Fix routes allow acl rule (#940)

Modify rules in iptables and nftables to accept all traffic not from netbird network but routed through it.
2026-04-18 16:26:38 +00:00 · 2023-06-07 17:24:27 +04:00
parent 93608ae163
commit ef59001459
9 changed files with 245 additions and 39 deletions
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -14,9 +14,10 @@ import (
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 )

-// iFaceMapper defines subset methods of interface required for manager
-type iFaceMapper interface {
+// IFaceMapper defines subset methods of interface required for manager
+type IFaceMapper interface {
 	Name() string
+	Address() iface.WGAddress
 	IsUserspaceBind() bool
 	SetFiltering(iface.PacketFilter) error
 }
--- a/client/internal/acl/manager_create.go
+++ b/client/internal/acl/manager_create.go
@@ -11,7 +11,7 @@ import (
 )

 // Create creates a firewall manager instance
-func Create(iface iFaceMapper) (manager *DefaultManager, err error) {
+func Create(iface IFaceMapper) (manager *DefaultManager, err error) {
 	if iface.IsUserspaceBind() {
 		// use userspace packet filtering firewall
 		fm, err := uspfilter.Create(iface)
--- a/client/internal/acl/manager_create_linux.go
+++ b/client/internal/acl/manager_create_linux.go
@@ -10,7 +10,7 @@ import (
 )

 // Create creates a firewall manager instance for the Linux
-func Create(iface iFaceMapper) (manager *DefaultManager, err error) {
+func Create(iface IFaceMapper) (manager *DefaultManager, err error) {
 	var fm firewall.Manager
 	if iface.IsUserspaceBind() {
 		// use userspace packet filtering firewall
@@ -19,10 +19,10 @@ func Create(iface iFaceMapper) (manager *DefaultManager, err error) {
 			return nil, err
 		}
 	} else {
-		if fm, err = nftables.Create(iface.Name()); err != nil {
+		if fm, err = nftables.Create(iface); err != nil {
 			log.Debugf("failed to create nftables manager: %s", err)
 			// fallback to iptables
-			if fm, err = iptables.Create(iface.Name()); err != nil {
+			if fm, err = iptables.Create(iface); err != nil {
 				log.Errorf("failed to create iptables manager: %s", err)
 				return nil, err
 			}
--- a/client/internal/acl/mocks/README.md
+++ b/client/internal/acl/mocks/README.md
@@ -0,0 +1,7 @@
+## Mocks
+
+To generate (or refresh) mocks from acl package please install [mockgen](https://github.com/golang/mock).
+Run this command from the `./client/internal/acl` folder to update iface mapper interface mock:
+```bash
+mockgen -destination mocks/iface_mapper.go -package mocks . IFaceMapper
+```
--- a/client/internal/acl/mocks/iface_mapper.go
+++ b/client/internal/acl/mocks/iface_mapper.go
@@ -34,6 +34,20 @@ func (m *MockIFaceMapper) EXPECT() *MockIFaceMapperMockRecorder {
 	return m.recorder
 }

+// Address mocks base method.
+func (m *MockIFaceMapper) Address() iface.WGAddress {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Address")
+	ret0, _ := ret[0].(iface.WGAddress)
+	return ret0
+}
+
+// Address indicates an expected call of Address.
+func (mr *MockIFaceMapperMockRecorder) Address() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Address", reflect.TypeOf((*MockIFaceMapper)(nil).Address))
+}
+
 // IsUserspaceBind mocks base method.
 func (m *MockIFaceMapper) IsUserspaceBind() bool {
 	m.ctrl.T.Helper()