[client,management] add netflow support to client and update management (#3414)

adds NetFlow functionality to track and log network traffic information between peers, with features including: - Flow logging for TCP, UDP, and ICMP traffic - Integration with connection tracking system - Resource ID tracking in NetFlow events - DNS and exit node collection configuration - Flow API and Redis cache in management - Memory-based flow storage implementation - Kernel conntrack counters and userspace counters - TCP state machine improvements for more accurate tracking - Migration from net.IP to netip.Addr in the userspace firewall
2026-04-18 08:16:39 +00:00 · 2025-03-20 17:05:48 +01:00
parent f51e0b59bd
commit c02e236196
151 changed files with 7118 additions and 2234 deletions
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -1012,6 +1012,7 @@ func (a *Account) connResourcesGenerator(ctx context.Context) (func(*PolicyRule,
 				}

 				fr := FirewallRule{
+					PolicyID:  rule.ID,
 					PeerIP:    peer.IP.String(),
 					Direction: direction,
 					Action:    string(rule.Action),
--- a/management/server/types/firewall_rule.go
+++ b/management/server/types/firewall_rule.go
@@ -20,6 +20,9 @@ const (

 // FirewallRule is a rule of the firewall.
 type FirewallRule struct {
+	// PolicyID is the ID of the policy this rule is derived from
+	PolicyID string
+
 	// PeerIP of the peer
 	PeerIP string

@@ -58,6 +61,7 @@ func generateRouteFirewallRules(ctx context.Context, route *nbroute.Route, rule
 	}

 	baseRule := RouteFirewallRule{
+		PolicyID:     rule.PolicyID,
 		SourceRanges: sourceRanges,
 		Action:       string(rule.Action),
 		Destination:  route.Network.String(),
--- a/management/server/types/peer.go
+++ b/management/server/types/peer.go
@@ -0,0 +1,37 @@
+package types
+
+import (
+	"net"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+)
+
+// PeerSync used as a data object between the gRPC API and Manager on Sync request.
+type PeerSync struct {
+	// WireGuardPubKey is a peers WireGuard public key
+	WireGuardPubKey string
+	// Meta is the system information passed by peer, must be always present
+	Meta nbpeer.PeerSystemMeta
+	// UpdateAccountPeers indicate updating account peers,
+	// which occurs when the peer's metadata is updated
+	UpdateAccountPeers bool
+}
+
+// PeerLogin used as a data object between the gRPC API and Manager on Login request.
+type PeerLogin struct {
+	// WireGuardPubKey is a peers WireGuard public key
+	WireGuardPubKey string
+	// SSHKey is a peer's ssh key. Can be empty (e.g., old version do not provide it, or this feature is disabled)
+	SSHKey string
+	// Meta is the system information passed by peer, must be always present.
+	Meta nbpeer.PeerSystemMeta
+	// UserID indicates that JWT was used to log in, and it was valid. Can be empty when SetupKey is used or auth is not required.
+	UserID string
+	// SetupKey references to a server.SetupKey to log in. Can be empty when UserID is used or auth is not required.
+	SetupKey string
+	// ConnectionIP is the real IP of the peer
+	ConnectionIP net.IP
+
+	// ExtraDNSLabels is a list of extra DNS labels that the peer wants to use
+	ExtraDNSLabels []string
+}
--- a/management/server/types/route_firewall_rule.go
+++ b/management/server/types/route_firewall_rule.go
@@ -6,6 +6,9 @@ import (

 // RouteFirewallRule a firewall rule applicable for a routed network.
 type RouteFirewallRule struct {
+	// PolicyID is the ID of the policy this rule is derived from
+	PolicyID string
+
 	// SourceRanges IP ranges of the routing peers.
 	SourceRanges []string

--- a/management/server/types/settings.go
+++ b/management/server/types/settings.go
@@ -2,8 +2,6 @@ package types

 import (
 	"time"
-
-	"github.com/netbirdio/netbird/management/server/account"
 )

 // Settings represents Account settings structure that can be modified via API and Dashboard
@@ -42,7 +40,7 @@ type Settings struct {
 	RoutingPeerDNSResolutionEnabled bool

 	// Extra is a dictionary of Account settings
-	Extra *account.ExtraSettings `gorm:"embedded;embeddedPrefix:extra_"`
+	Extra *ExtraSettings `gorm:"embedded;embeddedPrefix:extra_"`
 }

 // Copy copies the Settings struct
@@ -66,3 +64,26 @@ func (s *Settings) Copy() *Settings {
 	}
 	return settings
 }
+
+type ExtraSettings struct {
+	// PeerApprovalEnabled enables or disables the need for peers bo be approved by an administrator
+	PeerApprovalEnabled bool
+
+	// IntegratedValidatorGroups list of group IDs to be used with integrated approval configurations
+	IntegratedValidatorGroups []string `gorm:"serializer:json"`
+
+	FlowEnabled              bool `gorm:"-"`
+	FlowPacketCounterEnabled bool `gorm:"-"`
+	FlowENCollectionEnabled  bool `gorm:"-"`
+	FlowDnsCollectionEnabled bool `gorm:"-"`
+}
+
+// Copy copies the ExtraSettings struct
+func (e *ExtraSettings) Copy() *ExtraSettings {
+	var cpGroup []string
+
+	return &ExtraSettings{
+		PeerApprovalEnabled:       e.PeerApprovalEnabled,
+		IntegratedValidatorGroups: append(cpGroup, e.IntegratedValidatorGroups...),
+	}
+}