[client] filter CGNAT and CNI addresses from ICE candidates

In Kubernetes environments using Cilium or similar CNI plugins, pod
CIDR addresses (e.g. 100.65.x.x) from the RFC 6598 CGNAT range
(100.64.0.0/10) were being gathered as valid ICE host candidates.
This caused WireGuard endpoints to resolve to non-routable pod IPs,
producing overlay-routed connections with degraded latency instead of
true P2P paths between hosts.

Add three layers of defense:
- Expand the default interface blacklist with common Kubernetes CNI
  interface prefixes (cilium_, lxc, cali, flannel, cni, weave)
- Filter local and remote ICE candidates whose addresses fall within
  the CGNAT range but outside the NetBird WireGuard network
- Reject UDP mux writes to CGNAT addresses as a defense-in-depth
  fallback

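The interface-prefix blacklist and the "CGNAT but not WireGuard network" candidate check described above, as an added example that is not the project's own code: the prefix list is a hypothetical copy, and the WireGuard network and candidate addresses are constructed sample input.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// cgnatRange is the RFC 6598 shared address space; CNI plugins often carve
// pod CIDRs out of it, and those addresses are not routable between hosts.
var cgnatRange = netip.MustParsePrefix("100.64.0.0/10")

// cniInterfacePrefixes mirrors the blacklist entries from the commit
// (hypothetical copy, not the project's variable); a name matching any
// prefix is skipped when gathering host candidates.
var cniInterfacePrefixes = []string{
	"cilium_", "cilium", "lxc", "cali", "flannel", "cni", "weave",
	"docker", "veth", "br-", "lo",
}

// isBlacklistedInterface reports whether an interface name starts with
// one of the blacklisted prefixes.
func isBlacklistedInterface(name string) bool {
	for _, p := range cniInterfacePrefixes {
		if strings.HasPrefix(name, p) {
			return true
		}
	}
	return false
}

// isUnroutableCGNAT reports whether a candidate address must be dropped:
// it lies in the CGNAT range but outside the WireGuard overlay network,
// which may itself be allocated from that same range.
func isUnroutableCGNAT(addr netip.Addr, wgNet netip.Prefix) bool {
	return cgnatRange.Contains(addr) && !wgNet.Contains(addr)
}

// filterCandidates keeps candidate IPs that are parseable and routable.
func filterCandidates(cands []string, wgNet netip.Prefix) []string {
	var kept []string
	for _, c := range cands {
		addr, err := netip.ParseAddr(c)
		if err != nil || isUnroutableCGNAT(addr, wgNet) {
			continue // pod IP or garbage: never use it as an endpoint
		}
		kept = append(kept, c)
	}
	return kept
}

func main() {
	wgNet := netip.MustParsePrefix("100.127.0.0/16") // constructed WG network
	fmt.Println(filterCandidates([]string{"192.168.1.10", "100.65.3.4", "100.127.0.5"}, wgNet))
}
```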
This commit is contained in:
Zoltán Papp
2026-03-09 16:30:11 +01:00
parent 11eb725ac8
commit 09da089a90
3 changed files with 55 additions and 0 deletions


@@ -42,6 +42,8 @@ const (
var DefaultInterfaceBlacklist = []string{
iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
"Tailscale", "tailscale", "docker", "veth", "br-", "lo",
// Kubernetes CNI interfaces
"cilium_", "cilium", "lxc", "cali", "flannel", "cni", "weave",
}
// ConfigInput carries configuration changes to the client
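Review bot: if the blacklist is applied as a name-prefix match, as the existing entries "br-", "veth" and "wt" suggest, then "cilium_" on the added line is redundant with "cilium" (every name starting with "cilium_" also starts with "cilium"); drop one of them or add a comment saying why both are listed. The short prefixes "cni" and "lxc" will also match non-Kubernetes interfaces such as LXC/LXD host-side veths, which is likely intended but worth stating in the "// Kubernetes CNI interfaces" comment, and a small test over names like "cilium_host", "lxc1234" and "eth0" would pin down the expected matches.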