Feat linux firewall support (#805)

Update the client's engine to apply firewall rules received from the manager (results of ACL policy).
2026-04-18 08:16:39 +00:00 · 2023-05-29 18:00:18 +04:00
parent 2eb9a97fee
commit ba7a39a4fc
51 changed files with 4143 additions and 1013 deletions
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -0,0 +1,209 @@
+package acl
+
+import (
+	"fmt"
+	"net"
+	"strconv"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/iface"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+)
+
+// iFaceMapper defines subset methods of interface required for manager
+type iFaceMapper interface {
+	Name() string
+	IsUserspaceBind() bool
+	SetFiltering(iface.PacketFilter) error
+}
+
+// Manager is a ACL rules manager
+type Manager interface {
+	ApplyFiltering(rules []*mgmProto.FirewallRule)
+	Stop()
+}
+
+// DefaultManager uses firewall manager to handle
+type DefaultManager struct {
+	manager    firewall.Manager
+	rulesPairs map[string][]firewall.Rule
+	mutex      sync.Mutex
+}
+
+// ApplyFiltering firewall rules to the local firewall manager processed by ACL policy.
+func (d *DefaultManager) ApplyFiltering(rules []*mgmProto.FirewallRule) {
+	d.mutex.Lock()
+	defer d.mutex.Unlock()
+
+	if d.manager == nil {
+		log.Debug("firewall manager is not supported, skipping firewall rules")
+		return
+	}
+
+	var (
+		applyFailed  bool
+		newRulePairs = make(map[string][]firewall.Rule)
+	)
+	for _, r := range rules {
+		rules, err := d.protoRuleToFirewallRule(r)
+		if err != nil {
+			log.Errorf("failed to apply firewall rule: %+v, %v", r, err)
+			applyFailed = true
+			break
+		}
+		newRulePairs[rules[0].GetRuleID()] = rules
+	}
+	if applyFailed {
+		log.Error("failed to apply firewall rules, rollback ACL to previous state")
+		for _, rules := range newRulePairs {
+			for _, rule := range rules {
+				if err := d.manager.DeleteRule(rule); err != nil {
+					log.Errorf("failed to delete new firewall rule (id: %v) during rollback: %v", rule.GetRuleID(), err)
+					continue
+				}
+			}
+		}
+		return
+	}
+
+	for pairID, rules := range d.rulesPairs {
+		if _, ok := newRulePairs[pairID]; !ok {
+			for _, rule := range rules {
+				if err := d.manager.DeleteRule(rule); err != nil {
+					log.Errorf("failed to delete firewall rule: %v", err)
+					continue
+				}
+			}
+			delete(d.rulesPairs, pairID)
+		}
+	}
+	d.rulesPairs = newRulePairs
+}
+
+// Stop ACL controller and clear firewall state
+func (d *DefaultManager) Stop() {
+	d.mutex.Lock()
+	defer d.mutex.Unlock()
+
+	if err := d.manager.Reset(); err != nil {
+		log.WithError(err).Error("reset firewall state")
+	}
+}
+
+func (d *DefaultManager) protoRuleToFirewallRule(r *mgmProto.FirewallRule) ([]firewall.Rule, error) {
+	ip := net.ParseIP(r.PeerIP)
+	if ip == nil {
+		return nil, fmt.Errorf("invalid IP address, skipping firewall rule")
+	}
+
+	protocol := convertToFirewallProtocol(r.Protocol)
+	if protocol == firewall.ProtocolUnknown {
+		return nil, fmt.Errorf("invalid protocol type: %d, skipping firewall rule", r.Protocol)
+	}
+
+	action := convertFirewallAction(r.Action)
+	if action == firewall.ActionUnknown {
+		return nil, fmt.Errorf("invalid action type: %d, skipping firewall rule", r.Action)
+	}
+
+	var port *firewall.Port
+	if r.Port != "" {
+		value, err := strconv.Atoi(r.Port)
+		if err != nil {
+			return nil, fmt.Errorf("invalid port, skipping firewall rule")
+		}
+		port = &firewall.Port{
+			Values: []int{value},
+		}
+	}
+
+	var rules []firewall.Rule
+	var err error
+	switch r.Direction {
+	case mgmProto.FirewallRule_IN:
+		rules, err = d.addInRules(ip, protocol, port, action, "")
+	case mgmProto.FirewallRule_OUT:
+		rules, err = d.addOutRules(ip, protocol, port, action, "")
+	default:
+		return nil, fmt.Errorf("invalid direction, skipping firewall rule")
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	d.rulesPairs[rules[0].GetRuleID()] = rules
+	return rules, nil
+}
+
+func (d *DefaultManager) addInRules(ip net.IP, protocol firewall.Protocol, port *firewall.Port, action firewall.Action, comment string) ([]firewall.Rule, error) {
+	var rules []firewall.Rule
