[client] Replace ipset lib

[lixmal]

Describe your changes

Issue ticket number and link

Stack

Checklist

• Is it a bug fix
• Is a typo/documentation fix
• Is a feature enhancement
• It is a refactor
• Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

• I added/updated documentation for this change
• Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

Summary by CodeRabbit

• New Features

  • CI splits internal vs external license checks, adds path-triggered runs, clearer messages, and an external GPL/AGPL compatibility scan that fails on incompatible licenses.

• Bug Fixes

  • Firewall/ipset handling hardened: safer lifecycle management, lazy creation, tolerant cleanup, and improved diagnostics.

• Chores

  • Updated dependency versions and migrated to a different ipset library.

[coderabbitai]

Walkthrough

Switches ipset usage to github.com/lrh3321/ipset-go, adds unexported ipset wrapper methods for lifecycle management in firewall ACL and router modules, refines ipset error handling and IP detection, updates go.mod dependencies, and extends the GitHub Actions workflow to separate internal AGPL checks from external GPL/AGPL/LGPL checks (notes MPL-2.0).

Changes

Cohort / File(s)	Summary
Dependency update go.mod	Bumped github.com/vishvananda/netlink to v1.3.1, updated github.com/vishvananda/netns to v0.0.5, removed github.com/nadoo/ipset, and added github.com/lrh3321/ipset-go (indirect).
Firewall ACL ipset wrappers client/firewall/iptables/acl_linux.go	Replaced direct ipset usage with unexported helper methods (createIPSet, addToIPSet/addToIPSet, delFromIPSet, flushIPSet, destroyIPSet); removed global ipset.Init(); enabled lazy creation and conditional destruction of ipsets; improved error handling (distinguish ENOENT/EBUSY), updated AddPeerFiltering/DeletePeerRule/CleanChains/Reset flows, and switched to ip.IsUnspecified() for 0.0.0.0 detection.
Router ipset wrappers client/firewall/iptables/router_linux.go	Replaced direct ipset calls with new unexported methods on router (createIPSet, addPrefixToIPSet, destroyIPSet); removed ipset.Init(); updated create/delete/update flows to use wrappers and added deletion logging.
License workflow enhancement .github/workflows/check-license-dependencies.yml	Added path filters for go.mod, go.sum, and the workflow file on push/pull_request; renamed job check-dependencies → check-internal-dependencies (display name “Check Internal AGPL Dependencies”); added new job check-external-licenses (“Check External GPL/AGPL Licenses”) to scan external copyleft licenses (GPL/AGPL/LGPL), note MPL-2.0 compatibility, fail on incompatibilities with BSD-3-Clause, and clarify internal vs external messaging.

Sequence Diagram(s)

sequenceDiagram
    actor Caller
    participant ACL as aclManager
    participant Router as router
    participant Lib as ipset-go

    rect rgb(220,235,255)
    Note over Caller,ACL: AddPeerFiltering — lazy create & add
    Caller->>ACL: AddPeerFiltering(peer)
    ACL->>ACL: createIPSet(name)  -- create if missing
    ACL->>Lib: Create / Replace
    Lib-->>ACL: ok / error
    ACL->>ACL: addToIPSet(name, ip)  -- Add / AddPrefix
    ACL->>Lib: Add / AddPrefix
    Lib-->>ACL: ok / error
    ACL-->>Caller: complete
    end

    rect rgb(255,240,220)
    Note over Caller,ACL: DeletePeerRule — conditional destroy
    Caller->>ACL: DeletePeerRule(peer)
    ACL->>ACL: delFromIPSet(name, ip)
    ACL->>Lib: Del / DelPrefix
    Lib-->>ACL: remainingCount / ok / ENOENT
    alt remainingCount == 0
        ACL->>ACL: destroyIPSet(name)
        ACL->>Lib: Destroy
        Lib-->>ACL: ok / ENOENT / EBUSY
    else remainingCount > 0
        ACL-->>Caller: no destroy
    end
    ACL-->>Caller: complete
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

• Areas needing extra attention:
  • client/firewall/iptables/acl_linux.go — ipset lifecycle, concurrency, error wrapping and logging for ENOENT/EBUSY.
  • client/firewall/iptables/router_linux.go — correctness and API mapping of new router methods to ipset-go.
  • .github/workflows/check-license-dependencies.yml — path filters, job rename, new external-license job logic and exit conditions.
  • go.mod — ensure dependency versions align with ipset-go API used.

