Evaluate all applied posture checks on source peers only

Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
Evaluate all applied posture checks once
2026-06-01 21:49:56 +00:00 · 2024-12-27 23:28:34 +03:00 · 2024-12-27 22:12:47 +03:00 · 2024-12-27 21:49:28 +03:00 · 2024-12-27 14:13:36 +01:00 · 2024-12-27 14:39:34 +03:00
10 changed files with 139 additions and 87 deletions
--- a/client/firewall/uspfilter/conntrack/common.go
+++ b/client/firewall/uspfilter/conntrack/common.go
@@ -10,7 +10,6 @@ import (

 // BaseConnTrack provides common fields and locking for all connection types
 type BaseConnTrack struct {
-	sync.RWMutex
 	SourceIP    net.IP
 	DestIP      net.IP
 	SourcePort  uint16
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -62,6 +62,7 @@ type TCPConnKey struct {
 type TCPConnTrack struct {
 	BaseConnTrack
 	State TCPState
+	sync.RWMutex
 }

 // TCPTracker manages TCP connection states
@@ -131,36 +132,8 @@ func (t *TCPTracker) IsValidInbound(srcIP net.IP, dstIP net.IP, srcPort uint16,
 		return false
 	}

-	// Handle new SYN packets
-	if flags&TCPSyn != 0 && flags&TCPAck == 0 {
-		key := makeConnKey(dstIP, srcIP, dstPort, srcPort)
-		t.mutex.Lock()
-		if _, exists := t.connections[key]; !exists {
-			// Use preallocated IPs
-			srcIPCopy := t.ipPool.Get()
-			dstIPCopy := t.ipPool.Get()
-			copyIP(srcIPCopy, dstIP)
-			copyIP(dstIPCopy, srcIP)
-
-			conn := &TCPConnTrack{
-				BaseConnTrack: BaseConnTrack{
-					SourceIP:   srcIPCopy,
-					DestIP:     dstIPCopy,
-					SourcePort: dstPort,
-					DestPort:   srcPort,
-				},
-				State: TCPStateSynReceived,
-			}
-			conn.lastSeen.Store(time.Now().UnixNano())
-			conn.established.Store(false)
-			t.connections[key] = conn
-		}
-		t.mutex.Unlock()
-		return true
-	}
-
-	// Look up existing connection
 	key := makeConnKey(dstIP, srcIP, dstPort, srcPort)
+
 	t.mutex.RLock()
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
@@ -172,8 +145,7 @@ func (t *TCPTracker) IsValidInbound(srcIP net.IP, dstIP net.IP, srcPort uint16,
 	// Handle RST packets
 	if flags&TCPRst != 0 {
 		conn.Lock()
-		isEstablished := conn.IsEstablished()
-		if isEstablished || conn.State == TCPStateSynSent || conn.State == TCPStateSynReceived {
+		if conn.IsEstablished() || conn.State == TCPStateSynSent || conn.State == TCPStateSynReceived {
 			conn.State = TCPStateClosed
 			conn.SetEstablished(false)
 			conn.Unlock()
@@ -183,7 +155,6 @@ func (t *TCPTracker) IsValidInbound(srcIP net.IP, dstIP net.IP, srcPort uint16,
 		return false
 	}

-	// Update state
 	conn.Lock()
 	t.updateState(conn, flags, false)
 	conn.UpdateLastSeen()
@@ -306,6 +277,11 @@ func (t *TCPTracker) isValidStateForFlags(state TCPState, flags uint8) bool {
 		return flags&TCPFin != 0 || flags&TCPAck != 0
 	case TCPStateLastAck:
 		return flags&TCPAck != 0
+	case TCPStateClosed:
+		// Accept retransmitted ACKs in closed state
+		// This is important because the final ACK might be lost
+		// and the peer will retransmit their FIN-ACK
+		return flags&TCPAck != 0
 	}
 	return false
 }
--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -125,11 +125,8 @@ func TestTCPStateMachine(t *testing.T) {
 					valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst)
 					require.True(t, valid, "RST should be allowed for established connection")

-					// Verify connection is closed
-					valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck)
-					t.Helper()
-
-					require.False(t, valid, "Data should be blocked after RST")
+					// Connection is logically dead but we don't enforce blocking subsequent packets
+					// The connection will be cleaned up by timeout
 				},
 			},
 			{
--- a/client/server/debug.go
+++ b/client/server/debug.go
@@ -139,10 +139,6 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 	s.mutex.Lock()
 	defer s.mutex.Unlock()

