sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-18 16:26:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

[client] Add IPv6 support to ACL manager, USP filter, and forwarder (#5688)

Browse Source
This commit is contained in:
Viktor Liu
2026-04-09 16:56:08 +08:00
committed by GitHub
parent a1e7db2713
commit 1c4e5e71d7
78 changed files with 3606 additions and 1071 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
client/internal/debug/debug_test.go
View File

@@ -430,8 +430,6 @@ func isInCGNATRange(ip net.IP) bool {
}
func TestAnonymizeFirewallRules(t *testing.T) {
// TODO: Add ipv6
// Example iptables-save output
iptablesSave := `# Generated by iptables-save v1.8.7 on Thu Dec 19 10:00:00 2024
*filter
@@ -467,17 +465,31 @@ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination`
// Example nftables output
// Example ip6tables-save output
ip6tablesSave := `# Generated by ip6tables-save v1.8.7 on Thu Dec 19 10:00:00 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s fd00:1234::1/128 -j ACCEPT
-A INPUT -s 2607:f8b0:4005::1/128 -j DROP
-A FORWARD -s 2001:db8::/32 -d 2607:f8b0:4005::200e/128 -j ACCEPT
COMMIT`
// Example nftables output with IPv6
nftablesRules := `table inet filter {
chain input {
type filter hook input priority filter; policy accept;
ip saddr 192.168.1.1 accept
ip saddr 44.192.140.1 drop
ip6 saddr 2607:f8b0:4005::1 drop
ip6 saddr fd00:1234::1 accept
}
chain forward {
type filter hook forward priority filter; policy accept;
ip saddr 10.0.0.0/8 drop
ip saddr 44.192.140.0/24 ip daddr 52.84.12.34/24 accept
ip6 saddr 2001:db8::/32 ip6 daddr 2607:f8b0:4005::200e/128 accept
}
}`
@@ -540,4 +552,35 @@ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
assert.Contains(t, anonNftables, "table inet filter {")
assert.Contains(t, anonNftables, "chain input {")
assert.Contains(t, anonNftables, "type filter hook input priority filter; policy accept;")
// IPv6 public addresses in nftables should be anonymized
assert.NotContains(t, anonNftables, "2607:f8b0:4005::1")
assert.NotContains(t, anonNftables, "2607:f8b0:4005::200e")
assert.NotContains(t, anonNftables, "2001:db8::")
assert.Contains(t, anonNftables, "2001:db8:ffff::") // Default anonymous v6 range
// ULA addresses in nftables should remain unchanged (private)
assert.Contains(t, anonNftables, "fd00:1234::1")
// IPv6 nftables structure preserved
assert.Contains(t, anonNftables, "ip6 saddr")
assert.Contains(t, anonNftables, "ip6 daddr")
// Test ip6tables-save anonymization
anonIp6tablesSave := anonymizer.AnonymizeString(ip6tablesSave)
// ULA (private) IPv6 should remain unchanged
assert.Contains(t, anonIp6tablesSave, "fd00:1234::1/128")
// Public IPv6 addresses should be anonymized
assert.NotContains(t, anonIp6tablesSave, "2607:f8b0:4005::1")
assert.NotContains(t, anonIp6tablesSave, "2607:f8b0:4005::200e")
assert.NotContains(t, anonIp6tablesSave, "2001:db8::")
assert.Contains(t, anonIp6tablesSave, "2001:db8:ffff::") // Default anonymous v6 range
// Structure should be preserved
assert.Contains(t, anonIp6tablesSave, "*filter")
assert.Contains(t, anonIp6tablesSave, "COMMIT")
assert.Contains(t, anonIp6tablesSave, "-j DROP")
assert.Contains(t, anonIp6tablesSave, "-j ACCEPT")
}