Zoltán Papp 09da089a90 [client] filter CGNAT and CNI addresses from ICE candidates ...

In Kubernetes environments using Cilium or similar CNI plugins, pod
 CIDR addresses (e.g. 100.65.x.x) from the RFC 6598 CGNAT range
 (100.64.0.0/10) were being gathered as valid ICE host candidates.
 This caused WireGuard endpoints to resolve to non-routable pod IPs,
 producing overlay-routed connections with degraded latency instead of
 true P2P paths between hosts.

 Add three layers of defense:
 - Expand the default interface blacklist with common Kubernetes CNI
   interface prefixes (cilium_, lxc, cali, flannel, cni, weave)
 - Filter local and remote ICE candidates whose addresses fall within
   the CGNAT range but outside the NetBird WireGuard network
 - Reject UDP mux writes to CGNAT addresses as a defense-in-depth
   fallback

2026-03-09 16:30:11 +01:00

..

bind

[client] Add IPv6 support to usersace bind (#5147)

2026-01-22 10:20:43 +08:00

bufsize

[client] Add flag to configure MTU (#4213)

2025-08-26 16:00:14 +02:00

configurer

[client] skip UAPI listener in netstack mode (#5397)

2026-02-24 10:35:23 +01:00

device

[client] skip UAPI listener in netstack mode (#5397)

2026-02-24 10:35:23 +01:00

freebsd

[client] Fix freebsd default routes (#3230)

2025-01-23 16:57:11 +01:00

mocks

[client] Implement dns routes for Android (#3989)

2025-07-04 16:43:11 +02:00

netstack

[client] Fix nil pointer panic in device and engine code (#5287)

2026-02-12 09:15:42 +01:00

udpmux

[client] filter CGNAT and CNI addresses from ICE candidates

2026-03-09 16:30:11 +01:00

wgaddr

[client] Use platform-native routing APIs for freeBSD, macOS and Windows

2025-06-04 16:28:58 +02:00

wgproxy

[client] Refactor/optimise raw socket headers (#5174)

2026-01-28 15:06:59 +01:00

device_android.go

[android] allow selection/deselection of network resources on android peers (#4607)

2025-11-21 13:36:33 +01:00

device.go

[client] Add bind activity listener to bypass udp sockets (#4646)

2025-10-16 15:58:29 +02:00

iface_create_android.go

[android] allow selection/deselection of network resources on android peers (#4607)

2025-11-21 13:36:33 +01:00

iface_create_darwin.go

[android] allow selection/deselection of network resources on android peers (#4607)

2025-11-21 13:36:33 +01:00

iface_create.go

[android] allow selection/deselection of network resources on android peers (#4607)

2025-11-21 13:36:33 +01:00

iface_destroy_bsd.go

[client] Refactor/iface pkg (#2646)

2024-10-02 18:24:22 +02:00

iface_destroy_js.go

[client,signal,management] Add browser client support (#4415)

2025-10-01 20:10:11 +02:00

iface_destroy_linux.go

[client] Refactor/iface pkg (#2646)

2024-10-02 18:24:22 +02:00

iface_destroy_mobile.go

[client] Refactor/iface pkg (#2646)

2024-10-02 18:24:22 +02:00

iface_destroy_windows.go

[client] Refactor/iface pkg (#2646)

2024-10-02 18:24:22 +02:00

iface_guid_windows.go

[client] Eliminate UDP proxy in user-space mode (#2712)

2024-10-22 20:53:14 +02:00

iface_new_android.go

[client,signal,management] Add browser client support (#4415)

2025-10-01 20:10:11 +02:00

iface_new_darwin.go

[client,signal,management] Add browser client support (#4415)

2025-10-01 20:10:11 +02:00

iface_new_freebsd.go

[client,signal,management] Add browser client support (#4415)

2025-10-01 20:10:11 +02:00

iface_new_ios.go

[client,signal,management] Add browser client support (#4415)

2025-10-01 20:10:11 +02:00

iface_new_js.go

[client,signal,management] Add browser client support (#4415)

2025-10-01 20:10:11 +02:00

iface_new_linux.go

[client,signal,management] Add browser client support (#4415)

2025-10-01 20:10:11 +02:00

iface_new_windows.go

[client,signal,management] Add browser client support (#4415)

2025-10-01 20:10:11 +02:00

iface_test.go

[client] Use stdnet with a context to avoid DNS deadlocks (#4781)

2025-11-13 20:16:45 +01:00

iface.go

[client] Fix netstack detection and add wireguard port option (#5251)

2026-02-06 10:03:01 +01:00