Poem

🐇 I hopped through sets and wrapped each call,
swapped a library, made errors small,
peers pruned kindly, rules tidy and clear,
workflows now check licenses far and near,
a rabbit hums — nets neat in morning's air.

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description uses the template but is largely incomplete with blank sections for changes, issue ticket, and stack; only documentation selection is filled.	Fill in 'Describe your changes' with details about the ipset lib replacement, add issue ticket information, and check the appropriate checklist item (likely 'refactor').
Docstring Coverage	⚠️ Warning	Docstring coverage is 20.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title '[client] Replace ipset lib' is specific and directly related to the main change of replacing the ipset library dependency throughout the codebase.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch replace-ipset

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3f1f244 and 50aadce.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• go.mod

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: release
• GitHub Check: release_ui
• GitHub Check: release_ui_darwin
• GitHub Check: Build Cache
• GitHub Check: JS / Lint
• GitHub Check: iOS / Build
• GitHub Check: Client / Unit
• GitHub Check: Android / Build
• GitHub Check: Linux
• GitHub Check: Windows
• GitHub Check: Darwin
• GitHub Check: Client / Unit
• GitHub Check: Client / Unit
• GitHub Check: Check External GPL/AGPL Licenses

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c282756 and 370a7b4.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (4)

• .github/workflows/check-license-dependencies.yml (2 hunks)
• client/firewall/iptables/acl_linux.go (10 hunks)
• client/firewall/iptables/router_linux.go (5 hunks)
• go.mod (3 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

client/firewall/iptables/acl_linux.go (1)

client/firewall/iptables/manager_linux.go (1)

• Create (39-61)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: Android / Build
• GitHub Check: iOS / Build
• GitHub Check: Linux
• GitHub Check: Darwin
• GitHub Check: Windows
• GitHub Check: Build Cache
• GitHub Check: Client / Unit
• GitHub Check: release
• GitHub Check: release_ui_darwin
• GitHub Check: Client / Unit
• GitHub Check: release_ui
• GitHub Check: Client / Unit
• GitHub Check: JS / Lint
• GitHub Check: Check External GPL/AGPL Licenses

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 370a7b4 and d1767fc.

📒 Files selected for processing (1)

• .github/workflows/check-license-dependencies.yml (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (18)

• GitHub Check: Relay / Unit (amd64, -race)
• GitHub Check: Relay / Unit (386)
• GitHub Check: Management / Unit (amd64, mysql)
• GitHub Check: Management / Unit (amd64, postgres)
• GitHub Check: Management / Unit (amd64, sqlite)
• GitHub Check: Client / Unit (386)
• GitHub Check: Client / Unit (amd64)
• GitHub Check: Client (Docker) / Unit
• GitHub Check: Client / Unit
• GitHub Check: Darwin
• GitHub Check: Linux
• GitHub Check: Windows
• GitHub Check: release
• GitHub Check: release_ui_darwin
• GitHub Check: Android / Build
• GitHub Check: Client / Unit
• GitHub Check: Client / Unit
• GitHub Check: JS / Lint

🔇 Additional comments (2)

.github/workflows/check-license-dependencies.yml (2)

6-14: Path filters now properly include go.sum.

This addresses the previous review feedback. The workflow will now correctly trigger on go.sum changes, catching transitive dependency updates and checksum bumps.