-	if s.logFile == "console" {
-		return nil, fmt.Errorf("log file is set to console, cannot create debug bundle")
-	}
-
 	bundlePath, err := os.CreateTemp("", "netbird.debug.*.zip")
 	if err != nil {
 		return nil, fmt.Errorf("create zip file: %w", err)
@@ -185,17 +181,7 @@ func (s *Server) createArchive(bundlePath *os.File, req *proto.DebugBundleReques
 	}

 	if req.GetSystemInfo() {
-		if err := s.addRoutes(req, anonymizer, archive); err != nil {
-			log.Errorf("Failed to add routes to debug bundle: %v", err)
-		}
-
-		if err := s.addInterfaces(req, anonymizer, archive); err != nil {
-			log.Errorf("Failed to add interfaces to debug bundle: %v", err)
-		}
-
-		if err := s.addFirewallRules(req, anonymizer, archive); err != nil {
-			log.Errorf("Failed to add firewall rules to debug bundle: %v", err)
-		}
+		s.addSystemInfo(req, anonymizer, archive)
 	}

 	if err := s.addNetworkMap(req, anonymizer, archive); err != nil {
@@ -206,8 +192,10 @@ func (s *Server) createArchive(bundlePath *os.File, req *proto.DebugBundleReques
 		log.Errorf("Failed to add state file to debug bundle: %v", err)
 	}

-	if err := s.addLogfile(req, anonymizer, archive); err != nil {
-		return fmt.Errorf("add log file: %w", err)
+	if s.logFile != "console" {
+		if err := s.addLogfile(req, anonymizer, archive); err != nil {
+			return fmt.Errorf("add log file: %w", err)
+		}
 	}

 	if err := archive.Close(); err != nil {
@@ -216,6 +204,20 @@ func (s *Server) createArchive(bundlePath *os.File, req *proto.DebugBundleReques
 	return nil
 }

+func (s *Server) addSystemInfo(req *proto.DebugBundleRequest, anonymizer *anonymize.Anonymizer, archive *zip.Writer) {
+	if err := s.addRoutes(req, anonymizer, archive); err != nil {
+		log.Errorf("Failed to add routes to debug bundle: %v", err)
+	}
+
+	if err := s.addInterfaces(req, anonymizer, archive); err != nil {
+		log.Errorf("Failed to add interfaces to debug bundle: %v", err)
+	}
+
+	if err := s.addFirewallRules(req, anonymizer, archive); err != nil {
+		log.Errorf("Failed to add firewall rules to debug bundle: %v", err)
+	}
+}
+
 func (s *Server) addReadme(req *proto.DebugBundleRequest, archive *zip.Writer) error {
 	if req.GetAnonymize() {
 		readmeReader := strings.NewReader(readmeContent)
--- a/management/server/group.go
+++ b/management/server/group.go
@@ -474,6 +474,10 @@ func validateDeleteGroup(ctx context.Context, transaction store.Store, group *ty
 		return status.Errorf(status.InvalidArgument, "deleting group ALL is not allowed")
 	}

+	if len(group.Resources) > 0 {
+		return &GroupLinkError{"network resource", group.Resources[0].ID}
+	}
+
 	if isLinked, linkedRoute := isGroupLinkedToRoute(ctx, transaction, group.AccountID, group.ID); isLinked {
 		return &GroupLinkError{"route", string(linkedRoute.NetID)}
 	}
@@ -529,7 +533,10 @@ func isGroupLinkedToRoute(ctx context.Context, transaction store.Store, accountI
 	}

 	for _, r := range routes {
-		if slices.Contains(r.Groups, groupID) || slices.Contains(r.PeerGroups, groupID) {
+		isLinked := slices.Contains(r.Groups, groupID) ||
+			slices.Contains(r.PeerGroups, groupID) ||
+			slices.Contains(r.AccessControlGroups, groupID)
+		if isLinked {
 			return true, r
 		}
 	}
--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -725,10 +725,6 @@ components:
    PolicyRuleMinimum:
      type: object
      properties:
-        id:
-          description: Policy rule ID
-          type: string
-          example: ch8i4ug6lnn4g9hqv7mg
        name:
          description: Policy rule name identifier
          type: string
@@ -790,6 +786,31 @@ components:
        - end

