Viktor Liu
5ba9882fd4
Split IPv6 extension walker case clause into helpers
2026-05-04 12:29:42 +02:00
Viktor Liu
b2d61f3b0b
Use nat table for PREROUTING chain in xtables DNAT fallback
2026-05-04 12:29:14 +02:00
Viktor Liu
6dbe3d82d1
Allow ICMPv6 Parameter Problem through peer ACL
2026-05-04 12:28:53 +02:00
Viktor Liu
63bb85cdf2
Keep v4 NAT rule when v6 mirror fails to preserve partial connectivity
2026-05-04 12:28:36 +02:00
Viktor Liu
e4feefb9a6
Track v4 and v6 invalid-routed block rules so DisableRouting cleans both
2026-05-04 12:28:10 +02:00
Viktor Liu
2a37aca62e
Refresh nftables rule maps only when neither cached map locates the rule
2026-05-04 12:25:34 +02:00
Viktor Liu
adb5df258c
Walk IPv6 extension headers when intercepting ICMPv6 directly
2026-05-04 12:16:39 +02:00
Viktor Liu
5f3aef3198
Validate IP-declared lengths before synthesizing direct ICMP packet
2026-05-04 12:12:45 +02:00
Viktor Liu
bcf006581d
Roll back nftables init via deferred cleanup on any failure
2026-05-04 12:03:05 +02:00
Viktor Liu
006d925d9c
Use family-specific protocol token in iptables AddOutputDNAT
2026-05-04 11:57:18 +02:00
Viktor Liu
d8a5bdab88
Guard MSS clamp precompute against MTU smaller than TCP/IP header overhead
2026-05-04 11:52:16 +02:00
Viktor Liu
5cb82b26c8
Decode ICMP error payload using family-specific minimum length
2026-05-04 11:51:49 +02:00
Viktor Liu
61c64caf69
Skip nftables MSS clamping when MTU is below header overhead
2026-05-04 11:50:38 +02:00
Viktor Liu
0ce2d7406a
Roll back v4 NAT rule when v6 mirror fails in nftables AddNatRule
2026-05-04 11:50:17 +02:00
Viktor Liu
fc34db6db1
Validate ip6tables-save stderr in nftables compatibility test
2026-05-04 11:49:47 +02:00
Viktor Liu
35332d6aa3
Merge remote-tracking branch 'origin/main' into proto-ipv6-overlay
# Conflicts:
# client/firewall/uspfilter/forwarder/endpoint.go
# client/wasm/cmd/main.go
# proxy/cmd/proxy/cmd/debug.go
2026-05-04 11:40:41 +02:00
Viktor Liu
057d651d2e
[client, proxy] Add packet capture to debug bundle and CLI (#5891)
2026-05-04 11:28:56 +02:00
Viktor Liu
e19d0c7d77
Merge branch 'main' into proto-ipv6-overlay
# Conflicts:
# client/firewall/iptables/manager_linux.go
# client/firewall/nftables/manager_linux.go
# client/firewall/nftables/router_linux.go
2026-04-23 11:48:15 +02:00
Viktor Liu
064ec1c832
[client] Trust wg interface in firewalld to bypass owner-flagged chains (#5928)
2026-04-21 17:57:16 +02:00
Viktor Liu
d2aaadbb8c
Replace deprecated iptables --set with --match-set in ACL ipset match
2026-04-20 19:56:45 +02:00
Viktor Liu
cec21034e8
[client] Reconcile external nft accept rules on external changes (#5912)
2026-04-20 10:23:44 +02:00
Viktor Liu
0c9f4706b2
Merge branch 'main' into proto-ipv6-overlay
2026-04-17 05:45:43 +02:00
Viktor Liu
d4c61ed38b
[client] Add mangle FORWARD guard to prevent Docker DNAT bypass of ACL rules (#5697)
2026-04-16 14:02:52 +02:00
Viktor Liu
4eed459f27
[client] Fix DNS resolution with userspace WireGuard and kernel firewall (#5873)
2026-04-13 16:23:57 +02:00
Viktor Liu
4fc910031b
Check chain existence before deleting NAT OUTPUT jump rule
The cleanup path tried to delete the jump rule to NETBIRD-NAT-OUTPUT
unconditionally, producing a noisy debug log when the chain was never
created (common for the v6 router when no OutputDNAT rules exist).