---

66-66: I need to gather information to verify the review comment's claims about the go install @latest pattern.

The web search limit has been reached. Let me search for more specific information about Go's @latest behavior in workflows:

Update the go-licenses version pin to a current release.

The concern about reproducibility with @latest is valid for CI/CD pipelines. However, the latest stable version is v1.6.0, not v0.2.1 as suggested. If pinning is desired, use a current version. Alternatively, the official documentation still recommends go install github.com/google/go-licenses@latest, which is acceptable given Go's module caching behavior.

Apply this diff if pinning:

-    - name: Install go-licenses
-      run: go install github.com/google/go-licenses@latest
+    - name: Install go-licenses
+      run: go install github.com/google/go-licenses@v1.6.0

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

.github/workflows/check-license-dependencies.yml (1)

74-74: Duplicate: Unresolved—stderr masking and narrow regex pattern still present.

Two previously flagged critical issues remain unaddressed in the new external license check:

1. Line 74: 2>/dev/null silences real errors from go-licenses report, masking failures (network issues, malformed go.mod, tool crashes). The trailing || true further hides failures.

2. Line 84: The regex pattern 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]' only matches formats like GPL-2 but misses standard SPDX identifiers such as GPL-2.0-only, GPL-2.0-or-later, AGPL-3.0-only, or LGPL-2.1-only, causing false negatives.

Apply this diff to surface real errors and match SPDX identifiers:

-        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
+        COPYLEFT_DEPS=$(go-licenses report ./... | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)

And:

-            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
+            if echo "$license" | grep -qE 'GPL-|AGPL-|LGPL-' | grep -qv 'MPL-'; then

Also applies to: 84-84

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4de35ca and 3f1f244.

📒 Files selected for processing (2)

• .github/workflows/check-license-dependencies.yml (2 hunks)
• client/firewall/iptables/acl_linux.go (10 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

client/firewall/iptables/acl_linux.go (1)

client/firewall/iptables/manager_linux.go (1)

• Create (39-61)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (17)

• GitHub Check: Management / Unit (amd64, postgres)
• GitHub Check: Management / Unit (amd64, mysql)
• GitHub Check: Management / Unit (amd64, sqlite)
• GitHub Check: Client / Unit (386)
• GitHub Check: Relay / Unit (386)
• GitHub Check: Client / Unit (amd64)
• GitHub Check: Relay / Unit (amd64, -race)
• GitHub Check: Client (Docker) / Unit
• GitHub Check: Client / Unit
• GitHub Check: Darwin
• GitHub Check: Linux
• GitHub Check: Windows
• GitHub Check: JS / Lint
• GitHub Check: release
• GitHub Check: Client / Unit
• GitHub Check: Android / Build
• GitHub Check: Client / Unit

🔇 Additional comments (2)

.github/workflows/check-license-dependencies.yml (2)

6-14: ✅ Path filters now include go.sum.

The addition of go.sum to the path filters in both push and pull_request events resolves the earlier concern about workflow not triggering on transitive dependency additions or checksum-only updates.

---

52-108: Verify importer detection logic correctly identifies BSD-licensed code boundaries.

The new external license check at lines 85–98 uses go list -json -deps to find packages that import GPL-licensed dependencies, then filters out importers under management/, signal/, or relay/ directories. However, there are a few concerns:

1. Line 86 logic: The filter select(.Imports[]? == \"$package\") assumes direct imports. Transitive imports (A → B → GPL) may not be caught, potentially missing incompatibilities.

2. Line 89 pattern matching: The grep pattern github.com/netbirdio/netbird/\(management\|signal\|relay\) assumes a specific directory structure. If there are nested packages like management/foo/bar that are not BSD-licensed, they might incorrectly pass the check.

Please verify that:

• The importer detection correctly handles both direct and transitive dependencies.
• All known BSD-licensed packages are outside the management/signal/relay directories, or that nested exceptions are properly accounted for.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
2 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud