-03 17:54:35 +01:00
1b011a2d85
[client] Manage the IP forwarding sysctl setting in global way ( #3270 )
...
Add new package ipfwdstate that implements reference counting for IP forwarding
state management. This allows multiple usage to safely request IP forwarding
without interfering with each other.
2025-02-03 12:27:18 +01:00
a85ea1ddb0
[manager] ingress ports manager support ( #3268 )
...
* add peers manager
* Extend peers manager to support retrieving all peers
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
* add network map calc
* move integrations interface
* update management-integrations
* merge main and fix
* go mod tidy
* [management] port forwarding add peer manager fix network map (#3264 )
* [management] fix testing tools (#3265 )
* Fix net.IPv4 conversion to []byte
* update test to check ipv4
---------
Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: Zoltán Papp <zoltan.pmail@gmail.com >
2025-02-03 09:37:37 +01:00
829e40d2aa
Fix ingress manager unnecessary creation
2025-02-01 10:58:47 +01:00
a76ca8c565
Merge branch 'main' into feature/port-forwarding
2025-01-29 22:28:10 +01:00
26693e4ea8
Feature/port forwarding client ingress ( #3242 )
...
Client-side forward handling
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com >
---------
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com >
2025-01-29 16:04:33 +01:00
e20be2397c
[client] Add missing peer ACL flush ( #3247 )
2025-01-28 23:25:22 +01:00
a7ddb8f1f8
[client] Replace engine probes with direct calls ( #3195 )
2025-01-28 12:25:45 +01:00
a32ec97911
[client] Use dynamic dns route resolution on iOS ( #3243 )
2025-01-27 18:13:10 +01:00
5c05131a94
[client] Support port ranges in peer ACLs ( #3232 )
2025-01-27 13:51:57 +01:00
eb2ac039c7
[client] Mark redirected traffic early to match input filters on pre-DNAT ports ( #3205 )
2025-01-23 18:00:51 +01:00
790a9ed7df
[client] Match more specific dns handler first ( #3226 )
2025-01-23 18:00:05 +01:00
2e61ce006d
[client] Back up corrupted state files and present them in the debug bundle ( #3227 )
2025-01-23 17:59:44 +01:00
3cc485759e
[client] Use correct stdout/stderr log paths for debug bundle on macOS ( #3231 )
2025-01-23 17:59:22 +01:00
aafa9c67fc
[client] Fix freebsd default routes ( #3230 )
2025-01-23 16:57:11 +01:00
c619bf5b0c
[client] Allow freebsd to build netbird-ui ( #3212 )
2025-01-20 11:02:09 +01:00
9f4db0a953
[client] Close ice agent only if not nil ( #3210 )
2025-01-18 00:18:59 +01:00
3e9f0d57ac
[client] Fix windows info out of bounds panic ( #3196 )
2025-01-16 22:19:32 +01:00
bc7b2c6ba3
[client] Report client system flags to management server on login ( #3187 )
2025-01-16 13:58:00 +01:00
992a6c79b4
[client] Flush macOS DNS cache after changes ( #3185 )
2025-01-15 23:26:31 +01:00
78795a4a73
[client] Add block lan access flag for routers ( #3171 )
2025-01-15 17:39:47 +01:00
5a82477d48
[client] Remove outbound chains ( #3157 )
2025-01-15 16:57:41 +01:00
e4a25b6a60
[client-android] add serial, product model, product manufacturer ( #2958 )
...
Signed-off-by: Edouard Vanbelle <edouard.vanbelle@shadow.tech >
2025-01-15 16:02:16 +01:00
b34887a920
[client] Fix a panic on shutdown if dns host manager failed to initialize ( #3182 )
2025-01-15 13:14:46 +01:00
b9efda3ce8
[client] Disable DNS host manager for netstack mode ( #3183 )
2025-01-15 13:14:13 +01:00
15f0a665f8
[client] Allow ssh server on freebsd ( #3170 )
...