Check ChainExists first, consistent with the chain deletion loop
below.
2026-04-10 13:21:05 +02:00
Viktor Liu
4b298fb53c
Fix legacy dynamic route NAT missing v6 duplicate
The v6 NAT duplication only triggered for DomainSet destinations
(modern DNS path). Legacy dynamic routes use a 0.0.0.0/0 prefix
destination, so the v6 NAT rule was never created.
Add a Dynamic field to RouterPair so the firewall manager can
distinguish dynamic routes from exit nodes (both use /0 prefixes).
Set it from route.IsDynamic() in routeToRouterPair and propagate
through GetInversePair. Both nftables and iptables managers check
pair.Dynamic instead of destination shape.
Also accumulate errors in RemoveNatRule so v6 cleanup is attempted
even if v4 removal fails.
2026-04-10 13:09:15 +02:00
Viktor Liu
567f36b07e
Fix legacy dynamic route NAT missing v6 duplicate
The legacy DNS resolver path creates NAT pairs with destination
0.0.0.0/0 (a prefix, not a DomainSet). The v6 NAT duplication only
triggered for DomainSets, so legacy dynamic routes never got a v6
NAT rule.
Extract NeedsV6NATDuplicate and ToV6NatPair helpers that detect both
DomainSets and the v4 default wildcard 0.0.0.0/0. Both nftables and
iptables managers now use these for Add/RemoveNatRule, ensuring v6
NAT duplication works for both modern and legacy DNS resolver paths.
2026-04-10 12:59:35 +02:00
Viktor Liu
2f5d9fc0cd
Add IPv6 dispatch for OutputDNAT, fix v6 guard pattern, rename DNAT params
- Add IPv6 router dispatch to AddOutputDNAT/RemoveOutputDNAT in both
nftables and iptables managers (was hardcoded to v4 router only).
- Fix all DNAT and AddDNATRule dispatch methods to check Is6() first,
then error with ErrIPv6NotInitialized if v6 components are missing.
Previously the hasIPv6() && Is6() pattern silently fell through to
the v4 router for v6 addresses when v6 was not initialized.
- Add ErrIPv6NotInitialized sentinel error, replace all ad-hoc
"IPv6 not initialized" format strings across both managers.
- Rename sourcePort/targetPort to originalPort/translatedPort in all
DNAT method signatures to reflect actual DNAT semantics.
- Remove stale "localAddr must be IPv4" comments from interface.
