
[client] Add experimental support for userspace routing #3134

Open
wants to merge 45 commits into main

Conversation

lixmal
Contributor

@lixmal lixmal commented Dec 31, 2024

Describe your changes

  • Implements userspace packet routing for all operating systems
  • Option to use the native firewall if it supports routing (= previous behavior on Linux hosts in userspace)
  • Enables local traffic handling in netstack mode by forwarding packets to localhost
  • Adds route ACLs for forwarded traffic
  • Removes the inbound allow rule for non-netbird (= routed) return traffic, relying instead on connection tracking
  • Distinguishes between local and forwarded traffic based on interface IP address bitmap
  • Adds logger for connection trackers
  • Adds packet tracer

New environment variables:

NB_DISABLE_USERSPACE_ROUTING: Disables userspace routing
NB_FORCE_NATIVE_ROUTER: Forces use of native OS routing
NB_FORCE_USERSPACE_ROUTER: Forces use of userspace routing even if native OS routing is available

New flow

```mermaid
flowchart TB
    Start([Inbound Packet]) --> StatefulEnabled{Stateful Enabled?}

    StatefulEnabled -->|Yes| TrackedConn{Matches Tracked Connection?}
    TrackedConn -->|Yes| Accept1[Accept Packet]
    TrackedConn -->|No| LocalIP

    StatefulEnabled -->|No| LocalIP{Is Local IP?}

    LocalIP -->|Yes| PeerACL{Peer ACLs Allow?}
    PeerACL -->|Yes| NetstackMode{Netstack Mode?}
    PeerACL -->|No| Drop1[Drop Packet]

    NetstackMode -->|Yes| ForwardLocal[Forward to Local Stack]
    NetstackMode -->|No| Accept2[Accept Packet]

    LocalIP -->|No| RoutingEnabled{Routing Enabled?}
    RoutingEnabled -->|No| Drop2[Drop Packet]
    RoutingEnabled -->|Yes| NativeRouter{Native Router?}

    NativeRouter -->|Yes| Accept3[Accept Packet]
    NativeRouter -->|No| RouteACLs{Route ACLs Allow?}

    RouteACLs -->|Yes| Forward[Pass to Forwarder]
    RouteACLs -->|No| Drop3[Drop Packet]
```

Example tracer output:

```
$ netbird debug trace in 100.64.31.206 1.1.1.1 -p tcp --dport 80

Packet trace 100.64.31.206:54435 -> 1.1.1.1:80 (TCP)

Received: Received TCP packet: 100.64.31.206:54435 -> 1.1.1.1:80
Connection Tracking: No existing connection found
Routing: Routing enabled, checking ACLs
Route ACL: Allowed by route ACLs
Forwarding: Forwarding to proxy-remote [proxy-remote to 1.1.1.1:80]
Completed: Processing completed

Final disposition: ALLOWED
```

Issue ticket number and link

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)
  • Extended the README / documentation, if necessary
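
The inbound decision flow from the description above, as an added Go example that is not NetBird's own code: `Packet`, `Config` and `Decide` are constructed stand-ins for the real types, the `LocalIPs` map stands in for the interface IP bitmap, and the trace strings imitate the `netbird debug trace` output so each verdict can be explained stage by stage.

```go
package main
import "net/netip"

// Packet and Config are constructed stand-ins for the PR's types; every name here is an assumption.
type Packet struct{ Src, Dst netip.AddrPort; Proto string }
type Config struct {
	Stateful, NetstackMode, RoutingEnabled, NativeRouter bool
	LocalIPs                                             map[netip.Addr]bool // stand-in for the interface IP bitmap
	Tracked, PeerACLAllows, RouteACLAllows               func(Packet) bool   // conntrack and ACL lookups
}

// Decide walks the inbound flowchart and returns the disposition plus one trace line per stage.
func Decide(cfg Config, p Packet) (string, []string) {
	trace := []string{"Received: " + p.Proto + " packet " + p.Src.String() + " -> " + p.Dst.String()}
	step := func(s string) { trace = append(trace, s) }
	if cfg.Stateful { // tracked return traffic is accepted before any ACL is consulted
		if cfg.Tracked(p) {
			step("Connection Tracking: Matched existing connection")
			return "ALLOWED", trace
		}
		step("Connection Tracking: No existing connection found")
	}
	if cfg.LocalIPs[p.Dst.Addr()] { // local traffic: peer ACLs decide
		if !cfg.PeerACLAllows(p) {
			step("Peer ACL: Denied by peer ACLs")
			return "DROPPED", trace
		}
		step("Peer ACL: Allowed by peer ACLs")
		if cfg.NetstackMode {
			step("Netstack: Forwarding to local stack")
			return "FORWARDED_LOCAL", trace
		}
		return "ALLOWED", trace
	}
	if !cfg.RoutingEnabled { // forwarded traffic needs routing enabled
		step("Routing: Routing disabled")
		return "DROPPED", trace
	}
	if cfg.NativeRouter { // native OS router takes over; route ACLs are not applied here
		step("Routing: Accepted for native router")
		return "ALLOWED", trace
	}
	step("Routing: Routing enabled, checking ACLs")
	if !cfg.RouteACLAllows(p) {
		step("Route ACL: Denied by route ACLs")
		return "DROPPED", trace
	}
	step("Route ACL: Allowed by route ACLs")
	return "FORWARDED", trace
}
```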

@netbirdio netbirdio deleted a comment from Silex Jan 3, 2025
@lixmal lixmal marked this pull request as ready for review January 3, 2025 16:23

sonarqubecloud bot commented Jan 7, 2025