+	rule, err := d.manager.AddFiltering(ip, protocol, nil, port, firewall.RuleDirectionIN, action, comment)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
+	}
+	rules = append(rules, rule)
+
+	if shouldSkipInvertedRule(protocol) {
+		return rules, nil
+	}
+
+	rule, err = d.manager.AddFiltering(ip, protocol, port, nil, firewall.RuleDirectionOUT, action, comment)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
+	}
+
+	return append(rules, rule), nil
+}
+
+func (d *DefaultManager) addOutRules(ip net.IP, protocol firewall.Protocol, port *firewall.Port, action firewall.Action, comment string) ([]firewall.Rule, error) {
+	var rules []firewall.Rule
+	rule, err := d.manager.AddFiltering(ip, protocol, nil, port, firewall.RuleDirectionOUT, action, comment)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
+	}
+	rules = append(rules, rule)
+
+	if shouldSkipInvertedRule(protocol) {
+		return rules, nil
+	}
+
+	rule, err = d.manager.AddFiltering(ip, protocol, port, nil, firewall.RuleDirectionIN, action, comment)
+	if err != nil {
+		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
+	}
+
+	return append(rules, rule), nil
+}
+func convertToFirewallProtocol(protocol mgmProto.FirewallRuleProtocol) firewall.Protocol {
+	switch protocol {
+	case mgmProto.FirewallRule_TCP:
+		return firewall.ProtocolTCP
+	case mgmProto.FirewallRule_UDP:
+		return firewall.ProtocolUDP
+	case mgmProto.FirewallRule_ICMP:
+		return firewall.ProtocolICMP
+	case mgmProto.FirewallRule_ALL:
+		return firewall.ProtocolALL
+	default:
+		return firewall.ProtocolUnknown
+	}
+}
+
+func shouldSkipInvertedRule(protocol firewall.Protocol) bool {
+	return protocol == firewall.ProtocolALL || protocol == firewall.ProtocolICMP
+}
+
+func convertFirewallAction(action mgmProto.FirewallRuleAction) firewall.Action {
+	switch action {
+	case mgmProto.FirewallRule_ACCEPT:
+		return firewall.ActionAccept
+	case mgmProto.FirewallRule_DROP:
+		return firewall.ActionDrop
+	default:
+		return firewall.ActionUnknown
+	}
+}
--- a/client/internal/acl/manager_create.go
+++ b/client/internal/acl/manager_create.go
@@ -0,0 +1,27 @@
+//go:build !linux
+
+package acl
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/firewall/uspfilter"
+)
+
+// Create creates a firewall manager instance
+func Create(iface iFaceMapper) (manager *DefaultManager, err error) {
+	if iface.IsUserspaceBind() {
+		// use userspace packet filtering firewall
+		fm, err := uspfilter.Create(iface)
+		if err != nil {
+			return nil, err
+		}
+		return &DefaultManager{
+			manager:    fm,
+			rulesPairs: make(map[string][]firewall.Rule),
+		}, nil
+	}
+	return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
+}
--- a/client/internal/acl/manager_create_linux.go
+++ b/client/internal/acl/manager_create_linux.go
@@ -0,0 +1,36 @@
+package acl
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/firewall/iptables"
+	"github.com/netbirdio/netbird/client/firewall/nftables"
+	"github.com/netbirdio/netbird/client/firewall/uspfilter"
+)
+
+// Create creates a firewall manager instance for the Linux
+func Create(iface iFaceMapper) (manager *DefaultManager, err error) {
+	var fm firewall.Manager
+	if iface.IsUserspaceBind() {
+		// use userspace packet filtering firewall
+		if fm, err = uspfilter.Create(iface); err != nil {
+			log.Debugf("failed to create userspace filtering firewall: %s", err)
+			return nil, err
+		}
+	} else {
+		if fm, err = iptables.Create(iface.Name()); err != nil {
+			log.Debugf("failed to create iptables manager: %s", err)
+			// fallback to nftables
+			if fm, err = nftables.Create(iface.Name()); err != nil {
+				log.Errorf("failed to create nftables manager: %s", err)
+				return nil, err
+			}
+		}
+	}
+
+	return &DefaultManager{
+		manager:    fm,
+		rulesPairs: make(map[string][]firewall.Rule),
+	}, nil
+}
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -0,0 +1,92 @@
+package acl
+
+import (
+	"runtime"
+	"testing"
+
+	"github.com/golang/mock/gomock"
+
+	"github.com/netbirdio/netbird/client/internal/acl/mocks"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
+)
+
+func TestDefaultManager(t *testing.T) {
+	// TODO: enable when other platform will be added
+	if runtime.GOOS != "linux" {
+		t.Skipf("ACL manager not supported in the: %s", runtime.GOOS)
