-
-
Notifications
You must be signed in to change notification settings - Fork 556
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[management] Account different policy rules for route firewall rules #2939
[management] Account different policy rules for route firewall rules #2939
Conversation
This change ensures that route firewall rules will consider source group peers in the rules generation for access control policies. This fixes the behavior where multiple policies with different levels of access was being applied to all peers in a distribution group
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copilot reviewed 2 out of 2 changed files in this pull request and generated no suggestions.
Comments skipped due to low confidence (2)
management/server/route.go:454
- The check 'if pID == peerID' might be incorrect if the intention is to include the current peer in some cases. Verify if this is the intended behavior.
if pID == peerID {
management/server/route.go:422
- The iteration over 'route.AccessControlGroups' twice in the 'getPeerRoutesFirewallRules' function might be redundant. Ensure that this is necessary.
for _, accessGroup := range route.AccessControlGroups {
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should add a few more test cases, maybe in a follow-up PR
- peers in multiple source groups of the same policy
- peer in both source and access control group
- empty groups
Co-authored-by: Viktor Liu <[email protected]>
Quality Gate passedIssues Measures |
…te_change * upstream/main: (55 commits) [client] Account different policiy rules for routes firewall rules (netbirdio#2939) Add guide when signing key is not found (netbirdio#2942) [tests] Enable benchmark tests on github actions (netbirdio#2961) [management] Add performance test for login and sync calls (netbirdio#2960) [management] refactor to use account object instead of separate db calls for peer update (netbirdio#2957) [client] Code cleaning in net pkg and fix exit node feature on Android(netbirdio#2932) [management] Refactor nameserver groups to use store methods (netbirdio#2888) [management] Refactor DNS settings to use store methods (netbirdio#2883) [management] Refactor policy to use store methods (netbirdio#2878) [management] Refactor posture check to use store methods (netbirdio#2874) [client] Allow routing to fallback to exclusion routes if rules are not supported (netbirdio#2909) [client] Set up sysctl and routing table name only if routing rules are available (netbirdio#2933) [client] Test nftables for incompatible iptables rules (netbirdio#2948) [client] Don't return error in userspace mode without firewall (netbirdio#2924) Import time package (netbirdio#2940) [misc] Renew slack link (netbirdio#2938) [relay] Refactor initial Relay connection (netbirdio#2800) [management] Fix getSetupKey call (netbirdio#2927) [client] Fix allow netbird rule verdict (netbirdio#2925) [management] Add activity events to group propagation flow (netbirdio#2916) ...
Describe your changes
This fixes the behavior where multiple policies with different access levels were applied to all distribution group peers.
Now, we ensure that route firewall rules generation will consider source group peers of access control policies and apply rules to peers from these groups. Peers from the distribution group that don't belong to any source group will have their traffic dropped.
This will change behavior for existing and valid policies benefiting from this flaw.
Issue ticket number and link
Checklist