Merge branch 'main' into cleanup-firewall

netbirdio · Oct 24, 2024 · 6fe6a90 · 6fe6a90
2 parents 248f5e1 + 869537c
commit 6fe6a90
Show file tree

Hide file tree

Showing 102 changed files with 4,873 additions and 993 deletions.
diff --git a/.github/workflows/golang-test-linux.yml b/.github/workflows/golang-test-linux.yml
@@ -49,7 +49,7 @@ jobs:
         run: git --no-pager diff --exit-code
 
       - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 6m -p 1 ./...
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 10m -p 1 ./...
 
   test_client_on_docker:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
       - name: codespell
         uses: codespell-project/actions-codespell@v2
         with:
-          ignore_words_list: erro,clienta,hastable,iif
+          ignore_words_list: erro,clienta,hastable,iif,groupd
           skip: go.mod,go.sum
           only_warn: 1
   golangci:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.14"
+  SIGN_PIPE_VER: "v0.0.16"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "Wiretrustee UG (haftungsbeschreankt)"
@@ -223,4 +223,4 @@ jobs:
           repo: netbirdio/sign-pipelines
           ref: ${{ env.SIGN_PIPE_VER }}
           token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
+          inputs: '{ "tag": "${{ github.ref }}", "skipRelease": false }'
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -96,6 +96,9 @@ builds:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
 
+universal_binaries:
+  - id: netbird
+
 archives:
   - builds:
       - netbird

diff --git a/.goreleaser_ui_darwin.yaml b/.goreleaser_ui_darwin.yaml
@@ -23,6 +23,9 @@ builds:
     tags:
       - load_wgnt_from_rsrc
 
+universal_binaries:
+  - id: netbird-ui-darwin
+
 archives:
   - builds:
       - netbird-ui-darwin

diff --git a/client/firewall/iptables/router_linux.go b/client/firewall/iptables/router_linux.go
@@ -482,10 +482,12 @@ func (r *router) updateState() {
 
 func genRuleSpec(jump string, source, destination netip.Prefix, intf string, inverse bool) []string {
 	intdir := "-i"
+	lointdir := "-o"
 	if inverse {
 		intdir = "-o"
+		lointdir = "-i"
 	}
-	return []string{intdir, intf, "-s", source.String(), "-d", destination.String(), "-j", jump}
+	return []string{intdir, intf, "!", lointdir, "lo", "-s", source.String(), "-d", destination.String(), "-j", jump}
 }
 
 func genRouteFilteringRuleSpec(params routeFilteringRuleParams) []string {

diff --git a/client/firewall/nftables/router_linux.go b/client/firewall/nftables/router_linux.go
@@ -423,11 +423,15 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 	destExp := generateCIDRMatcherExpressions(false, pair.Destination)
 
 	dir := expr.MetaKeyIIFNAME
+	notDir := expr.MetaKeyOIFNAME
 	if pair.Inverse {
 		dir = expr.MetaKeyOIFNAME
+		notDir = expr.MetaKeyIIFNAME
 	}
 
+	lo := ifname("lo")
 	intf := ifname(r.wgIface.Name())
+
 	exprs := []expr.Any{
 		&expr.Meta{
 			Key:      dir,
@@ -438,6 +442,17 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 			Register: 1,
 			Data:     intf,
 		},
+
+		// We need to exclude the loopback interface as this changes the ebpf proxy port
+		&expr.Meta{
+			Key:      notDir,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpNeq,
+			Register: 1,
+			Data:     lo,
+		},
 	}
 
 	exprs = append(exprs, sourceExp...)

diff --git a/client/firewall/nftables/router_linux_test.go b/client/firewall/nftables/router_linux_test.go
@@ -69,6 +69,12 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 						Register: 1,
 						Data:     ifname(ifaceMock.Name()),
 					},
+					&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
+					&expr.Cmp{
+						Op:       expr.CmpOpNeq,
+						Register: 1,
+						Data:     ifname("lo"),
+					},
 				)
 
 				natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair)
@@ -97,6 +103,12 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 						Register: 1,
 						Data:     ifname(ifaceMock.Name()),
 					},
+					&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+					&expr.Cmp{
+						Op:       expr.CmpOpNeq,
+						Register: 1,
+						Data:     ifname("lo"),
+					},
 				)
 
 				inNatRuleKey := firewall.GenKey(firewall.NatFormat, firewall.GetInversePair(testCase.InputPair))

diff --git a/client/firewall/nftables/state.go b/client/firewall/nftables/state.go
@@ -0,0 +1 @@
+package nftables
diff --git a/client/iface/bind/bind.go b/client/iface/bind/bind.go
diff --git a/client/iface/bind/endpoint.go b/client/iface/bind/endpoint.go
@@ -0,0 +1,5 @@
+package bind
+
+import wgConn "golang.zx2c4.com/wireguard/conn"
+
+type Endpoint = wgConn.StdNetEndpoint