* Enable ssh server on freebsd
* Fix listening in netstack mode
* Fix panic if login cmd fails
* Tidy up go mod
2025-01-14 12:43:13 +01:00
9b5b632ff9
[client] Support non-openresolv for DNS on Linux ( #3176 )
2025-01-14 10:39:37 +01:00
522dd44bfa
[client] make /var/lib/netbird paths configurable ( #3084 )
...
- NB_STATE_DIR
- NB_UNCLEAN_SHUTDOWN_RESOLV_FILE
- NB_DNS_STATE_FILE
2025-01-13 10:15:01 +01:00
f48e33b395
[client] Don't fail on v6 ops when disabled via kernel params ( #3165 )
2025-01-10 18:16:21 +01:00
93f3e1b14b
[client] Prevent local routes in status from being overridden by updates ( #3166 )
2025-01-10 11:02:05 +01:00
d9905d1a57
[client] Add disable system flags ( #3153 )
2025-01-07 20:38:18 +01:00
6848e1e128
[client] Add rootless container and fix client routes in netstack mode ( #3150 )
2025-01-06 14:16:31 +01:00
f08605a7f1
[client] Enable network map persistence by default ( #3152 )
2025-01-06 14:11:43 +01:00
abbdf20f65
[client] Allow inbound rosenpass port ( #3109 )
2024-12-31 14:08:48 +01:00
43ef64cf67
[client] Ignore case when matching domains in handler chain ( #3133 )
2024-12-31 14:07:21 +01:00
b3c87cb5d1
[client] Fix inbound tracking in userspace firewall ( #3111 )
...
* Don't create state for inbound SYN
* Allow final ack in some cases
* Relax state machine test a little
2024-12-26 00:51:27 +01:00
0dbaddc7be
[client] Don't fail debug if log file is console ( #3103 )
2024-12-24 15:05:23 +01:00
ad9f044aad
[client] Add stateful userspace firewall and remove egress filters ( #3093 )
...
- Add stateful firewall functionality for UDP/TCP/ICMP in userspace firewalll
- Removes all egress drop rules/filters, still needs refactoring so we don't add output rules to any chains/filters.
- on Linux, if the OUTPUT policy is DROP then we don't do anything about it (no extra allow rules). This is up to the user, if they don't want anything leaving their machine they'll have to manage these rules explicitly.
2024-12-23 18:22:17 +01:00
05930ee6b1
[client] Add firewall rules to the debug bundle ( #3089 )
...
Adds the following to the debug bundle:
- iptables: `iptables-save`, `iptables -v -n -L`
- nftables: `nft list ruleset` or if not available formatted output from netlink (WIP)
2024-12-23 15:57:15 +01:00
b48cf1bf65
[client] Reduce DNS handler chain lock contention ( #3099 )
2024-12-21 15:56:52 +01:00
82b4e58ad0
Do not start DNS forwarder on client side ( #3094 )
2024-12-20 16:20:50 +01:00
ddc365f7a0
[client, management] Add new network concept ( #3047 )
...
---------
Co-authored-by: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com >
Co-authored-by: bcmmbaga <bethuelmbaga12@gmail.com >
Co-authored-by: Maycon Santos <mlsmaycon@gmail.com >
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com >
2024-12-20 11:30:28 +01:00
37ad370344
[client] Avoid using iota on mixed const block ( #3057 )
...
Used the values as resolved when the first iota value was the second const in the block.
2024-12-16 18:09:31 +01:00
3844516aa7
[client] fix: reformat IPv6 ICE addresses when punching ( #3050 )
...
Should fix #2327 and #2606 by checking for IPv6 addresses from ICE
2024-12-16 09:58:54 +01:00
a4a30744ad
Fix race condition with systray ready ( #2993 )
2024-12-14 12:17:53 -08:00
dcba6a6b7e
fix: client/Dockerfile to reduce vulnerabilities ( #3019 )
...
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8235201
- https://snyk.io/vuln/SNYK-ALPINE320-OPENSSL-8235201
Co-authored-by: snyk-bot <snyk-bot@snyk.io >
2024-12-11 16:46:51 +01:00
2147bf75eb
[client] Add peer conn init limit ( #3001 )
...
Limit the peer connection initialization to 200 peers at the same time
2024-12-09 17:10:31 +01:00
