diff --git a/client/firewall/uspfilter/filter.go b/client/firewall/uspfilter/filter.go
index 3355256f2..7120d7d64 100644
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -738,8 +738,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 return false
 }
- translated := m.translateInboundReverse(packetData, d)
- if translated {
+ if translated := m.translateInboundReverse(packetData, d); translated {
 // Re-decode after translation to get original addresses
 if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 m.logger.Error("Failed to re-decode packet after reverse DNAT: %v", err)
diff --git a/client/firewall/uspfilter/nat.go b/client/firewall/uspfilter/nat.go
index 686b62f98..4539f7da5 100644
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -2,6 +2,7 @@ package uspfilter
 import (
 "encoding/binary"
+ "errors"
 "fmt"
 "net/netip"
@@ -10,6 +11,8 @@ import (
 firewall "github.com/netbirdio/netbird/client/firewall/manager"
 )
+var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")
+
 func ipv4Checksum(header []byte) uint16 {
 if len(header) < 20 {
 return 0
@@ -245,7 +248,7 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 // rewritePacketDestination replaces destination IP in the packet
 func (m *Manager) rewritePacketDestination(packetData []byte, d *decoder, newIP netip.Addr) error {
 if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
- return fmt.Errorf("only IPv4 supported")
+ return ErrIPv4Only
 }
 var oldDst [4]byte
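Review bot: In filterInbound (filter.go) the new `if translated := m.translateInboundReverse(packetData, d); translated {` binds a name that, in the visible lines, is only ever true inside the branch it guards, so the variable adds nothing; `if m.translateInboundReverse(packetData, d) {` reads the same and is shorter. The function body continues outside the hunk, so what follows the logged re-decode error is not visible here. Since the comment indicates packetData has already been translated at that point, it is worth confirming that this path drops the packet rather than evaluating rules against a stale decode.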
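Review bot: The exported sentinel `ErrIPv4Only` added in nat.go has no doc comment, so callers cannot tell which functions return it or under which conditions. Something like `// ErrIPv4Only is returned by rewritePacketDestination and rewritePacketSource when the packet or the replacement address is not IPv4.` would cover it. Both users visible in this diff are in package uspfilter; if nothing outside the package matches on it with `errors.Is`, an unexported `errIPv4Only` keeps the package surface smaller.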
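Review bot: The guard in rewritePacketDestination now returns `ErrIPv4Only` for a packet shorter than 20 bytes as well, so a truncated packet is reported as an address-family problem; the identical guard in rewritePacketSource (the `@@ -280,7 +283,7 @@` hunk) has the same issue. Now that the error is a sentinel callers may match on, splitting the length case keeps logs and `errors.Is` checks accurate: `if len(packetData) < 20 { return fmt.Errorf("packet too short for IPv4 header: %d bytes", len(packetData)) }`. The same condition indexes `d.decoded[0]` without a visible length check; presumably the caller only reaches this after a successful decode, but that should be confirmed, since an empty slice would panic on the packet path. Both function bodies continue outside their hunks.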
@@ -280,7 +283,7 @@ func (m *Manager) rewritePacketDestination(packetData []byte, d *decoder, newIP
 // rewritePacketSource replaces the source IP address in the packet
 func (m *Manager) rewritePacketSource(packetData []byte, d *decoder, newIP netip.Addr) error {
 if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
- return fmt.Errorf("only IPv4 supported")
+ return ErrIPv4Only
 }
 var oldSrc [4]byte