[management, client] Add IPv6 overlay support (#5631)

client/internal/debug/debug_test.go

@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"net"
+	"net/netip"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -21,8 +22,16 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/shared/netiputil"
 )
 
+func mustEncodePrefix(t *testing.T, p netip.Prefix) []byte {
+	t.Helper()
+	b, err := netiputil.EncodePrefix(p)
+	require.NoError(t, err)
+	return b
+}
+
 func TestAnonymizeStateFile(t *testing.T) {
 	testState := map[string]json.RawMessage{
 		"null_state": json.RawMessage("null"),
@@ -173,7 +182,7 @@ func TestAnonymizeStateFile(t *testing.T) {
 	assert.Equal(t, "100.64.0.1", state["protected_ip"]) // Protected IP unchanged
 	assert.Equal(t, "8.8.8.8", state["well_known_ip"])   // Well-known IP unchanged
 	assert.NotEqual(t, "2001:db8::1", state["ipv6_addr"])
-	assert.Equal(t, "fd00::1", state["private_ipv6"]) // Private IPv6 unchanged
+	assert.NotEqual(t, "fd00::1", state["private_ipv6"]) // ULA IPv6 anonymized (global ID is a fingerprint)
 	assert.NotEqual(t, "test.example.com", state["domain"])
 	assert.True(t, strings.HasSuffix(state["domain"].(string), ".domain"))
 	assert.Equal(t, "device.netbird.cloud", state["netbird_domain"]) // Netbird domain unchanged
@@ -277,11 +286,13 @@ func mustMarshal(v any) json.RawMessage {
 }
 
 func TestAnonymizeNetworkMap(t *testing.T) {
+	origV6Prefix := netip.MustParsePrefix("2001:db8:abcd::5/64")
 	networkMap := &mgmProto.NetworkMap{
 		PeerConfig: &mgmProto.PeerConfig{
-			Address: "203.0.113.5",
-			Dns:     "1.2.3.4",
-			Fqdn:    "peer1.corp.example.com",
+			Address:   "203.0.113.5",
+			AddressV6: mustEncodePrefix(t, origV6Prefix),
+			Dns:       "1.2.3.4",
+			Fqdn:      "peer1.corp.example.com",
 			SshConfig: &mgmProto.SSHConfig{
 				SshPubKey: []byte("ssh-rsa AAAAB3NzaC1..."),
 			},
@@ -355,6 +366,12 @@ func TestAnonymizeNetworkMap(t *testing.T) {
 	require.NotEqual(t, "peer1.corp.example.com", peerCfg.Fqdn)
 	require.True(t, strings.HasSuffix(peerCfg.Fqdn, ".domain"))
 
+	// Verify AddressV6 is anonymized but preserves prefix length
+	anonV6Prefix, err := netiputil.DecodePrefix(peerCfg.AddressV6)
+	require.NoError(t, err)
+	assert.Equal(t, origV6Prefix.Bits(), anonV6Prefix.Bits(), "prefix length must be preserved")
+	assert.NotEqual(t, origV6Prefix.Addr(), anonV6Prefix.Addr(), "IPv6 address must be anonymized")
+
 	// Verify SSH key is replaced
 	require.Equal(t, []byte("ssh-placeholder-key"), peerCfg.SshConfig.SshPubKey)
 
@@ -660,8 +677,6 @@ func isInCGNATRange(ip net.IP) bool {
 }
 
 func TestAnonymizeFirewallRules(t *testing.T) {
-	// TODO: Add ipv6
-
 	// Example iptables-save output
 	iptablesSave := `# Generated by iptables-save v1.8.7 on Thu Dec 19 10:00:00 2024
 *filter
@@ -697,17 +712,31 @@ Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination`
 
-	// Example nftables output
+	// Example ip6tables-save output
+	ip6tablesSave := `# Generated by ip6tables-save v1.8.7 on Thu Dec 19 10:00:00 2024
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -s fd00:1234::1/128 -j ACCEPT
+-A INPUT -s 2607:f8b0:4005::1/128 -j DROP
+-A FORWARD -s 2001:db8::/32 -d 2607:f8b0:4005::200e/128 -j ACCEPT
+COMMIT`
+
+	// Example nftables output with IPv6
 	nftablesRules := `table inet filter {
         chain input {
                 type filter hook input priority filter; policy accept;
                 ip saddr 192.168.1.1 accept
                 ip saddr 44.192.140.1 drop
+                ip6 saddr 2607:f8b0:4005::1 drop
+                ip6 saddr fd00:1234::1 accept
         }
         chain forward {
                 type filter hook forward priority filter; policy accept;
                 ip saddr 10.0.0.0/8 drop
                 ip saddr 44.192.140.0/24 ip daddr 52.84.12.34/24 accept
+                ip6 saddr 2001:db8::/32 ip6 daddr 2607:f8b0:4005::200e/128 accept
         }
     }`
 
@@ -770,6 +799,37 @@ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 	assert.Contains(t, anonNftables, "table inet filter {")
 	assert.Contains(t, anonNftables, "chain input {")
 	assert.Contains(t, anonNftables, "type filter hook input priority filter; policy accept;")
+
+	// IPv6 public addresses in nftables should be anonymized
+	assert.NotContains(t, anonNftables, "2607:f8b0:4005::1")
+	assert.NotContains(t, anonNftables, "2607:f8b0:4005::200e")
+	assert.NotContains(t, anonNftables, "2001:db8::")
+	assert.Contains(t, anonNftables, "2001:db8:ffff::") // Default anonymous v6 range
+
+	// ULA addresses in nftables should be anonymized (global ID is a fingerprint)
+	assert.NotContains(t, anonNftables, "fd00:1234::1")
+
+	// IPv6 nftables structure preserved
+	assert.Contains(t, anonNftables, "ip6 saddr")
+	assert.Contains(t, anonNftables, "ip6 daddr")
+
+	// Test ip6tables-save anonymization
+	anonIp6tablesSave := anonymizer.AnonymizeString(ip6tablesSave)
+
+	// ULA IPv6 should be anonymized (global ID is a fingerprint)
+	assert.NotContains(t, anonIp6tablesSave, "fd00:1234::1/128")
+
+	// Public IPv6 addresses should be anonymized
+	assert.NotContains(t, anonIp6tablesSave, "2607:f8b0:4005::1")
+	assert.NotContains(t, anonIp6tablesSave, "2607:f8b0:4005::200e")
+	assert.NotContains(t, anonIp6tablesSave, "2001:db8::")
+	assert.Contains(t, anonIp6tablesSave, "2001:db8:ffff::") // Default anonymous v6 range
+
+	// Structure should be preserved
+	assert.Contains(t, anonIp6tablesSave, "*filter")
+	assert.Contains(t, anonIp6tablesSave, "COMMIT")
+	assert.Contains(t, anonIp6tablesSave, "-j DROP")
+	assert.Contains(t, anonIp6tablesSave, "-j ACCEPT")
 }
 
 // TestAddConfig_AllFieldsCovered uses reflection to ensure every field in