[management, client] Add IPv6 overlay support (#5631)

2026-05-16 13:49:58 +00:00 · 2026-05-07 18:33:37 +09:00
parent f23aaa9ae7
commit 205ebcfda2
229 changed files with 10155 additions and 2816 deletions
--- a/client/internal/routemanager/systemops/systemops.go
+++ b/client/internal/routemanager/systemops/systemops.go
@@ -107,8 +107,16 @@ func (r *SysOps) validateRoute(prefix netip.Prefix) error {
 		addr.IsInterfaceLocalMulticast(),
 		addr.IsMulticast(),
 		addr.IsUnspecified() && prefix.Bits() != 0,
-		r.wgInterface.Address().Network.Contains(addr):
+		r.isOwnAddress(addr):
 		return vars.ErrRouteNotAllowed
 	}
 	return nil
 }
+
+func (r *SysOps) isOwnAddress(addr netip.Addr) bool {
+	if r.wgInterface == nil {
+		return false
+	}
+	wgAddr := r.wgInterface.Address()
+	return wgAddr.Network.Contains(addr) || (wgAddr.IPv6Net.IsValid() && wgAddr.IPv6Net.Contains(addr))
+}
--- a/client/internal/routemanager/systemops/systemops_generic.go
+++ b/client/internal/routemanager/systemops/systemops_generic.go
@@ -221,30 +221,20 @@ func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) er
 			return err
 		}

-		// TODO: remove once IPv6 is supported on the interface
-		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			return fmt.Errorf("add unreachable route split 1: %w", err)
-		}
-		if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
-				log.Warnf("Failed to rollback route addition: %s", err2)
+		// When the interface has no v6, add v6 split-default as blackhole so
+		// unroutable v6 goes to WG (dropped, no AllowedIPs) instead of leaking
+		// to the system default route. When v6 is active, management sends ::/0
+		// as a separate route that the dedicated handler adds.
+		// Soft-fail: v6 blackhole is best-effort, don't abort v4 routing on failure.
+		if !r.wgInterface.Address().HasIPv6() {
+			if err := r.addV6SplitDefault(nextHop); err != nil {
+				log.Warnf("failed to add v6 split-default blackhole: %s", err)
 			}
-			return fmt.Errorf("add unreachable route split 2: %w", err)
 		}

 		return nil
 	case vars.Defaultv6:
-		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			return fmt.Errorf("add unreachable route split 1: %w", err)
-		}
-		if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
-				log.Warnf("Failed to rollback route addition: %s", err2)
-			}
-			return fmt.Errorf("add unreachable route split 2: %w", err)
-		}
-
-		return nil
+		return r.addV6SplitDefault(nextHop)
 	}

 	return r.addToRouteTable(prefix, nextHop)
@@ -265,30 +255,42 @@ func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface)
 			result = multierror.Append(result, err)
 		}

-		// TODO: remove once IPv6 is supported on the interface
-		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			result = multierror.Append(result, err)
-		}
-		if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			result = multierror.Append(result, err)
+		if !r.wgInterface.Address().HasIPv6() {
+			result = multierror.Append(result, r.removeV6SplitDefault(nextHop))
 		}

 		return nberrors.FormatErrorOrNil(result)
 	case vars.Defaultv6:
-		var result *multierror.Error
-		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
-			result = multierror.Append(result, err)
-		}
-		if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
-			result = multierror.Append(result, err)
-		}
-
-		return nberrors.FormatErrorOrNil(result)
+		return nberrors.FormatErrorOrNil(r.removeV6SplitDefault(nextHop))
 	default:
 		return r.removeFromRouteTable(prefix, nextHop)
 	}
 }

