Add IPv6 support to SSH server, client config, and netflow logger

2026-04-22 18:26:41 +00:00 · 2026-03-24 12:06:58 +01:00
parent 71962f88f8
commit d81cd5d154
10 changed files with 136 additions and 44 deletions
--- a/client/ssh/config/manager.go
+++ b/client/ssh/config/manager.go
@@ -3,6 +3,7 @@ package config
 import (
 	"context"
 	"fmt"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -91,7 +92,8 @@ type Manager struct {
 // PeerSSHInfo represents a peer's SSH configuration information
 type PeerSSHInfo struct {
 	Hostname string
-	IP       string
+	IP       netip.Addr
+	IPv6     netip.Addr
 	FQDN     string
 }

@@ -211,8 +213,11 @@ func (m *Manager) buildPeerConfig(allHostPatterns []string) (string, error) {

 func (m *Manager) buildHostPatterns(peer PeerSSHInfo) []string {
 	var hostPatterns []string
-	if peer.IP != "" {
-		hostPatterns = append(hostPatterns, peer.IP)
+	if peer.IP.IsValid() {
+		hostPatterns = append(hostPatterns, peer.IP.String())
+	}
+	if peer.IPv6.IsValid() {
+		hostPatterns = append(hostPatterns, peer.IPv6.String())
 	}
 	if peer.FQDN != "" {
 		hostPatterns = append(hostPatterns, peer.FQDN)
--- a/client/ssh/config/manager_test.go
+++ b/client/ssh/config/manager_test.go
@@ -2,6 +2,7 @@ package config

 import (
 	"fmt"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -28,12 +29,12 @@ func TestManager_SetupSSHClientConfig(t *testing.T) {
 	peers := []PeerSSHInfo{
 		{
 			Hostname: "peer1",
-			IP:       "100.125.1.1",
+			IP:       netip.MustParseAddr("100.125.1.1"),
 			FQDN:     "peer1.nb.internal",
 		},
 		{
 			Hostname: "peer2",
-			IP:       "100.125.1.2",
+			IP:       netip.MustParseAddr("100.125.1.2"),
 			FQDN:     "peer2.nb.internal",
 		},
 	}
@@ -101,7 +102,7 @@ func TestManager_PeerLimit(t *testing.T) {
 	for i := 0; i < MaxPeersForSSHConfig+10; i++ {
 		peers = append(peers, PeerSSHInfo{
 			Hostname: fmt.Sprintf("peer%d", i),
-			IP:       fmt.Sprintf("100.125.1.%d", i%254+1),
+			IP:       netip.MustParseAddr(fmt.Sprintf("100.125.1.%d", i%254+1)),
 			FQDN:     fmt.Sprintf("peer%d.nb.internal", i),
 		})
 	}
@@ -136,7 +137,7 @@ func TestManager_ForcedSSHConfig(t *testing.T) {
 	for i := 0; i < MaxPeersForSSHConfig+10; i++ {
 		peers = append(peers, PeerSSHInfo{
 			Hostname: fmt.Sprintf("peer%d", i),
-			IP:       fmt.Sprintf("100.125.1.%d", i%254+1),
+			IP:       netip.MustParseAddr(fmt.Sprintf("100.125.1.%d", i%254+1)),
 			FQDN:     fmt.Sprintf("peer%d.nb.internal", i),
 		})
 	}
--- a/client/ssh/server/server.go
+++ b/client/ssh/server/server.go
@@ -137,10 +137,11 @@ type sessionState struct {
 }

 type Server struct {
-	sshServer  *ssh.Server
-	listener   net.Listener
-	mu         sync.RWMutex
-	hostKeyPEM []byte
+	sshServer      *ssh.Server
+	listener       net.Listener
+	extraListeners []net.Listener
+	mu             sync.RWMutex
+	hostKeyPEM     []byte

 	// sessions tracks active SSH sessions (shell, command, SFTP).
 	// These are created when a client opens a session channel and requests shell/exec/subsystem.
@@ -254,6 +255,35 @@ func (s *Server) Start(ctx context.Context, addr netip.AddrPort) error {
 	return nil
 }

+// AddListener starts serving SSH on an additional address (e.g. IPv6).
+// Must be called after Start.
+func (s *Server) AddListener(ctx context.Context, addr netip.AddrPort) error {
+	s.mu.Lock()
+	srv := s.sshServer
+	if srv == nil {
+		s.mu.Unlock()
+		return errors.New("SSH server is not running")
+	}
+
+	ln, addrDesc, err := s.createListener(ctx, addr)
+	if err != nil {
+		s.mu.Unlock()
+		return fmt.Errorf("create listener: %w", err)
+	}
+
+	s.extraListeners = append(s.extraListeners, ln)
+	s.mu.Unlock()
+
+	log.Infof("SSH server also listening on %s", addrDesc)
+
+	go func() {
+		if err := srv.Serve(ln); err != nil && !errors.Is(err, ssh.ErrServerClosed) {
+			log.Errorf("SSH server error on %s: %v", addrDesc, err)
+		}
+	}()
+	return nil
+}
+
 func (s *Server) createListener(ctx context.Context, addr netip.AddrPort) (net.Listener, string, error) {
 	if s.netstackNet != nil {
 		ln, err := s.netstackNet.ListenTCPAddrPort(addr)
@@ -294,6 +324,13 @@ func (s *Server) Stop() error {
 		log.Debugf("close SSH server: %v", err)
 	}

+	for _, ln := range s.extraListeners {
+		if err := ln.Close(); err != nil {
+			log.Debugf("close extra SSH listener: %v", err)
+		}
+	}
+	s.extraListeners = nil
+
 	s.sshServer = nil
 	s.listener = nil

@@ -746,11 +783,10 @@ func (s *Server) findSessionKeyByContext(ctx ssh.Context) sessionKey {

 func (s *Server) connectionValidator(_ ssh.Context, conn net.Conn) net.Conn {
 	s.mu.RLock()
-	netbirdNetwork := s.wgAddress.Network
-	localIP := s.wgAddress.IP
+	wgAddr := s.wgAddress
 	s.mu.RUnlock()

-	if !netbirdNetwork.IsValid() || !localIP.IsValid() {
+	if !wgAddr.Network.IsValid() || !wgAddr.IP.IsValid() {
 		return conn
 	}

@@ -766,14 +802,17 @@ func (s *Server) connectionValidator(_ ssh.Context, conn net.Conn) net.Conn {
 		log.Warnf("SSH connection rejected: invalid remote IP %s", tcpAddr.IP)
 		return nil
 	}
+	remoteIP = remoteIP.Unmap()

 	// Block connections from our own IP (prevent local apps from connecting to ourselves)
-	if remoteIP == localIP {
+	if remoteIP == wgAddr.IP || wgAddr.IPv6.IsValid() && remoteIP == wgAddr.IPv6 {
 		log.Warnf("SSH connection rejected from own IP %s", remoteIP)
 		return nil
 	}

-	if !netbirdNetwork.Contains(remoteIP) {
+	inV4 := wgAddr.Network.Contains(remoteIP)
+	inV6 := wgAddr.IPv6Net.IsValid() && wgAddr.IPv6Net.Contains(remoteIP)
+	if !inV4 && !inV6 {
 		log.Warnf("SSH connection rejected from non-NetBird IP %s", remoteIP)
 		return nil
 	}