[client] Add block lan access flag for routers (#3171)

netbirdio · Jan 15, 2025 · 78795a4 · 78795a4
1 parent 5a82477
commit 78795a4
Show file tree

Hide file tree

Showing 9 changed files with 475 additions and 343 deletions.
diff --git a/client/cmd/root.go b/client/cmd/root.go
@@ -38,6 +38,7 @@ const (
 	extraIFaceBlackListFlag = "extra-iface-blacklist"
 	dnsRouteIntervalFlag    = "dns-router-interval"
 	systemInfoFlag          = "system-info"
+	blockLANAccessFlag      = "block-lan-access"
 )
 
 var (
@@ -73,6 +74,7 @@ var (
 	anonymizeFlag           bool
 	debugSystemInfoFlag     bool
 	dnsRouteInterval        time.Duration
+	blockLANAccess          bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",

diff --git a/client/cmd/up.go b/client/cmd/up.go
@@ -48,6 +48,7 @@ func init() {
 	)
 	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
 	upCmd.PersistentFlags().DurationVar(&dnsRouteInterval, dnsRouteIntervalFlag, time.Minute, "DNS route update interval")
+	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false, "Block access to local networks (LAN) when using this peer as a router or exit node")
 }
 
 func upFunc(cmd *cobra.Command, args []string) error {
@@ -160,6 +161,10 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		ic.DisableFirewall = &disableFirewall
 	}
 
+	if cmd.Flag(blockLANAccessFlag).Changed {
+		ic.BlockLANAccess = &blockLANAccess
+	}
+
 	providedSetupKey, err := getSetupKey()
 	if err != nil {
 		return err
@@ -290,6 +295,10 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		loginRequest.DisableFirewall = &disableFirewall
 	}
 
+	if cmd.Flag(blockLANAccessFlag).Changed {
+		loginRequest.BlockLanAccess = &blockLANAccess
+	}
+
 	var loginErr error
 
 	var loginResp *proto.LoginResponse

diff --git a/client/internal/config.go b/client/internal/config.go
@@ -66,6 +66,8 @@ type ConfigInput struct {
 	DisableServerRoutes *bool
 	DisableDNS          *bool
 	DisableFirewall     *bool
+
+	BlockLANAccess *bool
 }
 
 // Config Configuration type
@@ -89,6 +91,8 @@ type Config struct {
 	DisableDNS          bool
 	DisableFirewall     bool
 
+	BlockLANAccess bool
+
 	// SSHKey is a private SSH key in a PEM format
 	SSHKey string
 
@@ -455,6 +459,16 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
+	if input.BlockLANAccess != nil && *input.BlockLANAccess != config.BlockLANAccess {
+		if *input.BlockLANAccess {
+			log.Infof("blocking LAN access")
+		} else {
+			log.Infof("allowing LAN access")
+		}
+		config.BlockLANAccess = *input.BlockLANAccess
+		updated = true
+	}
+
 	if input.ClientCertKeyPath != "" {
 		config.ClientCertKeyPath = input.ClientCertKeyPath
 		updated = true

diff --git a/client/internal/connect.go b/client/internal/connect.go
@@ -420,6 +420,8 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		DisableServerRoutes: config.DisableServerRoutes,
 		DisableDNS:          config.DisableDNS,
 		DisableFirewall:     config.DisableFirewall,
+
+		BlockLANAccess: config.BlockLANAccess,
 	}
 
 	if config.PreSharedKey != "" {

diff --git a/client/internal/engine.go b/client/internal/engine.go
@@ -16,12 +16,14 @@ import (
 	"sync/atomic"
 	"time"
 
+	"github.com/hashicorp/go-multierror"
 	"github.com/pion/ice/v3"
 	"github.com/pion/stun/v2"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/protobuf/proto"
 
+	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall"
 	"github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
@@ -114,6 +116,8 @@ type EngineConfig struct {
 	DisableServerRoutes bool
 	DisableDNS          bool
 	DisableFirewall     bool
+
+	BlockLANAccess bool
 }
 
 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
@@ -482,6 +486,10 @@ func (e *Engine) initFirewall() error {
 		}
 	}
 
+	if e.config.BlockLANAccess {
+		e.blockLanAccess()
+	}
+
 	if e.rpManager == nil || !e.config.RosenpassEnabled {
 		return nil
 	}
@@ -508,6 +516,35 @@ func (e *Engine) initFirewall() error {
 	return nil
 }
 
+func (e *Engine) blockLanAccess() {
+	var merr *multierror.Error
+
+	// TODO: keep this updated
+	toBlock, err := getInterfacePrefixes()
+	if err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("get local addresses: %w", err))
+	}
+
+	log.Infof("blocking route LAN access for networks: %v", toBlock)
+	v4 := netip.PrefixFrom(netip.IPv4Unspecified(), 0)
+	for _, network := range toBlock {
+		if _, err := e.firewall.AddRouteFiltering(
+			[]netip.Prefix{v4},
+			network,
+			manager.ProtocolALL,
+			nil,
+			nil,
+			manager.ActionDrop,
+		); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("add fw rule for network %s: %w", network, err))
+		}
+	}
+
+	if merr != nil {
+		log.Warnf("encountered errors blocking IPs to block LAN access: %v", nberrors.FormatErrorOrNil(merr))
+	}
+}
+
 // modifyPeers updates peers that have been modified (e.g. IP address has been changed).
 // It closes the existing connection, removes it from the peerConns map, and creates a new one.
 func (e *Engine) modifyPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
@@ -1689,3 +1726,45 @@ func isChecksEqual(checks []*mgmProto.Checks, oChecks []*mgmProto.Checks) bool {
 		return slices.Equal(checks.Files, oChecks.Files)
 	})
 }
+
+func getInterfacePrefixes() ([]netip.Prefix, error) {
+	ifaces, err := net.Interfaces()
+	if err != nil {
+		return nil, fmt.Errorf("get interfaces: %w", err)
+	}
+
+	var prefixes []netip.Prefix
+	var merr *multierror.Error
+
+	for _, iface := range ifaces {
+		addrs, err := iface.Addrs()
+		if err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("get addresses for interface %s: %w", iface.Name, err))
+			continue
+		}
+		for _, addr := range addrs {
+			ipNet, ok := addr.(*net.IPNet)
+			if !ok {
+				merr = multierror.Append(merr, fmt.Errorf("cast address to IPNet: %v", addr))
+				continue
+			}
+			addr, ok := netip.AddrFromSlice(ipNet.IP)
+			if !ok {
+				merr = multierror.Append(merr, fmt.Errorf("cast IPNet to netip.Addr: %v", ipNet.IP))
+				continue
+			}
+			ones, _ := ipNet.Mask.Size()
+			prefix := netip.PrefixFrom(addr.Unmap(), ones).Masked()
+			ip := prefix.Addr()
+
+			// TODO: add IPv6
+			if !ip.Is4() || ip.IsLoopback() || ip.IsMulticast() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+				continue
+			}
+
+			prefixes = append(prefixes, prefix)
+		}
+	}
+
+	return prefixes, nberrors.FormatErrorOrNil(merr)
+}