
[management] Account different policy rules for route firewall rules #2939

Merged 4 commits into main from fix/enforce-network-firewall-rules-based-on-sources on Nov 29, 2024

Conversation

mlsmaycon (Collaborator)

Describe your changes

This fixes the behavior where multiple policies with different access levels were applied to all distribution group peers.

Now, we ensure that route firewall rules generation will consider source group peers of access control policies and apply rules to peers from these groups. Peers from the distribution group that don't belong to any source group will have their traffic dropped.

This will change behavior for existing and valid policies benefiting from this flaw.

Issue ticket number and link

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)
  • Extended the README / documentation, if necessary

This change ensures that route firewall rules will consider source group peers in the rules generation for access control policies.

This fixes the behavior where multiple policies with different levels of access were being applied to all peers in a distribution group.
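As an added illustration of the rule generation the description above asks for (this is not code from the PR or from netbird's codebase): a simplified Go model in which a route carries distribution groups and access-control groups, policies map source groups to destination groups, and every distribution-group peer ends up with an "accept" rule only if a policy targeting one of the route's access-control groups lists it as a source, and a "drop" rule otherwise. The `groups` map, the `Policy` and `Route` types and `routeFirewallRules` are hypothetical.

```go
package main

// Constructed, simplified model for illustration; not netbird's own types.
type Policy struct {
	Sources      []string // source group IDs whose peers may reach the destination
	Destinations []string // destination group IDs, matched against the route's access-control groups
}

type Route struct {
	Network             string
	DistributionGroups  []string // groups whose peers receive the route
	AccessControlGroups []string // groups that policies target to grant access to the network
}

// routeFirewallRules maps every distribution-group peer to the action of its rule
// on the routing peer: "accept" when the peer is in a source group of a policy
// whose destinations include one of the route's access-control groups, "drop"
// otherwise. Missing groups count as empty; a peer in several groups gets one entry.
func routeFirewallRules(groups map[string][]string, route Route, policies []Policy) map[string]string {
	acl := map[string]bool{}
	for _, g := range route.AccessControlGroups {
		acl[g] = true
	}
	allowed := map[string]bool{}
	for _, p := range policies {
		applies := false
		for _, d := range p.Destinations {
			applies = applies || acl[d]
		}
		if !applies {
			continue // policy does not target this route's access-control groups
		}
		for _, src := range p.Sources {
			for _, peer := range groups[src] {
				allowed[peer] = true
			}
		}
	}
	rules := map[string]string{}
	for _, dg := range route.DistributionGroups {
		for _, peer := range groups[dg] {
			rules[peer] = "drop" // not covered by any policy source group
			if allowed[peer] {
				rules[peer] = "accept"
			}
		}
	}
	return rules
}
```

A peer that is in the distribution group but in no source group of a matching policy is what the old behavior let through and what this model drops; a policy whose destinations do not include the route's access-control groups contributes nothing, even if its sources overlap the distribution group.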


Copilot reviewed 2 out of 2 changed files in this pull request and generated no suggestions.

Comments skipped due to low confidence (2)

management/server/route.go:454

  • The check 'if pID == peerID' might be incorrect if the intention is to include the current peer in some cases. Verify if this is the intended behavior.
if pID == peerID {

management/server/route.go:422

  • The iteration over 'route.AccessControlGroups' twice in the 'getPeerRoutesFirewallRules' function might be redundant. Ensure that this is necessary.
for _, accessGroup := range route.AccessControlGroups {
@mlsmaycon mlsmaycon changed the title [client] Account different policies rules for routes firewall rules [client] Account different policiy rules for routes firewall rules Nov 28, 2024
lixmal (Contributor) previously approved these changes Nov 29, 2024 and left a comment:


We should add a few more test cases, maybe in a follow-up PR

  • peers in multiple source groups of the same policy
  • peer in both source and access control group
  • empty groups

management/server/route.go (outdated review thread, resolved)
Co-authored-by: Viktor Liu <17948409+lixmal@users.noreply.github.com>
@mlsmaycon mlsmaycon merged commit f9723c9 into main Nov 29, 2024
25 checks passed
@mlsmaycon mlsmaycon deleted the fix/enforce-network-firewall-rules-based-on-sources branch November 29, 2024 16:50
hurricanehrndz added a commit to hurricanehrndz/netbird that referenced this pull request Nov 29, 2024
…te_change

* upstream/main: (55 commits)
  [client] Account different policiy rules for routes firewall rules (netbirdio#2939)
  Add guide when signing key is not found (netbirdio#2942)
  [tests] Enable benchmark tests on github actions (netbirdio#2961)
  [management] Add performance test for login and sync calls (netbirdio#2960)
  [management] refactor to use account object instead of separate db calls for peer update (netbirdio#2957)
  [client] Code cleaning in net pkg and fix exit node feature on Android(netbirdio#2932)
  [management] Refactor nameserver groups to use store methods (netbirdio#2888)
  [management] Refactor DNS settings to use store methods (netbirdio#2883)
  [management] Refactor policy to use store methods (netbirdio#2878)
  [management] Refactor posture check to use store methods (netbirdio#2874)
  [client] Allow routing to fallback to exclusion routes if rules are not supported (netbirdio#2909)
  [client] Set up sysctl and routing table name only if routing rules are available (netbirdio#2933)
  [client] Test nftables for incompatible iptables rules (netbirdio#2948)
  [client] Don't return error in userspace mode without firewall (netbirdio#2924)
  Import time package (netbirdio#2940)
  [misc] Renew slack link (netbirdio#2938)
  [relay] Refactor initial Relay connection (netbirdio#2800)
  [management] Fix getSetupKey call (netbirdio#2927)
  [client] Fix allow netbird rule verdict (netbirdio#2925)
  [management] Add activity events to group propagation flow (netbirdio#2916)
  ...
@mlsmaycon mlsmaycon changed the title [client] Account different policiy rules for routes firewall rules [management] Account different policy rules for route firewall rules Dec 4, 2024
2 participants