[client] Mark netbird data plane traffic to identify interface traffic correctly (#3623)

2026-04-18 08:16:39 +00:00 · 2025-04-07 13:14:56 +02:00
parent 1ba1e092ce
commit 6162aeb82d
12 changed files with 270 additions and 67 deletions
--- a/util/net/env_linux.go
+++ b/util/net/env_linux.go
@@ -88,9 +88,21 @@ func CheckFwmarkSupport() bool {
 		log.Warnf("failed to dial with fwmark: %v", err)
 		return false
 	}
-	if err := conn.Close(); err != nil {
-		log.Warnf("failed to close connection: %v", err)

+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Warnf("failed to close connection: %v", err)
+		}
+	}()
+
+	if err := conn.SetWriteDeadline(time.Now().Add(time.Millisecond * 100)); err != nil {
+		log.Warnf("failed to set write deadline: %v", err)
+		return false
+	}
+
+	if _, err := conn.Write([]byte("")); err != nil {
+		log.Warnf("failed to write to fwmark connection: %v", err)
+		return false
 	}

 	return true
--- a/util/net/net.go
+++ b/util/net/net.go
@@ -8,14 +8,40 @@ import (
 )

 const (
-	// NetbirdFwmark is the fwmark value used by Netbird via wireguard
-	NetbirdFwmark = 0x1BD00
+	// ControlPlaneMark is the fwmark value used to mark packets that should not be routed through the NetBird interface to
+	// avoid routing loops.
+	// This includes all control plane traffic (mgmt, signal, flows), relay, ICE/stun/turn and everything that is emitted by the wireguard socket.
+	// It doesn't collide with the other marks, as the others are used for data plane traffic only.
+	ControlPlaneMark = 0x1BD00

-	PreroutingFwmarkRedirected       = 0x1BD01
-	PreroutingFwmarkMasquerade       = 0x1BD11
-	PreroutingFwmarkMasqueradeReturn = 0x1BD12
+	// Data plane marks (0x1BD10 - 0x1BDFF)
+
+	// DataPlaneMarkLower is the lowest value for the data plane range
+	DataPlaneMarkLower = 0x1BD10
+	// DataPlaneMarkUpper is the highest value for the data plane range
+	DataPlaneMarkUpper = 0x1BDFF
+
+	// DataPlaneMarkIn is the mark for inbound data plane traffic.
+	DataPlaneMarkIn = 0x1BD10
+
+	// DataPlaneMarkOut is the mark for outbound data plane traffic.
+	DataPlaneMarkOut = 0x1BD11
+
+	// PreroutingFwmarkRedirected is applied to packets that are were redirected (input -> forward, e.g. by Docker or Podman) for special handling.
+	PreroutingFwmarkRedirected = 0x1BD20
+
+	// PreroutingFwmarkMasquerade is applied to packets that arrive from the NetBird interface and should be masqueraded.
+	PreroutingFwmarkMasquerade = 0x1BD21
+
+	// PreroutingFwmarkMasqueradeReturn is applied to packets that will leave through the NetBird interface and should be masqueraded.
+	PreroutingFwmarkMasqueradeReturn = 0x1BD22
 )

+// IsDataPlaneMark determines if a fwmark is in the data plane range (0x1BD10-0x1BDFF)
+func IsDataPlaneMark(fwmark uint32) bool {
+	return fwmark >= DataPlaneMarkLower && fwmark <= DataPlaneMarkUpper
+}
+
 // ConnectionID provides a globally unique identifier for network connections.
 // It's used to track connections throughout their lifecycle so the close hook can correlate with the dial hook.
 type ConnectionID string
--- a/util/net/net_linux.go
+++ b/util/net/net_linux.go
@@ -51,5 +51,5 @@ func setRawSocketMark(conn syscall.RawConn) error {
 }

 func setSocketOptInt(fd int) error {
-	return syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK, NetbirdFwmark)
+	return syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK, ControlPlaneMark)
 }