609654eee7
[client] Allow userspace local forwarding to internal interfaces if requested ( #3884 )
2025-06-04 18:12:48 +02:00
ea4d13e96d
[client] Use platform-native routing APIs for freeBSD, macOS and Windows
2025-06-04 16:28:58 +02:00
1ce4ee0cef
[client] Add block inbound flag to disallow inbound connections of any kind ( #3897 )
2025-06-03 10:53:27 +02:00
41cd4952f1
[client] Apply return traffic rules only if firewall is stateless ( #3895 )
2025-06-02 12:11:54 +02:00
84bfecdd37
[client] add byte counters & ruleID for routed traffic on userspace ( #3653 )
...
* [client] add byte counters for routed traffic on userspace
* [client] add allowed ruleID for routed traffic on userspace
2025-04-28 10:10:41 +03:00
3cf87b6846
[client] Run container tests more generically ( #3737 )
2025-04-25 18:50:44 +02:00
ef8b8a2891
[client] Ensure dst-type local marks can overwrite nat marks ( #3738 )
2025-04-25 12:43:20 +02:00
4a9049566a
[client] Set up firewall rules for dns routes dynamically based on dns response ( #3702 )
2025-04-24 17:37:28 +02:00
85f92f8321
[client] Add more userspace filter ACL test cases ( #3730 )
2025-04-24 12:57:46 +02:00
192c97aa63
[client] Support IP fragmentation in userspace ( #3639 )
2025-04-08 12:49:14 +02:00
6162aeb82d
[client] Mark netbird data plane traffic to identify interface traffic correctly ( #3623 )
2025-04-07 13:14:56 +02:00
df9c1b9883
[client] Improve TCP conn tracking ( #3572 )
2025-04-05 11:42:15 +02:00
5752bb78f2
[client] Fix missing inbound flows in Linux userspace mode with native router ( #3624 )
...
* Fix missing inbound flows in Linux userspace mode with native router
* Fix route enable/disable order for userspace mode
2025-04-05 11:41:31 +02:00
48ffec95dd
Improve local ip lookup ( #3551 )
...
- lower memory footprint in most cases
- increase accuracy
2025-03-31 10:05:57 +02:00
29a6e5be71
[client] Stop flow grpc receiver properly ( #3596 )
2025-03-28 16:08:31 +01:00
99b41543b8
[client] Fix flows for embedded listeners ( #3564 )
2025-03-22 18:51:48 +01:00
c02e236196
[client,management] add netflow support to client and update management ( #3414 )
...
adds NetFlow functionality to track and log network traffic information between peers, with features including:
- Flow logging for TCP, UDP, and ICMP traffic
- Integration with connection tracking system
- Resource ID tracking in NetFlow events
- DNS and exit node collection configuration
- Flow API and Redis cache in management
- Memory-based flow storage implementation
- Kernel conntrack counters and userspace counters
- TCP state machine improvements for more accurate tracking
- Migration from net.IP to netip.Addr in the userspace firewall
2025-03-20 17:05:48 +01:00
80ceb80197
[client] Ignore candidates that are part of the the wireguard subnet ( #3472 )
2025-03-10 13:59:21 +01:00
6bef474e9e
[client] Prevent panic in case of double close call ( #3475 )
...
Prevent panic in case of double close call
2025-03-10 13:16:28 +01:00
fc1da94520
[client, management] Add port forwarding ( #3275 )
...
Add initial support to ingress ports on the client code.
- new types where added
- new protocol messages and controller
2025-03-09 16:06:43 +01:00
bcc5824980
[client] Close userspace firewall properly ( #3426 )
2025-03-04 11:19:42 +01:00
a74208abac
[client] Fix udp forwarder deadline ( #3364 )
2025-02-21 18:51:52 +01:00
631ef4ed28
[client] Add embeddable library ( #3239 )
2025-02-20 13:22:03 +01:00
b41de7fcd1
[client] Enable userspace forwarder conditionally ( #3309 )
...
