nbrownus (Collaborator) commented Oct 10, 2025

This PR adds two additional firewall tables to deal distinctly with packets that have a source or destination address within an unsafe network on either the inbound or outbound.

Packets that have a source address assigned to the sender and a destination address assigned to the receiver will continue to use the inbound/outbound tables.

Packets sent to the tun device (outbound):

  • Source address matches an address assigned to the local nebula and destination address matches an address assigned to the remote nebula: outbound table
  • Source address matches an address assigned to the local nebula and destination address matches an unsafe network assigned to the remote nebula: forward_outbound table
  • Source address matches an unsafe network assigned to the local nebula and destination address matches an address assigned to the remote nebula: forward_outbound table
  • Source address matches an unsafe network assigned to the local nebula and destination address matches an unsafe network assigned to the remote nebula: forward_outbound table

Packets received by the udp listener (inbound):

  • Source address matches an address assigned to the remote nebula and destination address matches an address assigned to the local nebula: inbound table
  • Source address matches an address assigned to the remote nebula and destination address matches an unsafe network assigned to the local nebula: forward_inbound table
  • Source address matches an unsafe network assigned to the remote nebula and destination address matches an address assigned to the local nebula: forward_inbound table
  • Source address matches an unsafe network assigned to the remote nebula and destination address matches an unsafe network assigned to the local nebula: forward_inbound table

Questions:

  • Do we also need firewall.forward_inbound_action and firewall.forward_outbound_action, and if so, should they default to their existing counterparts?
  • Should we split metrics based on forward or collapse them into the existing inbound/outbound metrics?
  • Maybe unsafe_inbound and unsafe_outbound would be better names?
  • Should we take this opportunity to deprecate the cidr rule and alias it to remote_cidr? Or maybe even better, remote_network and local_network?
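The table selection laid out in the two lists above, written out as a small Go program so the eight cases can be checked against concrete addresses. This is an added example, not code from the Nebula project or from this PR: the Peer struct, SelectTable, SamplePeers and the sample prefixes are constructed for illustration, and two details the description does not spell out are assumptions here (an address that matches both an assigned address and an unsafe network is treated as assigned, and a packet whose source is not attributable to the sender or whose destination is not attributable to the receiver matches no table at all).

```go
package main

import (
	"fmt"
	"net/netip"
)

// Direction of a packet relative to the local nebula node.
type Direction int

const (
	Outbound Direction = iota // packet headed to the tun device, toward a remote peer
	Inbound                   // packet received by the udp listener from a remote peer
)

// Table names as used in the PR description. TableNone is an assumption:
// it marks a packet that neither side can vouch for.
const (
	TableInbound         = "inbound"
	TableOutbound        = "outbound"
	TableForwardInbound  = "forward_inbound"
	TableForwardOutbound = "forward_outbound"
	TableNone            = ""
)

// Peer is a hypothetical view of what a host certificate attests: the
// addresses assigned to the host itself and the unsafe networks it routes for.
type Peer struct {
	Assigned []netip.Prefix
	Unsafe   []netip.Prefix
}

type addrKind int

const (
	kindNone     addrKind = iota // not attributable to this peer
	kindAssigned                 // one of the peer's own addresses
	kindUnsafe                   // inside one of the peer's unsafe networks
)

func containsAny(prefixes []netip.Prefix, a netip.Addr) bool {
	for _, p := range prefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// classify says how an address relates to a peer. Assumption: an assigned
// address match takes precedence over an unsafe network match.
func classify(p Peer, a netip.Addr) addrKind {
	if containsAny(p.Assigned, a) {
		return kindAssigned
	}
	if containsAny(p.Unsafe, a) {
		return kindUnsafe
	}
	return kindNone
}

// SelectTable picks the firewall table for a packet. The source must be
// attributable to the sending side and the destination to the receiving side;
// if either address involves an unsafe network the forward_* table is used.
func SelectTable(dir Direction, local, remote Peer, src, dst netip.Addr) string {
	sender, receiver := local, remote
	if dir == Inbound {
		sender, receiver = remote, local
	}
	srcKind := classify(sender, src)
	dstKind := classify(receiver, dst)
	if srcKind == kindNone || dstKind == kindNone {
		return TableNone // e.g. a remote host using an address it was never issued
	}
	forward := srcKind == kindUnsafe || dstKind == kindUnsafe
	switch {
	case dir == Outbound && forward:
		return TableForwardOutbound
	case dir == Outbound:
		return TableOutbound
	case forward:
		return TableForwardInbound
	default:
		return TableInbound
	}
}

// SamplePeers returns constructed sample data: each host has one nebula address
// and routes for one unsafe network.
func SamplePeers() (local, remote Peer) {
	local = Peer{
		Assigned: []netip.Prefix{netip.MustParsePrefix("10.1.1.1/32")},
		Unsafe:   []netip.Prefix{netip.MustParsePrefix("192.168.10.0/24")},
	}
	remote = Peer{
		Assigned: []netip.Prefix{netip.MustParsePrefix("10.1.1.2/32")},
		Unsafe:   []netip.Prefix{netip.MustParsePrefix("192.168.20.0/24")},
	}
	return local, remote
}

func main() {
	local, remote := SamplePeers()
	cases := []struct {
		dir      Direction
		src, dst string
	}{
		{Outbound, "10.1.1.1", "10.1.1.2"},     // outbound
		{Outbound, "10.1.1.1", "192.168.20.5"}, // forward_outbound
		{Inbound, "192.168.20.5", "192.168.10.7"}, // forward_inbound
		{Inbound, "172.16.0.1", "10.1.1.1"},    // no table: source not attributable to remote
	}
	for _, c := range cases {
		t := SelectTable(c.dir, local, remote, netip.MustParseAddr(c.src), netip.MustParseAddr(c.dst))
		fmt.Printf("dir=%d %s -> %s : %q\n", c.dir, c.src, c.dst, t)
	}
}
```

Running it with the constructed peers prints one line per case; the last case shows why the sender/receiver split matters: an inbound packet sourced from an address the remote certificate does not cover lands in no table, regardless of which table would otherwise apply.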
