e9f11fb11b
Replace net.IP with netip.Addr ( #3425 )
2025-03-05 18:28:05 +01:00
419ed275fa
Handle TCP RST flag to transition connection state to closed ( #3432 )
2025-03-05 18:25:42 +01:00
8c81a823fa
Add flow ACL IDs ( #3421 )
2025-03-04 16:43:07 +01:00
1e10c17ecb
Fix tcp state ( #3431 )
2025-03-04 11:19:54 +01:00
96d5190436
Add icmp type and code to forwarder flow event ( #3413 )
2025-02-28 21:04:07 +01:00
d19c26df06
Fix log direction ( #3412 )
2025-02-28 21:03:40 +01:00
36e36414d9
Fix forwarder log displaying ( #3411 )
2025-02-28 20:53:01 +01:00
6ead0ff95e
Fix log format
2025-02-28 20:24:23 +01:00
0db65a8984
Add routed packet drop flow ( #3410 )
2025-02-28 20:04:59 +01:00
637c0c8949
Add icmp type and code ( #3409 )
2025-02-28 19:16:42 +01:00
c72e13d8e6
Add conntrack flows ( #3406 )
2025-02-28 19:16:29 +01:00
f6d7bccfa0
Add flow client with sender/receiver ( #3405 )
add an initial version of receiver client and flow manager receiver and sender
2025-02-28 17:16:18 +00:00
fa748a7ec2
Add userspace flow implementation ( #3393 )
2025-02-28 11:08:35 +01:00
f8fd65a65f
Merge branch 'main' into feature/port-forwarding
2025-02-25 11:37:52 +01:00
a74208abac
[client] Fix udp forwarder deadline ( #3364 )
2025-02-21 18:51:52 +01:00
630edf2480
Remove unused var
2025-02-20 13:24:37 +01:00
ea469d28d7
Merge branch 'main' into feature/port-forwarding
2025-02-20 13:24:05 +01:00
631ef4ed28
[client] Add embeddable library ( #3239 )
2025-02-20 13:22:03 +01:00
8755211a60
Merge branch 'main' into feature/port-forwarding
2025-02-20 11:39:06 +01:00
b41de7fcd1
[client] Enable userspace forwarder conditionally ( #3309 )
* Enable userspace forwarder conditionally
* Move disable/enable logic
2025-02-12 11:10:49 +01:00
05415f72ec
[client] Add experimental support for userspace routing ( #3134 )
2025-02-07 14:11:53 +01:00
1b011a2d85
[client] Manage the IP forwarding sysctl setting in global way ( #3270 )
Add new package ipfwdstate that implements reference counting for IP forwarding
state management. This allows multiple usage to safely request IP forwarding
without interfering with each other.
2025-02-03 12:27:18 +01:00
a76ca8c565
Merge branch 'main' into feature/port-forwarding
2025-01-29 22:28:10 +01:00
26693e4ea8
Feature/port forwarding client ingress ( #3242 )
Client-side forward handling
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com>
---------
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com>
2025-01-29 16:04:33 +01:00
e20be2397c
[client] Add missing peer ACL flush ( #3247 )
2025-01-28 23:25:22 +01:00
5c05131a94
[client] Support port ranges in peer ACLs ( #3232 )
2025-01-27 13:51:57 +01:00
eb2ac039c7
[client] Mark redirected traffic early to match input filters on pre-DNAT ports ( #3205 )
2025-01-23 18:00:51 +01:00
5a82477d48
[client] Remove outbound chains ( #3157 )
2025-01-15 16:57:41 +01:00
d9905d1a57
[client] Add disable system flags ( #3153 )
2025-01-07 20:38:18 +01:00
abbdf20f65
[client] Allow inbound rosenpass port ( #3109 )
2024-12-31 14:08:48 +01:00
b3c87cb5d1
[client] Fix inbound tracking in userspace firewall ( #3111 )
* Don't create state for inbound SYN
* Allow final ack in some cases
* Relax state machine test a little
2024-12-26 00:51:27 +01:00
ad9f044aad
[client] Add stateful userspace firewall and remove egress filters ( #3093 )
- Add stateful firewall functionality for UDP/TCP/ICMP in userspace firewall
- Removes all egress drop rules/filters; still needs refactoring so we don't add output rules to any chains/filters.
- On Linux, if the OUTPUT policy is DROP then we don't do anything about it (no extra allow rules). This is up to the user: if they don't want anything leaving their machine, they'll have to manage these rules explicitly.
2024-12-23 18:22:17 +01:00
8866394eb6
[client] Don't choke on non-existent interface in route updates ( #2922 )
2024-12-03 15:33:41 +01:00
5142dc52c1
[client] Persist route selection ( #2810 )
2024-12-02 17:55:02 +01:00
0ecd5f2118
[client] Test nftables for incompatible iptables rules ( #2948 )
2024-11-25 15:11:56 +01:00
940d0c48c6
[client] Don't return error in userspace mode without firewall ( #2924 )
2024-11-25 15:11:31 +01:00
1bbabf70b0
[client] Fix allow netbird rule verdict ( #2925 )
* Fix allow netbird rule verdict
* Fix chain name
2024-11-21 16:53:37 +01:00
39329e12a1
[client] Improve state write timeout and abort work early on timeout ( #2882 )
* Improve state write timeout and abort work early on timeout
* Don't block on initial persist state
2024-11-13 13:46:00 +01:00
509e184e10
[client] Use the prerouting chain to mark for masquerading to support older systems ( #2808 )
2024-11-07 12:37:04 +01:00
940f8b4547
[client] Remove legacy forwarding rules in userspace mode ( #2782 )
2024-10-28 12:29:29 +01:00
0fd874fa45
[client] Make native firewall init fail firewall creation ( #2784 )
2024-10-28 10:02:27 +01:00
8016710d24
[client] Cleanup firewall state on startup ( #2768 )
2024-10-24 14:46:24 +02:00
869537c951
[client] Cleanup dns and route states on startup ( #2757 )
2024-10-24 10:53:46 +02:00
8c8900be57
[client] Exclude loopback from NAT ( #2747 )
2024-10-16 17:35:59 +02:00
3a88ac78ff
[client] Add table filter rules using iptables ( #2727 )
This specifically concerns the established/related rule since this one is not compatible with iptables-nft even if it is generated the same way by iptables-translate.
2024-10-12 10:44:48 +02:00
09bdd271f1
[client] Improve route acl ( #2705 )
- Update nftables library to v0.2.0
- Mark traffic that was originally destined for local and apply the input rules in the forward chain if said traffic was redirected (e.g. by Docker)
- Add nft rules to internal map only if flush was successful
- Improve error message if handle is 0 (= not found or hasn't been refreshed)
- Add debug logging when route rules are added
- Replace nftables userdata (rule ID) with a rule hash
2024-10-10 15:54:34 +02:00
fd67892cb4
[client] Refactor/iface pkg ( #2646 )
Refactor the flat code structure
2024-10-02 18:24:22 +02:00
ff7863785f
[management, client] Add access control support to network routes ( #2100 )
2024-10-02 13:41:00 +02:00
926e11b086
Remove default allow for UDP on unmatched packet ( #2300 )
This fixes an issue where UDP rules were ineffective for userspace clients (Windows/macOS)
2024-07-22 15:35:17 +02:00
6aae797baf
Add loopback ignore rule to nat chains ( #2190 )
This makes sure loopback traffic is not affected by NAT
2024-06-25 09:43:36 +02:00