Remove default protocol for migrated rules policy

client/firewall/iptables/manager_linux.go

@@ -27,6 +27,9 @@ var pingSupportDefaultRule = []string{
 	"-p", "icmp", "--icmp-type", "echo-request", "-j",
 	"ACCEPT", "-m", "comment", "--comment", "Allow pings from the Netbird Devices"}
 
+// dropAllDefaultRule in the Netbird chain
+var dropAllDefaultRule = []string{"-j", "DROP"}
+
 // Manager of iptables firewall
 type Manager struct {
 	mutex sync.Mutex
@@ -184,7 +187,9 @@ func (m *Manager) filterRuleSpecs(
 	case fw.DirectionDst:
 		specs = append(specs, "-d", ip.String())
 	}
-	specs = append(specs, "-p", protocol)
+	if protocol != "" {
+		specs = append(specs, "-p", protocol)
+	}
 	if port != "" {
 		specs = append(specs, "--dport", port)
 	}
@@ -224,6 +229,10 @@ func (m *Manager) client(ip net.IP) (*iptables.IPTables, error) {
 			return nil, fmt.Errorf("failed to create default ping allow rule: %w", err)
 		}
 
+		if err := client.AppendUnique("filter", ChainFilterName, dropAllDefaultRule...); err != nil {
+			return nil, fmt.Errorf("failed to create default drop all in netbird chain: %w", err)
+		}
+
 		specs := append([]string{"-i", m.wgIfaceName}, jumpNetbirdDefaultRule...)
 		if err := client.AppendUnique("filter", "INPUT", specs...); err != nil {
 			return nil, fmt.Errorf("failed to create chain: %w", err)

client/internal/engine.go

@@ -1098,9 +1098,6 @@ func (e *Engine) protoRuleToFirewallRule(r *mgmProto.FirewallRule) firewall.Rule
 		protocol = firewall.ProtocolUDP
 	case "icmp":
 		protocol = firewall.ProtocolICMP
-	default:
-		log.Errorf("invalid protocol, skipping firewall rule: %q", r.Protocol)
-		return nil
 	}
 
 	var direction firewall.Direction

management/server/policy.go

@@ -228,13 +228,6 @@ func (f *FirewallRule) parseFromRegoResult(value interface{}) error {
 	f.Direction = direction
 	f.Action = action
 
-	// TODO: remove this after migration from rules
-	//
-	// by default if protocol not present use TCP
-	if f.Protocol == "" {
-		f.Protocol = "tcp"
-	}
-
 	return nil
 }
 

management/server/policy_test.go

@@ -53,12 +53,12 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 	assert.Contains(t, peers, account.Peers["peer3"])
 
 	epectedFirewallRules := []*FirewallRule{
-		{PeerID: "peer1", PeerIP: "10.20.0.1", Direction: "dst", Action: "accept", Protocol: "tcp", Port: ""},
+		{PeerID: "peer1", PeerIP: "10.20.0.1", Direction: "dst", Action: "accept", Port: ""},
-		{PeerID: "peer2", PeerIP: "10.20.0.2", Direction: "dst", Action: "accept", Protocol: "tcp", Port: ""},
+		{PeerID: "peer2", PeerIP: "10.20.0.2", Direction: "dst", Action: "accept", Port: ""},
-		{PeerID: "peer3", PeerIP: "10.20.0.3", Direction: "dst", Action: "accept", Protocol: "tcp", Port: ""},
+		{PeerID: "peer3", PeerIP: "10.20.0.3", Direction: "dst", Action: "accept", Port: ""},
-		{PeerID: "peer1", PeerIP: "10.20.0.1", Direction: "src", Action: "accept", Protocol: "tcp", Port: ""},
+		{PeerID: "peer1", PeerIP: "10.20.0.1", Direction: "src", Action: "accept", Port: ""},
-		{PeerID: "peer2", PeerIP: "10.20.0.2", Direction: "src", Action: "accept", Protocol: "tcp", Port: ""},
+		{PeerID: "peer2", PeerIP: "10.20.0.2", Direction: "src", Action: "accept", Port: ""},
-		{PeerID: "peer3", PeerIP: "10.20.0.3", Direction: "src", Action: "accept", Protocol: "tcp", Port: ""},
+		{PeerID: "peer3", PeerIP: "10.20.0.3", Direction: "src", Action: "accept", Port: ""},
 	}
 	assert.Len(t, firewallRules, len(epectedFirewallRules))
 	for i := range firewallRules {