
[client] Reconcile external nft accept rules on external manager reload #5912

Merged
lixmal merged 1 commit into proto-ipv6-overlay from nft-external-chain-monitor
Apr 20, 2026

Conversation

@lixmal
Collaborator

@lixmal lixmal commented Apr 17, 2026

Describe your changes

External nftables managers can flush or recreate their tables and chains at runtime (e.g. on firewall-cmd --reload), which wipes the netbird passthrough accept rules and breaks new flows over wt0. This adds a netlink monitor that re-inserts the rules when relevant tables/chains appear.

  • Add an nftables netlink monitor in the firewall manager; debounces event bursts and reconnects with exponential backoff on netlink errors
  • Re-apply external-chain accept rules for both v4 and v6 routers when relevant events fire
  • Make the inserts idempotent via UserData tag lookup; bail on lookup error so blind re-inserts don't accumulate duplicates
  • Add unit and root-only integration tests for the monitor

Issue ticket number and link

Stack

Checklist

  • Is it a bug fix
  • Is a typo/documentation fix
  • Is a feature enhancement
  • It is a refactor
  • Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

  • I added/updated documentation for this change
  • Documentation is not needed for this change (explain why)

Internal firewall reconciliation behavior, no user-facing API change.

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

Summary by CodeRabbit

  • New Features

    • Added Linux nftables external chain monitoring to detect and automatically reconcile firewall chains created by non-NetBird processes.
    • Implemented automatic deduplication of firewall rules to prevent duplicate accept rules when managing external filter chains.
  • Tests

    • Added unit and integration test coverage for external chain monitoring and reconciliation functionality.

@coderabbitai
Contributor

coderabbitai Bot commented Apr 17, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d26e7956-0b3c-4063-af06-f01e3b7861e1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
client/firewall/nftables/external_chain_monitor_integration_linux_test.go (1)

45-53: Nit: drop _ = chain.

AddChain is called for its side effect of queueing the chain into the conn; the returned value isn't used. You can simply ignore it without the assignment:

🧹 Proposed cleanup
-	chain := conn.AddChain(&nftables.Chain{
+	conn.AddChain(&nftables.Chain{
 		Name:     "filter_INPUT",
 		Table:    table,
 		Hooknum:  nftables.ChainHookInput,
 		Priority: nftables.ChainPriorityFilter,
 		Type:     nftables.ChainTypeFilter,
 	})
-	_ = chain
 	require.NoError(t, conn.Flush(), "create external test chain")
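Review bot: dropping the `chain` binding is behaviour-preserving here, because `conn.AddChain` only queues the chain on the connection and the `require.NoError(t, conn.Flush(), "create external test chain")` that follows is what actually commits it; nothing in the hunk reads the returned pointer, so the `_ = chain` sink was only silencing the compiler. Since this root-only test installs a real hooked chain (`Hooknum: nftables.ChainHookInput`) in `table` on the host, make sure the test also registers cleanup that deletes that table and flushes, if it does not already do so outside this hunk, so an aborted run does not leave a stray `filter_INPUT` chain behind.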
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@client/firewall/nftables/external_chain_monitor_integration_linux_test.go`
around lines 45 - 53, The variable `chain` is unused after calling
`conn.AddChain(...)`; remove the assignment and call
`conn.AddChain(&nftables.Chain{...})` for the side effect only (delete the `_ =
chain` line and change `chain := conn.AddChain(...)` to a plain call), leaving
the subsequent `require.NoError(t, conn.Flush(), "create external test chain")`
intact; references: AddChain, chain, conn.Flush.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7eb749ba-d28d-46df-a74f-76a24659f670

📥 Commits

Reviewing files that changed from the base of the PR and between 0c9f470 and 0ce5c3d.

📒 Files selected for processing (5)
  • client/firewall/nftables/external_chain_monitor_integration_linux_test.go
  • client/firewall/nftables/external_chain_monitor_linux.go
  • client/firewall/nftables/external_chain_monitor_linux_test.go
  • client/firewall/nftables/manager_linux.go
  • client/firewall/nftables/router_linux.go

@lixmal lixmal force-pushed the nft-external-chain-monitor branch from 0ce5c3d to 27bd60b on April 18, 2026 04:35

@lixmal lixmal merged commit cec2103 into proto-ipv6-overlay Apr 20, 2026
39 of 40 checks passed
@lixmal lixmal deleted the nft-external-chain-monitor branch April 20, 2026 08:23