    PolicyRuleUpdate:
+      allOf:
+        - $ref: '#/components/schemas/PolicyRuleMinimum'
+        - type: object
+          properties:
+            id:
+              description: Policy rule ID
+              type: string
+              example: ch8i4ug6lnn4g9hqv7mg
+            sources:
+              description: Policy rule source group IDs
+              type: array
+              items:
+                type: string
+                example: "ch8i4ug6lnn4g9hqv797"
+            destinations:
+              description: Policy rule destination group IDs
+              type: array
+              items:
+                type: string
+                example: "ch8i4ug6lnn4g9h7v7m0"
+          required:
+            - sources
+            - destinations
+
+    PolicyRuleCreate:
      allOf:
        - $ref: '#/components/schemas/PolicyRuleMinimum'
        - type: object
@@ -817,6 +838,10 @@ components:
        - $ref: '#/components/schemas/PolicyRuleMinimum'
        - type: object
          properties:
+            id:
+              description: Policy rule ID
+              type: string
+              example: ch8i4ug6lnn4g9hqv7mg
            sources:
              description: Policy rule source group IDs
              type: array
@@ -836,10 +861,6 @@ components:
    PolicyMinimum:
      type: object
      properties:
-        id:
-          description: Policy ID
-          type: string
-          example: ch8i4ug6lnn4g9hqv7mg
        name:
          description: Policy name identifier
          type: string
@@ -854,7 +875,6 @@ components:
          example: true
      required:
        - name
-        - description
        - enabled
    PolicyUpdate:
      allOf:
@@ -874,11 +894,33 @@ components:
                $ref: '#/components/schemas/PolicyRuleUpdate'
          required:
            - rules
+    PolicyCreate:
+      allOf:
+        - $ref: '#/components/schemas/PolicyMinimum'
+        - type: object
+          properties:
+            source_posture_checks:
+              description: Posture checks ID's applied to policy source groups
+              type: array
+              items:
+                type: string
+                example: "chacdk86lnnboviihd70"
+            rules:
+              description: Policy rule object for policy UI editor
+              type: array
+              items:
+                $ref: '#/components/schemas/PolicyRuleUpdate'
+          required:
+            - rules
    Policy:
      allOf:
        - $ref: '#/components/schemas/PolicyMinimum'
        - type: object
          properties:
+            id:
+              description: Policy ID
+              type: string
+              example: ch8i4ug6lnn4g9hqv7mg
            source_posture_checks:
              description: Posture checks ID's applied to policy source groups
              type: array
@@ -2463,7 +2505,7 @@ paths:
        content:
          'application/json':
            schema:
-              $ref: '#/components/schemas/PolicyUpdate'
+              $ref: '#/components/schemas/PolicyCreate'
      responses:
        '200':
          description: A Policy object
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -879,7 +879,7 @@ type PersonalAccessTokenRequest struct {
 // Policy defines model for Policy.
 type Policy struct {
 	// Description Policy friendly description
-	Description string `json:"description"`
+	Description *string `json:"description,omitempty"`

 	// Enabled Policy status
 	Enabled bool `json:"enabled"`
@@ -897,16 +897,31 @@ type Policy struct {
 	SourcePostureChecks []string `json:"source_posture_checks"`
 }

-// PolicyMinimum defines model for PolicyMinimum.
-type PolicyMinimum struct {
+// PolicyCreate defines model for PolicyCreate.
+type PolicyCreate struct {
 	// Description Policy friendly description
-	Description string `json:"description"`
+	Description *string `json:"description,omitempty"`

 	// Enabled Policy status
 	Enabled bool `json:"enabled"`

-	// Id Policy ID
-	Id *string `json:"id,omitempty"`
+	// Name Policy name identifier
+	Name string `json:"name"`
+
+	// Rules Policy rule object for policy UI editor
+	Rules []PolicyRuleUpdate `json:"rules"`
+
+	// SourcePostureChecks Posture checks ID's applied to policy source groups
+	SourcePostureChecks *[]string `json:"source_posture_checks,omitempty"`
+}
+
+// PolicyMinimum defines model for PolicyMinimum.
+type PolicyMinimum struct {
+	// Description Policy friendly description
+	Description *string `json:"description,omitempty"`
+
+	// Enabled Policy status
+	Enabled bool `json:"enabled"`

 	// Name Policy name identifier
 	Name string `json:"name"`
@@ -970,9 +985,6 @@ type PolicyRuleMinimum struct {
 	// Enabled Policy rule status
 	Enabled bool `json:"enabled"`

-	// Id Policy rule ID
-	Id *string `json:"id,omitempty"`
-
 	// Name Policy rule name identifier
 	Name string `json:"name"`

@@ -1039,14 +1051,11 @@ type PolicyRuleUpdateProtocol string
 // PolicyUpdate defines model for PolicyUpdate.
 type PolicyUpdate struct {
 	// Description Policy friendly description
-	Description string `json:"description"`
+	Description *string `json:"description,omitempty"`

 	// Enabled Policy status
 	Enabled bool `json:"enabled"`

-	// Id Policy ID
-	Id *string `json:"id,omitempty"`
-
 	// Name Policy name identifier
 	Name string `json:"name"`

@@ -1473,7 +1482,7 @@ type PutApiPeersPeerIdJSONRequestBody = PeerRequest
 type PostApiPoliciesJSONRequestBody = PolicyUpdate

 // PutApiPoliciesPolicyIdJSONRequestBody defines body for PutApiPoliciesPolicyId for application/json ContentType.
-type PutApiPoliciesPolicyIdJSONRequestBody = PolicyUpdate
+type PutApiPoliciesPolicyIdJSONRequestBody = PolicyCreate

