[client] Add rootless container and fix client routes in netstack mode (#3150)

2026-04-18 16:26:38 +00:00 · 2025-01-06 14:16:31 +01:00
parent 668aead4c8
commit 6848e1e128
5 changed files with 116 additions and 12 deletions
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -17,6 +17,7 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/configurer"
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -104,22 +105,43 @@ func NewManager(
 		peerStore:        peerStore,
 	}

-	dm.routeRefCounter = refcounter.New(
+	dm.setupRefCounters()
+
+	if runtime.GOOS == "android" {
+		cr := dm.initialClientRoutes(initialRoutes)
+		dm.notifier.SetInitialClientRoutes(cr)
+	}
+	return dm
+}
+
+func (m *DefaultManager) setupRefCounters() {
+	m.routeRefCounter = refcounter.New(
 		func(prefix netip.Prefix, _ struct{}) (struct{}, error) {
-			return struct{}{}, sysOps.AddVPNRoute(prefix, wgInterface.ToInterface())
+			return struct{}{}, m.sysOps.AddVPNRoute(prefix, m.wgInterface.ToInterface())
 		},
 		func(prefix netip.Prefix, _ struct{}) error {
-			return sysOps.RemoveVPNRoute(prefix, wgInterface.ToInterface())
+			return m.sysOps.RemoveVPNRoute(prefix, m.wgInterface.ToInterface())
 		},
 	)

-	dm.allowedIPsRefCounter = refcounter.New(
+	if netstack.IsEnabled() {
+		m.routeRefCounter = refcounter.New(
+			func(netip.Prefix, struct{}) (struct{}, error) {
+				return struct{}{}, refcounter.ErrIgnore
+			},
+			func(netip.Prefix, struct{}) error {
+				return nil
+			},
+		)
+	}
+
+	m.allowedIPsRefCounter = refcounter.New(
 		func(prefix netip.Prefix, peerKey string) (string, error) {
 			// save peerKey to use it in the remove function
-			return peerKey, wgInterface.AddAllowedIP(peerKey, prefix.String())
+			return peerKey, m.wgInterface.AddAllowedIP(peerKey, prefix.String())
 		},
 		func(prefix netip.Prefix, peerKey string) error {
-			if err := wgInterface.RemoveAllowedIP(peerKey, prefix.String()); err != nil {
+			if err := m.wgInterface.RemoveAllowedIP(peerKey, prefix.String()); err != nil {
 				if !errors.Is(err, configurer.ErrPeerNotFound) && !errors.Is(err, configurer.ErrAllowedIPNotFound) {
 					return err
 				}
@@ -128,12 +150,6 @@ func NewManager(
 			return nil
 		},
 	)
-
-	if runtime.GOOS == "android" {
-		cr := dm.initialClientRoutes(initialRoutes)
-		dm.notifier.SetInitialClientRoutes(cr)
-	}
-	return dm
 }

 // Init sets up the routing
--- a/client/internal/routemanager/systemops/systemops_generic.go
+++ b/client/internal/routemanager/systemops/systemops_generic.go
@@ -17,6 +17,7 @@ import (

 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/routemanager/util"
 	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
@@ -62,6 +63,17 @@ func (r *SysOps) setupRefCounter(initAddresses []net.IP, stateManager *statemana
 		r.removeFromRouteTable,
 	)

+	if netstack.IsEnabled() {
+		refCounter = refcounter.New(
+			func(netip.Prefix, struct{}) (Nexthop, error) {
+				return Nexthop{}, refcounter.ErrIgnore
+			},
+			func(netip.Prefix, Nexthop) error {
+				return nil
+			},
+		)
+	}
+
 	r.refCounter = refCounter

 	return r.setupHooks(initAddresses, stateManager)