+		return
+	}
+
+	fwRules := []*mgmProto.FirewallRule{
+		{
+			PeerIP:    "10.93.0.1",
+			Direction: mgmProto.FirewallRule_OUT,
+			Action:    mgmProto.FirewallRule_ACCEPT,
+			Protocol:  mgmProto.FirewallRule_TCP,
+			Port:      "80",
+		},
+		{
+			PeerIP:    "10.93.0.2",
+			Direction: mgmProto.FirewallRule_OUT,
+			Action:    mgmProto.FirewallRule_DROP,
+			Protocol:  mgmProto.FirewallRule_UDP,
+			Port:      "53",
+		},
+	}
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	iface := mocks.NewMockIFaceMapper(ctrl)
+	iface.EXPECT().IsUserspaceBind().Return(false)
+	iface.EXPECT().Name().Return("lo")
+
+	// we receive one rule from the management so for testing purposes ignore it
+	acl, err := Create(iface)
+	if err != nil {
+		t.Errorf("create ACL manager: %v", err)
+		return
+	}
+	defer acl.Stop()
+
+	t.Run("apply firewall rules", func(t *testing.T) {
+		acl.ApplyFiltering(fwRules)
+
+		if len(acl.rulesPairs) != 2 {
+			t.Errorf("firewall rules not applied: %v", acl.rulesPairs)
+			return
+		}
+	})
+
+	t.Run("add extra rules", func(t *testing.T) {
+		// remove first rule
+		fwRules = fwRules[1:]
+		fwRules = append(fwRules, &mgmProto.FirewallRule{
+			PeerIP:    "10.93.0.3",
+			Direction: mgmProto.FirewallRule_IN,
+			Action:    mgmProto.FirewallRule_DROP,
+			Protocol:  mgmProto.FirewallRule_ICMP,
+		})
+
+		existedRulesID := map[string]struct{}{}
+		for id := range acl.rulesPairs {
+			existedRulesID[id] = struct{}{}
+		}
+
+		acl.ApplyFiltering(fwRules)
+
+		// we should have one old and one new rule in the existed rules
+		if len(acl.rulesPairs) != 2 {
+			t.Errorf("firewall rules not applied")
+			return
+		}
+
+		// check that old rules was removed
+		for id := range existedRulesID {
+			if _, ok := acl.rulesPairs[id]; ok {
+				t.Errorf("old rule was not removed")
+				return
+			}
+		}
+	})
+}
--- a/client/internal/acl/mocks/iface_mapper.go
+++ b/client/internal/acl/mocks/iface_mapper.go
@@ -0,0 +1,77 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/netbirdio/netbird/client/internal/acl (interfaces: IFaceMapper)
+
+// Package mocks is a generated GoMock package.
+package mocks
+
+import (
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+	iface "github.com/netbirdio/netbird/iface"
+)
+
+// MockIFaceMapper is a mock of IFaceMapper interface.
+type MockIFaceMapper struct {
+	ctrl     *gomock.Controller
+	recorder *MockIFaceMapperMockRecorder
+}
+
+// MockIFaceMapperMockRecorder is the mock recorder for MockIFaceMapper.
+type MockIFaceMapperMockRecorder struct {
+	mock *MockIFaceMapper
+}
+
+// NewMockIFaceMapper creates a new mock instance.
+func NewMockIFaceMapper(ctrl *gomock.Controller) *MockIFaceMapper {
+	mock := &MockIFaceMapper{ctrl: ctrl}
+	mock.recorder = &MockIFaceMapperMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockIFaceMapper) EXPECT() *MockIFaceMapperMockRecorder {
+	return m.recorder
+}
+
+// IsUserspaceBind mocks base method.
+func (m *MockIFaceMapper) IsUserspaceBind() bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "IsUserspaceBind")
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// IsUserspaceBind indicates an expected call of IsUserspaceBind.
+func (mr *MockIFaceMapperMockRecorder) IsUserspaceBind() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsUserspaceBind", reflect.TypeOf((*MockIFaceMapper)(nil).IsUserspaceBind))
+}
+
+// Name mocks base method.
+func (m *MockIFaceMapper) Name() string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Name")
+	ret0, _ := ret[0].(string)
+	return ret0
+}
+
+// Name indicates an expected call of Name.
+func (mr *MockIFaceMapperMockRecorder) Name() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Name", reflect.TypeOf((*MockIFaceMapper)(nil).Name))
+}
+
+// SetFiltering mocks base method.
+func (m *MockIFaceMapper) SetFiltering(arg0 iface.PacketFilter) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetFiltering", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetFiltering indicates an expected call of SetFiltering.
+func (mr *MockIFaceMapperMockRecorder) SetFiltering(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetFiltering", reflect.TypeOf((*MockIFaceMapper)(nil).SetFiltering), arg0)
+}