 // PostApiPostureChecksJSONRequestBody defines body for PostApiPostureChecks for application/json ContentType.
 type PostApiPostureChecksJSONRequestBody = PostureCheckUpdate
--- a/management/server/http/handlers/policies/policies_handler.go
+++ b/management/server/http/handlers/policies/policies_handler.go
@@ -133,16 +133,21 @@ func (h *handler) savePolicy(w http.ResponseWriter, r *http.Request, accountID s
 		return
 	}

+	description := ""
+	if req.Description != nil {
+		description = *req.Description
+	}
+
 	policy := &types.Policy{
 		ID:          policyID,
 		AccountID:   accountID,
 		Name:        req.Name,
 		Enabled:     req.Enabled,
-		Description: req.Description,
+		Description: description,
 	}
 	for _, rule := range req.Rules {
 		var ruleID string
-		if rule.Id != nil {
+		if rule.Id != nil && policyID != "" {
 			ruleID = *rule.Id
 		}

@@ -370,7 +375,7 @@ func toPolicyResponse(groups []*types.Group, policy *types.Policy) *api.Policy {
 	ap := &api.Policy{
 		Id:                  &policy.ID,
 		Name:                policy.Name,
-		Description:         policy.Description,
+		Description:         &policy.Description,
 		Enabled:             policy.Enabled,
 		SourcePostureChecks: policy.SourcePostureChecks,
 	}
--- a/management/server/http/handlers/policies/policies_handler_test.go
+++ b/management/server/http/handlers/policies/policies_handler_test.go
@@ -154,6 +154,7 @@ func TestPoliciesGetPolicy(t *testing.T) {

 func TestPoliciesWritePolicy(t *testing.T) {
 	str := func(s string) *string { return &s }
+	emptyString := ""
 	tt := []struct {
 		name           string
 		expectedStatus int
@@ -184,8 +185,9 @@ func TestPoliciesWritePolicy(t *testing.T) {
 			expectedStatus: http.StatusOK,
 			expectedBody:   true,
 			expectedPolicy: &api.Policy{
-				Id:   str("id-was-set"),
-				Name: "Default POSTed Policy",
+				Id:          str("id-was-set"),
+				Name:        "Default POSTed Policy",
+				Description: &emptyString,
 				Rules: []api.PolicyRule{
 					{
 						Id:            str("id-was-set"),
@@ -232,8 +234,9 @@ func TestPoliciesWritePolicy(t *testing.T) {
 			expectedStatus: http.StatusOK,
 			expectedBody:   true,
 			expectedPolicy: &api.Policy{
-				Id:   str("id-existed"),
-				Name: "Default POSTed Policy",
+				Id:          str("id-existed"),
+				Name:        "Default POSTed Policy",
+				Description: &emptyString,
 				Rules: []api.PolicyRule{
 					{
 						Id:            str("id-existed"),
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -1319,6 +1319,18 @@ func (a *Account) GetNetworkResourcesRoutesToSync(ctx context.Context, peerID st
 			}
 		}

+		if !addSourcePeers {
+			var peerPostureChecks []string
+			for _, policy := range resourcePolicies[resource.ID] {
+				peerPostureChecks = append(peerPostureChecks, policy.SourcePostureChecks...)
+			}
+
+			isValid := a.validatePostureChecksOnPeer(ctx, peerPostureChecks, peerID)
+			if !isValid {
+				continue
+			}
+		}
+
 		for _, policy := range resourcePolicies[resource.ID] {
 			for _, sourceGroup := range policy.SourceGroups() {
 				group := a.GetGroup(sourceGroup)
Author	SHA1	Message	Date
bcmmbaga	feb8e90ae1	Evaluate all applied posture checks on source peers only Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2024-12-27 23:28:34 +03:00
bcmmbaga	076d6d8a87	Evaluate all applied posture checks once Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2024-12-27 22:12:47 +03:00
bcmmbaga	c8c25221bd	Apply policy posture checks on peer Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2024-12-27 21:49:28 +03:00
Pascal Fischer	fbce8bb511	[management] remove ids from policy creation api (#2997 )	2024-12-27 14:13:36 +01:00
Bethuel Mmbaga	445b626dc8	[management] Add missing group usage checks for network resources and routes access control (#3117 ) * Prevent deletion of groups linked to routes access control groups Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * Prevent deletion of groups linked to network resource Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> --------- Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2024-12-27 14:39:34 +03:00
Viktor Liu	b3c87cb5d1	[client] Fix inbound tracking in userspace firewall (#3111 ) * Don't create state for inbound SYN * Allow final ack in some cases * Relax state machine test a little	2024-12-26 00:51:27 +01:00
Viktor Liu	0dbaddc7be	[client] Don't fail debug if log file is console (#3103 )	2024-12-24 15:05:23 +01:00