[client] Add stateful userspace firewall and remove egress filters #9110
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Test Code Linux | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| build-cache: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: "1.23.x" | |
| cache: false | |
| - name: Get Go environment | |
| run: | | |
| echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV | |
| echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV | |
| - name: Cache Go modules | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: | | |
| ${{ env.cache }} | |
| ${{ env.modcache }} | |
| key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }} | |
| - name: Install dependencies | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev | |
| - name: Install 32-bit libpcap | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386 | |
| - name: Build client | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| working-directory: client | |
| run: CGO_ENABLED=1 go build . | |
| - name: Build client 386 | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| working-directory: client | |
| run: CGO_ENABLED=1 GOARCH=386 go build -o client-386 . | |
| - name: Build management | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| working-directory: management | |
| run: CGO_ENABLED=1 go build . | |
| - name: Build management 386 | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| working-directory: management | |
| run: CGO_ENABLED=1 GOARCH=386 go build -o management-386 . | |
| - name: Build signal | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| working-directory: signal | |
| run: CGO_ENABLED=1 go build . | |
| - name: Build signal 386 | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| working-directory: signal | |
| run: CGO_ENABLED=1 GOARCH=386 go build -o signal-386 . | |
| - name: Build relay | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| working-directory: relay | |
| run: CGO_ENABLED=1 go build . | |
| - name: Build relay 386 | |
| if: steps.cache.outputs.cache-hit != 'true' | |
| working-directory: relay | |
| run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 . | |
| test: | |
| needs: [build-cache] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: [ '386','amd64' ] | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: "1.23.x" | |
| cache: false | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Get Go environment | |
| run: | | |
| echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV | |
| echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV | |
| - name: Cache Go modules | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| ${{ env.cache }} | |
| ${{ env.modcache }} | |
| key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-gotest-cache- | |
| - name: Install dependencies | |
| run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev | |
| - name: Install 32-bit libpcap | |
| if: matrix.arch == '386' | |
| run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386 | |
| - name: Install modules | |
| run: go mod tidy | |
| - name: check git status | |
| run: git --no-pager diff --exit-code | |
| - name: Test | |
| run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v /management) | |
| test_management: | |
| needs: [ build-cache ] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: [ '386','amd64' ] | |
| store: [ 'sqlite', 'postgres'] | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: "1.23.x" | |
| cache: false | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Get Go environment | |
| run: | | |
| echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV | |
| echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV | |
| - name: Cache Go modules | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| ${{ env.cache }} | |
| ${{ env.modcache }} | |
| key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-gotest-cache- | |
| - name: Install dependencies | |
| run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev | |
| - name: Install 32-bit libpcap | |
| if: matrix.arch == '386' | |
| run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386 | |
| - name: Install modules | |
| run: go mod tidy | |
| - name: check git status | |
| run: git --no-pager diff --exit-code | |
| - name: Test | |
| run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 10m $(go list ./... | grep /management) | |
| benchmark: | |
| needs: [ build-cache ] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: [ '386','amd64' ] | |
| store: [ 'sqlite', 'postgres' ] | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: "1.23.x" | |
| cache: false | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Get Go environment | |
| run: | | |
| echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV | |
| echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV | |
| - name: Cache Go modules | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| ${{ env.cache }} | |
| ${{ env.modcache }} | |
| key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-gotest-cache- | |
| - name: Install dependencies | |
| run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev | |
| - name: Install 32-bit libpcap | |
| if: matrix.arch == '386' | |
| run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386 | |
| - name: Install modules | |
| run: go mod tidy | |
| - name: check git status | |
| run: git --no-pager diff --exit-code | |
| - name: Test | |
| run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -run=^$ -bench=. -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 10m -p 1 ./... | |
| test_client_on_docker: | |
| needs: [ build-cache ] | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Install Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: "1.23.x" | |
| cache: false | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Get Go environment | |
| run: | | |
| echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV | |
| echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV | |
| - name: Cache Go modules | |
| uses: actions/cache/restore@v4 | |
| with: | |
| path: | | |
| ${{ env.cache }} | |
| ${{ env.modcache }} | |
| key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-gotest-cache- | |
| - name: Install dependencies | |
| run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev | |
| - name: Install modules | |
| run: go mod tidy | |
| - name: check git status | |
| run: git --no-pager diff --exit-code | |
| - name: Generate Shared Sock Test bin | |
| run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock | |
| - name: Generate RouteManager Test bin | |
| run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin ./client/internal/routemanager | |
| - name: Generate SystemOps Test bin | |
| run: CGO_ENABLED=1 go test -c -o systemops-testing.bin -tags netgo -ldflags '-w -extldflags "-static -ldbus-1 -lpcap"' ./client/internal/routemanager/systemops | |
| - name: Generate nftables Manager Test bin | |
| run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/... | |
| - name: Generate Engine Test bin | |
| run: CGO_ENABLED=1 go test -c -o engine-testing.bin ./client/internal | |
| - name: Generate Peer Test bin | |
| run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/ | |
| - run: chmod +x *testing.bin | |
| - name: Run Shared Sock tests in docker | |
| run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/sharedsock --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/sharedsock-testing.bin -test.timeout 5m -test.parallel 1 | |
| - name: Run Iface tests in docker | |
| run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/netbird -v /tmp/cache:/tmp/cache -v /tmp/modcache:/tmp/modcache -w /netbird -e GOCACHE=/tmp/cache -e GOMODCACHE=/tmp/modcache -e CGO_ENABLED=0 golang:1.23-alpine go test -test.timeout 5m -test.parallel 1 ./client/iface/... | |
| - name: Run RouteManager tests in docker | |
| run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin -test.timeout 5m -test.parallel 1 | |
| - name: Run SystemOps tests in docker | |
| run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager/systemops --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/systemops-testing.bin -test.timeout 5m -test.parallel 1 | |
| - name: Run nftables Manager tests in docker | |
| run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/firewall --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/nftablesmanager-testing.bin -test.timeout 5m -test.parallel 1 | |
| - name: Run Engine tests in docker with file store | |
| run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="jsonfile" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin -test.timeout 5m -test.parallel 1 | |
| - name: Run Engine tests in docker with sqlite store | |
| run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="sqlite" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin -test.timeout 5m -test.parallel 1 | |
| - name: Run Peer tests in docker | |
| run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin -test.timeout 5m -test.parallel 1 |