Add a way to set the network type on windows + tests (#1710)

2026-05-15 20:37:36 +02:00 · 2026-05-07 20:17:38 -05:00
parent c82db210ef
commit 696903d6d9
15 changed files with 1349 additions and 20 deletions
--- a/udp/udp_android.go
+++ b/udp/udp_android.go
@@ -5,12 +5,11 @@ package udp

 import (
 	"fmt"
+	"log/slog"
 	"net"
 	"net/netip"
 	"syscall"

-	"log/slog"
-
 	"golang.org/x/sys/unix"
 )

--- a/udp/udp_bsd.go
+++ b/udp/udp_bsd.go
@@ -8,12 +8,11 @@ package udp

 import (
 	"fmt"
+	"log/slog"
 	"net"
 	"net/netip"
 	"syscall"

-	"log/slog"
-
 	"golang.org/x/sys/unix"
 )

--- a/udp/udp_bypass_windows.go
+++ b/udp/udp_bypass_windows.go
@@ -0,0 +1,57 @@
+//go:build (amd64 || arm64) && !e2e_testing
+// +build amd64 arm64
+// +build !e2e_testing
+
+package udp
+
+import (
+	"log/slog"
+	"sync"
+
+	"github.com/slackhq/nebula/config"
+	"github.com/slackhq/nebula/wfp"
+)
+
+// wrapWithWDFBypass wraps a Conn so that the first ReloadConfig consults listen.windows_bypass_wdf
+// and installs a WFP PERMIT filter for the listener's bound UDP port. The session is released when Close runs.
+func wrapWithWDFBypass(l *slog.Logger, conn Conn) Conn {
+	return &bypassConn{Conn: conn, l: l}
+}
+
+type bypassConn struct {
+	Conn
+
+	l           *slog.Logger
+	installOnce sync.Once
+	session     *wfp.Session
+}
+
+func (b *bypassConn) ReloadConfig(c *config.C) {
+	b.installOnce.Do(func() {
+		if !c.GetBool("listen.windows_bypass_wdf", true) {
+			return
+		}
+		addr, err := b.Conn.LocalAddr()
+		if err != nil {
+			b.l.Warn("Failed to query listener port for WFP bypass", "error", err)
+			return
+		}
+		s, err := wfp.PermitUDPPort(addr.Port())
+		if err != nil {
+			b.l.Warn("Failed to install WFP bypass filters for listener", "error", err)
+			return
+		}
+		b.l.Info("Installed WFP filters bypassing Windows Defender Firewall on UDP listener port",
+			"port", addr.Port())
+		b.session = s
+	})
+	b.Conn.ReloadConfig(c)
+}
+
+func (b *bypassConn) Close() error {
+	if b.session != nil {
+		b.session.Close()
+		b.session = nil
+	}
+	return b.Conn.Close()
+}
--- a/udp/udp_bypass_windows_386.go
+++ b/udp/udp_bypass_windows_386.go
@@ -0,0 +1,11 @@
+//go:build !e2e_testing
+// +build !e2e_testing
+
+package udp
+
+import "log/slog"
+
+// wrapWithWDFBypass is a no-op on windows-386 since we don't currently build for it.
+func wrapWithWDFBypass(_ *slog.Logger, conn Conn) Conn {
+	return conn
+}
--- a/udp/udp_netbsd.go
+++ b/udp/udp_netbsd.go
@@ -7,12 +7,11 @@ package udp

 import (
 	"fmt"
+	"log/slog"
 	"net"
 	"net/netip"
 	"syscall"

-	"log/slog"
-
 	"golang.org/x/sys/unix"
 )

--- a/udp/udp_windows.go
+++ b/udp/udp_windows.go
@@ -19,13 +19,18 @@ func NewListener(l *slog.Logger, ip netip.Addr, port int, multi bool, batch int)
 		return nil, fmt.Errorf("multiple udp listeners not supported on windows")
 	}

+	var conn Conn
 	rc, err := NewRIOListener(l, ip, port)
 	if err == nil {
-		return rc, nil
+		conn = rc
+	} else {
+		l.Error("Falling back to standard udp sockets", "error", err)
+		conn, err = NewGenericListener(l, ip, port, multi, batch)
+		if err != nil {
+			return nil, err
+		}
 	}
-
-	l.Error("Falling back to standard udp sockets", "error", err)
-	return NewGenericListener(l, ip, port, multi, batch)
+	return wrapWithWDFBypass(l, conn), nil
 }

 func NewListenConfig(multi bool) net.ListenConfig {