[client, management] Add port forwarding (#3275)

Add initial support to ingress ports on the client code. - new types where added - new protocol messages and controller
2026-04-18 08:16:39 +00:00 · 2025-03-09 16:06:43 +01:00
parent ae6b61301c
commit fc1da94520
84 changed files with 4471 additions and 1196 deletions
--- a/client/firewall/uspfilter/rule.go
+++ b/client/firewall/uspfilter/rule.go
@@ -24,8 +24,8 @@ type PeerRule struct {
 	udpHook func([]byte) bool
 }

-// GetRuleID returns the rule id
-func (r *PeerRule) GetRuleID() string {
+// ID returns the rule id
+func (r *PeerRule) ID() string {
 	return r.id
 }

@@ -39,7 +39,7 @@ type RouteRule struct {
 	action      firewall.Action
 }

-// GetRuleID returns the rule id
-func (r *RouteRule) GetRuleID() string {
+// ID returns the rule id
+func (r *RouteRule) ID() string {
 	return r.id
 }
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -42,6 +42,8 @@ const (
 	EnvEnableNetstackLocalForwarding = "NB_ENABLE_NETSTACK_LOCAL_FORWARDING"
 )

+var errNatNotSupported = errors.New("nat not supported with userspace firewall")
+
 // RuleSet is a set of rules grouped by a string key
 type RuleSet map[string]PeerRule

@@ -437,7 +439,7 @@ func (m *Manager) DeleteRouteRule(rule firewall.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

-	ruleID := rule.GetRuleID()
+	ruleID := rule.ID()
 	idx := slices.IndexFunc(m.routeRules, func(r RouteRule) bool {
 		return r.id == ruleID
 	})
@@ -478,6 +480,22 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }

+// AddDNATRule adds a DNAT rule
+func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
+	if m.nativeFirewall == nil {
+		return nil, errNatNotSupported
+	}
+	return m.nativeFirewall.AddDNATRule(rule)
+}
+
+// DeleteDNATRule deletes a DNAT rule
+func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
+	if m.nativeFirewall == nil {
+		return errNatNotSupported
+	}
+	return m.nativeFirewall.DeleteDNATRule(rule)
+}
+
 // DropOutgoing filter outgoing packets
 func (m *Manager) DropOutgoing(packetData []byte) bool {
 	return m.processOutgoingHooks(packetData)
--- a/client/firewall/uspfilter/uspfilter_test.go
+++ b/client/firewall/uspfilter/uspfilter_test.go
@@ -135,7 +135,7 @@ func TestManagerDeleteRule(t *testing.T) {
 	}

 	for _, r := range rule2 {
-		if _, ok := m.incomingRules[ip.String()][r.GetRuleID()]; !ok {
+		if _, ok := m.incomingRules[ip.String()][r.ID()]; !ok {
 			t.Errorf("rule2 is not in the incomingRules")
 		}
 	}
@@ -149,7 +149,7 @@ func TestManagerDeleteRule(t *testing.T) {
 	}

 	for _, r := range rule2 {
-		if _, ok := m.incomingRules[ip.String()][r.GetRuleID()]; ok {
+		if _, ok := m.incomingRules[ip.String()][r.ID()]; ok {
 			t.Errorf("rule2 is not in the incomingRules")
 		}
 	}