2026-04-10 12:32:41 +02:00
Viktor Liu
456298864c
Merge remote-tracking branch 'origin/main' into proto-ipv6-overlay
# Conflicts:
# client/firewall/iptables/manager_linux.go
# client/firewall/nftables/manager_linux.go
2026-04-10 06:51:49 +02:00
Viktor Liu
d2cdc0efec
[client] Use native firewall for peer ACLs in userspace WireGuard mode (#5668)
2026-04-10 09:12:13 +08:00
Viktor Liu
f484835292
Use net.JoinHostPort and net.SplitHostPort for IPv6-safe host:port handling (#5836)
2026-04-10 09:10:57 +08:00
Viktor Liu
1c4e5e71d7
[client] Add IPv6 support to ACL manager, USP filter, and forwarder (#5688)
2026-04-09 10:56:08 +02:00
Viktor Liu
cb73b94ffb
[client] Add TCP DNS support for local listener (#5758)
2026-04-08 07:40:36 +02:00
Viktor Liu
bb85eee40a
[client] Skip down interfaces in network address collection for posture checks (#5768)
2026-04-07 17:56:48 +02:00
Viktor Liu
b9462f5c6b
[client] Make raw table initialization non-fatal in firewall managers (#5621)
2026-03-19 17:33:38 +01:00
Zoltan Papp
1c934cca64
Ignore false lint alert (#5370)
2026-02-17 16:07:35 +01:00
Pascal Fischer
f53155562f
[management, reverse proxy] Add reverse proxy feature (#5291)
* implement reverse proxy
---------
Co-authored-by: Alisdair MacLeod <git@alisdairmacleod.co.uk>
Co-authored-by: mlsmaycon <mlsmaycon@gmail.com>
Co-authored-by: Eduard Gert <kontakt@eduardgert.de>
Co-authored-by: Viktor Liu <viktor@netbird.io>
Co-authored-by: Diego Noguês <diego.sure@gmail.com>
Co-authored-by: Diego Noguês <49420+diegocn@users.noreply.github.com>
Co-authored-by: Bethuel Mmbaga <bethuelmbaga12@gmail.com>
Co-authored-by: Zoltan Papp <zoltan.pmail@gmail.com>
Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>
2026-02-13 19:37:43 +01:00
Viktor Liu
3dfa97dcbd
[client] Fix stale entries in nftables with no handle (#5272)
2026-02-12 09:15:57 +01:00
Viktor Liu
391221a986
[client] Fix uspfilter duplicate firewall rules (#5269)
2026-02-09 10:14:02 +01:00
Viktor Liu
d4f7df271a
[client] Don't track ebpf traffic in conntrack (#5166)
2026-01-27 11:04:23 +01:00
Viktor Liu
0ad0c81899
[client] Reorder userspace ACL checks to fail faster for better performance (#4226)
2026-01-09 09:13:04 +01:00
Viktor Liu
e8863fbb55
[client] Add non-root ICMP support to userspace firewall forwarder (#4792)
2026-01-09 02:53:37 +08:00
Zoltan Papp
9c9d8e17d7
Revert "Revert "[relay] Update GO version and QUIC version (#4736)" (#5055)" (#5071)
This reverts commit 24df442198.
2026-01-08 18:58:22 +01:00
Maycon Santos
24df442198
Revert "[relay] Update GO version and QUIC version (#4736)" (#5055)
This reverts commit 8722b79799.
2026-01-07 19:02:20 +01:00
Zoltan Papp
8722b79799
[relay] Update GO version and QUIC version (#4736)
- Go 1.25.5
- QUIC 0.55.0
2026-01-07 16:30:29 +01:00
Nicolas Henneaux
d88e046d00
fix(router): nft tables limit number of peers source (#4852)
* fix(router): nft tables limit number of peers source batching them, failing at 3277 prefixes on nftables v1.0.9 with Ubuntu 24.04.3 LTS, 6.14.0-35-generic #35~24.04.1-Ubuntu
* fix(router): nft tables limit number of prefixes on ipSet creation
2025-12-30 10:48:17 +01:00
Viktor Liu
9bdc4908fb
[client] Passthrough all non-NetBird chains to prevent them from dropping NetBird traffic (#4899)
2025-12-04 19:16:38 +01:00
Viktor Liu
131d7a3694
[client] Make mss clamping optional for nftables (#4843)
2025-11-22 18:57:07 +01:00
Viktor Liu
d71a82769c
[client,management] Rewrite the SSH feature (#4015)
2025-11-17 17:10:41 +01:00
Viktor Liu
e4b41d0ad7
[client] Replace ipset lib (#4777)
* Replace ipset lib
* Update .github/workflows/check-license-dependencies.yml
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
* Ignore internal licenses
* Ignore dependencies from AGPL code
* Use exported errors
* Use fixed version
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2025-11-14 00:25:00 +01:00