Add IPv6 support to SSH server, client config, and netflow logger

client/internal/netflow/conntrack/conntrack.go

@@ -188,7 +188,7 @@ func (c *ConnTrack) handleEvent(event nfct.Event) {
 	case nftypes.TCP, nftypes.UDP, nftypes.SCTP:
 		srcPort = flow.TupleOrig.Proto.SourcePort
 		dstPort = flow.TupleOrig.Proto.DestinationPort
-	case nftypes.ICMP:
+	case nftypes.ICMP, nftypes.ICMPv6:
 		icmpType = flow.TupleOrig.Proto.ICMPType
 		icmpCode = flow.TupleOrig.Proto.ICMPCode
 	}
@@ -231,8 +231,14 @@ func (c *ConnTrack) relevantFlow(mark uint32, srcIP, dstIP netip.Addr) bool {
 	}
 
 	// fallback if mark rules are not in place
-	wgnet := c.iface.Address().Network
-	return wgnet.Contains(srcIP) || wgnet.Contains(dstIP)
+	addr := c.iface.Address()
+	if addr.Network.Contains(srcIP) || addr.Network.Contains(dstIP) {
+		return true
+	}
+	if addr.IPv6Net.IsValid() {
+		return addr.IPv6Net.Contains(srcIP) || addr.IPv6Net.Contains(dstIP)
+	}
+	return false
 }
 
 // mapRxPackets maps packet counts to RX based on flow direction
@@ -291,17 +297,16 @@ func (c *ConnTrack) inferDirection(mark uint32, srcIP, dstIP netip.Addr) nftypes
 	}
 
 	// fallback if marks are not set
-	wgaddr := c.iface.Address().IP
-	wgnetwork := c.iface.Address().Network
+	addr := c.iface.Address()
 	switch {
-	case wgaddr == srcIP:
+	case addr.IP == srcIP || (addr.IPv6.IsValid() && addr.IPv6 == srcIP):
 		return nftypes.Egress
-	case wgaddr == dstIP:
+	case addr.IP == dstIP || (addr.IPv6.IsValid() && addr.IPv6 == dstIP):
 		return nftypes.Ingress
-	case wgnetwork.Contains(srcIP):
+	case addr.Network.Contains(srcIP) || (addr.IPv6Net.IsValid() && addr.IPv6Net.Contains(srcIP)):
 		// netbird network -> resource network
 		return nftypes.Ingress
-	case wgnetwork.Contains(dstIP):
+	case addr.Network.Contains(dstIP) || (addr.IPv6Net.IsValid() && addr.IPv6Net.Contains(dstIP)):
 		// resource network -> netbird network
 		return nftypes.Egress
 	}

client/internal/netflow/logger/logger.go

@@ -24,15 +24,17 @@ type Logger struct {
 	cancel             context.CancelFunc
 	statusRecorder     *peer.Status
 	wgIfaceNet         netip.Prefix
+	wgIfaceNetV6       netip.Prefix
 	dnsCollection      atomic.Bool
 	exitNodeCollection atomic.Bool
 	Store              types.Store
 }
 
-func New(statusRecorder *peer.Status, wgIfaceIPNet netip.Prefix) *Logger {
+func New(statusRecorder *peer.Status, wgIfaceIPNet, wgIfaceIPNetV6 netip.Prefix) *Logger {
 	return &Logger{
 		statusRecorder: statusRecorder,
 		wgIfaceNet:     wgIfaceIPNet,
+		wgIfaceNetV6:   wgIfaceIPNetV6,
 		Store:          store.NewMemoryStore(),
 	}
 }
@@ -88,11 +90,11 @@ func (l *Logger) startReceiver() {
 			var isSrcExitNode bool
 			var isDestExitNode bool
 
-			if !l.wgIfaceNet.Contains(event.SourceIP) {
+			if !l.isOverlayIP(event.SourceIP) {
 				event.SourceResourceID, isSrcExitNode = l.statusRecorder.CheckRoutes(event.SourceIP)
 			}
 
-			if !l.wgIfaceNet.Contains(event.DestIP) {
+			if !l.isOverlayIP(event.DestIP) {
 				event.DestResourceID, isDestExitNode = l.statusRecorder.CheckRoutes(event.DestIP)
 			}
 
@@ -136,6 +138,10 @@ func (l *Logger) UpdateConfig(dnsCollection, exitNodeCollection bool) {
 	l.exitNodeCollection.Store(exitNodeCollection)
 }
 
+func (l *Logger) isOverlayIP(ip netip.Addr) bool {
+	return l.wgIfaceNet.Contains(ip) || (l.wgIfaceNetV6.IsValid() && l.wgIfaceNetV6.Contains(ip))
+}
+
 func (l *Logger) shouldStore(event *types.EventFields, isExitNode bool) bool {
 	// check dns collection
 	if !l.dnsCollection.Load() && event.Protocol == types.UDP &&

client/internal/netflow/logger/logger_test.go

@@ -12,7 +12,7 @@ import (
 )
 
 func TestStore(t *testing.T) {
-	logger := logger.New(nil, netip.Prefix{})
+	logger := logger.New(nil, netip.Prefix{}, netip.Prefix{})
 	logger.Enable()
 
 	event := types.EventFields{

client/internal/netflow/manager.go

@@ -35,11 +35,12 @@ type Manager struct {
 
 // NewManager creates a new netflow manager
 func NewManager(iface nftypes.IFaceMapper, publicKey []byte, statusRecorder *peer.Status) *Manager {
-	var prefix netip.Prefix
+	var prefix, prefixV6 netip.Prefix
 	if iface != nil {
 		prefix = iface.Address().Network
+		prefixV6 = iface.Address().IPv6Net
 	}
-	flowLogger := logger.New(statusRecorder, prefix)
+	flowLogger := logger.New(statusRecorder, prefix, prefixV6)
 
 	var ct nftypes.ConnTracker
 	if runtime.GOOS == "linux" && iface != nil && !iface.IsUserspaceBind() {
@@ -269,7 +270,7 @@ func toProtoEvent(publicKey []byte, event *nftypes.Event) *proto.FlowEvent {
 		},
 	}
 
-	if event.Protocol == nftypes.ICMP {
+	if event.Protocol == nftypes.ICMP || event.Protocol == nftypes.ICMPv6 {
 		protoEvent.FlowFields.ConnectionInfo = &proto.FlowFields_IcmpInfo{
 			IcmpInfo: &proto.ICMPInfo{
 				IcmpType: uint32(event.ICMPType),

client/internal/netflow/types/types.go

@@ -19,6 +19,7 @@ const (
 	ICMP            = Protocol(1)
 	TCP             = Protocol(6)
 	UDP             = Protocol(17)
+	ICMPv6          = Protocol(58)
 	SCTP            = Protocol(132)
 )
 
@@ -30,6 +31,8 @@ func (p Protocol) String() string {
 		return "TCP"
 	case 17:
 		return "UDP"
+	case 58:
+		return "ICMPv6"
 	case 132:
 		return "SCTP"
 	default: