Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat linux firewall support #805

Merged
merged 39 commits into from May 29, 2023
Merged

Feat linux firewall support #805

merged 39 commits into from May 29, 2023

Conversation

gigovich
Copy link
Contributor

Describe your changes

Update the client's engine to apply firewall rules received from the manager (results of ACL policy).

Issue ticket number and link

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)
  • Extended the README / documentation, if necessary

mlsmaycon
mlsmaycon reviewed Apr 13, 2023
View reviewed changes
Copy link
Collaborator

@mlsmaycon mlsmaycon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added some comments to check after PRs 804 and 799 are merged

client/firewall/iptables/manager_linux.go Outdated Show resolved Hide resolved
client/firewall/iptables/manager_linux.go Show resolved Hide resolved
client/internal/engine.go Outdated Show resolved Hide resolved
management/proto/management.proto Show resolved Hide resolved
@gigovich gigovich force-pushed the feat-linux-firewall-support branch 3 times, most recently from 9e3613b to b480eff Compare April 24, 2023 09:52
@gigovich gigovich force-pushed the feat-linux-firewall-support branch from 6774765 to 16c3f1a Compare April 24, 2023 13:02
gigovich added 25 commits May 3, 2023 16:43
@gigovich
Initial implementation of the firewall common manager for client.
cd38ad3
@gigovich
Add test for iptables firewall manager
f3adf3d
@gigovich
Use arch suffix to build iptables manager
d74907d
@gigovich
Use string types in the Rule as ID
d80de85
@gigovich
Update protocol to add FirewallRule
6caf55a
@gigovich
Add logic layer for the ACL firewall rules management.
4f41069
@gigovich
Fix non-port based rules processing. Add rules clean up call.
e9b0fa0
@gigovich
Fix direction for firewall rule
d0ab9b5
@gigovich
Refactor protocol handling for firewall rules, add engine tests
66b1b8f
@gigovich
Fix docker build
6c26b16
@gigovich
Add default firewall rules and fix tests in the github flow.
f3b43fa
@gigovich
Fix Codacity notes
5342153
@gigovich
Remove default protocol for migrated rules policy
beae9d1
@gigovich
Fix test after rebase
c26f3dd
@gigovich
Feat upgrade management api policy (#799)
8dadca8 
Refactor API of the policy management. Improve handling firewall rules in the client.
@gigovich
Feat firewall controller nftables (#804)
f68768b 
nftables firewall manager for the client.
@gigovich
Fix merge issue
217946c
@gigovich
Drop Rego use manual code to calculate network map (#820)
93ab6b5 
Remove Rego as policy manager
@gigovich
Handle 'all' protocol in firewall managers
678d9f7
@gigovich
Fix nftables default policy and action apply
1fe3c45
@gigovich
Fix firewall rule delete for nftables
1a9bb1c
@gigovich
Fix client nftables firewall tests
1d28fbc
@gigovich
Refactor, extract ACL manager as separate module to manage firewall r…
f147759 
…ules
@gigovich
Fix tests after refactoring
ecb0a51
@gigovich
Fix test other OS
ce7821a
@gigovich gigovich force-pushed the feat-linux-firewall-support branch from bbd8fe7 to 091c1c5 Compare May 3, 2023 14:58
pappz
pappz previously requested changes May 5, 2023
View reviewed changes
client/internal/acl/manager.go Outdated Show resolved Hide resolved
gigovich and others added 12 commits May 18, 2023 12:37
@gigovich
Userspace packet filtering (#836)
776198f 
Userspace packet filtering
@gigovich
Add policy validation during update. Stop update policies from rules. (
629e535 
…#871)
@gigovich @mlsmaycon
Fix already migrated from rules policies (#881)
08f8ec4 
* Fix already migrated from rules policies

* fix lint comment

---------

Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>
@mlsmaycon
Refactor rule direction and rename methods with in/out directions (#883)
9e774ba 
* Use enum in proto and in out directions

renamed test object IDs making more readable

* Refactor rule direction and rename methods with in/out directions

use RW mutex for device wrapper

decoupled manager grpc protocol parsers

extracted add rule calls

Added unknown action and protocol consts

* exit on proto all, fixed rw mutex locks

renamed filter methods and port checks

* add performance tests for nftables and iptables

fix failed tests

* limit create performance test to 1000 and add uspfilter test
@mlsmaycon
remove default ping rule
0283b0e
@mlsmaycon
Remove unused peer id from firewall proto message (#885)
9e39a03 
* Remove unused peer id from firewall proto message

* fix failing tests
@gigovich
Merge remote-tracking branch 'upstream/main' into feat-linux-firewall…
f5f8c02 
…-support
@gigovich
Feat linux firewall support fix async (#891)
c55c645 
 Use sync pool of decoders to handle async filtering
@braginini
Merge remote-tracking branch 'origin/main' into feat-linux-firewall-s…
f9d79e0 
…upport

# Conflicts:
#	go.mod
#	go.sum
#	iface/tun_windows.go
#	management/server/http/api/openapi.yml
#	management/server/http/api/types.gen.go
@braginini
Fix merge conflicts
083a8c7
@braginini
Fix go mod
330bbb6
@braginini
Fix policies API
5d02999
@braginini braginini self-requested a review May 29, 2023 13:59
@braginini braginini merged commit ba7a39a into main May 29, 2023
12 checks passed
@braginini braginini deleted the feat-linux-firewall-support branch May 29, 2023 14:00
pulsastrix pushed a commit to pulsastrix/netbird that referenced this pull request Dec 24, 2023
@gigovich
Feat linux firewall support (netbirdio#805)
1930a51 
Update the client's engine to apply firewall rules received from the manager (results of ACL policy).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mlsmaycon mlsmaycon mlsmaycon left review comments

@braginini braginini braginini approved these changes

@pappz pappz pappz left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@gigovich @braginini @mlsmaycon @pappz