+func (r *SysOps) addV6SplitDefault(nextHop Nexthop) error {
+	if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
+		return fmt.Errorf("add split 1: %w", err)
+	}
+	if err := r.addToRouteTable(splitDefaultv6_2, nextHop); err != nil {
+		if err2 := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err2 != nil {
+			log.Warnf("Failed to rollback v6 split-default: %s", err2)
+		}
+		return fmt.Errorf("add split 2: %w", err)
+	}
+	return nil
+}
+
+func (r *SysOps) removeV6SplitDefault(nextHop Nexthop) *multierror.Error {
+	var result *multierror.Error
+	if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
+		result = multierror.Append(result, err)
+	}
+	if err := r.removeFromRouteTable(splitDefaultv6_2, nextHop); err != nil {
+		result = multierror.Append(result, err)
+	}
+	return result
+}
+
 func (r *SysOps) setupHooks(initAddresses []net.IP, stateManager *statemanager.Manager) error {
 	beforeHook := func(connID hooks.ConnectionID, prefix netip.Prefix) error {
 		if _, err := r.refCounter.IncrementWithID(string(connID), prefix, struct{}{}); err != nil {
--- a/client/internal/routemanager/systemops/systemops_generic_test.go
+++ b/client/internal/routemanager/systemops/systemops_generic_test.go
@@ -21,6 +21,7 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
@@ -445,7 +446,7 @@ func createWGInterface(t *testing.T, interfaceName, ipAddressCIDR string, listen

 	opts := iface.WGIFaceOpts{
 		IFaceName:    interfaceName,
-		Address:      ipAddressCIDR,
+		Address:      wgaddr.MustParseWGAddress(ipAddressCIDR),
 		WGPrivKey:    peerPrivateKey.String(),
 		WGPort:       listenPort,
 		MTU:          iface.DefaultMTU,
--- a/client/internal/routemanager/systemops/systemops_linux.go
+++ b/client/internal/routemanager/systemops/systemops_linux.go
@@ -53,6 +53,8 @@ const (

 	// ipv4ForwardingPath is the path to the file containing the IP forwarding setting.
 	ipv4ForwardingPath = "net.ipv4.ip_forward"
+	// ipv6ForwardingPath is the path to the file containing the IPv6 forwarding setting.
+	ipv6ForwardingPath = "net.ipv6.conf.all.forwarding"
 )

 var ErrTableIDExists = errors.New("ID exists with different name")
@@ -185,10 +187,11 @@ func (r *SysOps) AddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {

 	// No need to check if routes exist as main table takes precedence over the VPN table via Rule 1

-	// TODO remove this once we have ipv6 support
-	if prefix == vars.Defaultv4 {
+	// When the peer has no IPv6, blackhole v6 to prevent leaking.
+	// When IPv6 is enabled, management sends ::/0 as a separate route.
+	if prefix == vars.Defaultv4 && (r.wgInterface == nil || !r.wgInterface.Address().HasIPv6()) {
 		if err := addUnreachableRoute(vars.Defaultv6, NetbirdVPNTableID); err != nil {
-			return fmt.Errorf("add blackhole: %w", err)
+			return fmt.Errorf("add v6 blackhole: %w", err)
 		}
 	}
 	if err := addRoute(prefix, Nexthop{netip.Addr{}, intf}, NetbirdVPNTableID); err != nil {
@@ -206,10 +209,9 @@ func (r *SysOps) RemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error
 		return r.genericRemoveVPNRoute(prefix, intf)
 	}

-	// TODO remove this once we have ipv6 support
-	if prefix == vars.Defaultv4 {
+	if prefix == vars.Defaultv4 && (r.wgInterface == nil || !r.wgInterface.Address().HasIPv6()) {
 		if err := removeUnreachableRoute(vars.Defaultv6, NetbirdVPNTableID); err != nil {
-			return fmt.Errorf("remove unreachable route: %w", err)
+			log.Debugf("remove v6 blackhole: %v", err)
 		}
 	}
 	if err := removeRoute(prefix, Nexthop{netip.Addr{}, intf}, NetbirdVPNTableID); err != nil {
@@ -762,8 +764,13 @@ func flushRoutes(tableID, family int) error {
 }

 func EnableIPForwarding() error {
-	_, err := sysctl.Set(ipv4ForwardingPath, 1, false)
-	return err
+	if _, err := sysctl.Set(ipv4ForwardingPath, 1, false); err != nil {
+		return err
+	}
+	if _, err := sysctl.Set(ipv6ForwardingPath, 1, false); err != nil {
+		log.Warnf("failed to enable IPv6 forwarding: %v", err)
+	}
+	return nil
 }

 // entryExists checks if the specified ID or name already exists in the rt_tables file