* Enable userspace forwarder conditionally
* Move disable/enable logic
2025-02-12 11:10:49 +01:00
05415f72ec
[client] Add experimental support for userspace routing ( #3134 )
2025-02-07 14:11:53 +01:00
e20be2397c
[client] Add missing peer ACL flush ( #3247 )
2025-01-28 23:25:22 +01:00
5c05131a94
[client] Support port ranges in peer ACLs ( #3232 )
2025-01-27 13:51:57 +01:00
eb2ac039c7
[client] Mark redirected traffic early to match input filters on pre-DNAT ports ( #3205 )
2025-01-23 18:00:51 +01:00
5a82477d48
[client] Remove outbound chains ( #3157 )
2025-01-15 16:57:41 +01:00
d9905d1a57
[client] Add disable system flags ( #3153 )
2025-01-07 20:38:18 +01:00
abbdf20f65
[client] Allow inbound rosenpass port ( #3109 )
2024-12-31 14:08:48 +01:00
b3c87cb5d1
[client] Fix inbound tracking in userspace firewall ( #3111 )
...
* Don't create state for inbound SYN
* Allow final ack in some cases
* Relax state machine test a little
2024-12-26 00:51:27 +01:00
ad9f044aad
[client] Add stateful userspace firewall and remove egress filters ( #3093 )
...
- Add stateful firewall functionality for UDP/TCP/ICMP in userspace firewalll
- Removes all egress drop rules/filters, still needs refactoring so we don't add output rules to any chains/filters.
- on Linux, if the OUTPUT policy is DROP then we don't do anything about it (no extra allow rules). This is up to the user, if they don't want anything leaving their machine they'll have to manage these rules explicitly.
2024-12-23 18:22:17 +01:00
8866394eb6
[client] Don't choke on non-existent interface in route updates ( #2922 )
2024-12-03 15:33:41 +01:00
5142dc52c1
[client] Persist route selection ( #2810 )
2024-12-02 17:55:02 +01:00
0ecd5f2118
[client] Test nftables for incompatible iptables rules ( #2948 )
2024-11-25 15:11:56 +01:00
940d0c48c6
[client] Don't return error in userspace mode without firewall ( #2924 )
2024-11-25 15:11:31 +01:00
1bbabf70b0
[client] Fix allow netbird rule verdict ( #2925 )
...
* Fix allow netbird rule verdict
* Fix chain name
2024-11-21 16:53:37 +01:00
39329e12a1
[client] Improve state write timeout and abort work early on timeout ( #2882 )
...
* Improve state write timeout and abort work early on timeout
* Don't block on initial persist state
2024-11-13 13:46:00 +01:00
509e184e10
[client] Use the prerouting chain to mark for masquerading to support older systems ( #2808 )
2024-11-07 12:37:04 +01:00
940f8b4547
[client] Remove legacy forwarding rules in userspace mode ( #2782 )
2024-10-28 12:29:29 +01:00
0fd874fa45
[client] Make native firewall init fail firewall creation ( #2784 )
2024-10-28 10:02:27 +01:00
8016710d24
[client] Cleanup firewall state on startup ( #2768 )
2024-10-24 14:46:24 +02:00
869537c951
[client] Cleanup dns and route states on startup ( #2757 )
2024-10-24 10:53:46 +02:00
8c8900be57
[client] Exclude loopback from NAT ( #2747 )
2024-10-16 17:35:59 +02:00
3a88ac78ff
[client] Add table filter rules using iptables ( #2727 )
...
This specifically concerns the established/related rule since this one is not compatible with iptables-nft even if it is generated the same way by iptables-translate.
2024-10-12 10:44:48 +02:00
09bdd271f1
[client] Improve route acl ( #2705 )
...
- Update nftables library to v0.2.0
- Mark traffic that was originally destined for local and applies the input rules in the forward chain if said traffic was redirected (e.g. by Docker)
- Add nft rules to internal map only if flush was successful
- Improve error message if handle is 0 (= not found or hasn't been refreshed)
- Add debug logging when route rules are added
- Replace nftables userdata (rule ID) with a rule hash
2024-10-10 15:54:34 +02:00
fd67892cb4
[client] Refactor/iface pkg ( #2646 )
...
Refactor the flat code structure
2024-10-02 18:24:22 +02:00
ff7863785f
[management, client] Add access control support to network routes ( #2100 )
2024-10-02 13:41:00 +02:00
926e11b086
Remove default allow for UDP on unmatched packet ( #2300 )
...
This fixes an issue where UDP rules were ineffective for userspace clients (Windows/macOS)
2024-07-22 15:35:17 +02:00
