Documentation
Overview
Package firewalld integrates with the firewalld daemon so NetBird can place its wg interface into firewalld's "trusted" zone. This is required because firewalld's nftables chains are created with NFT_CHAIN_OWNER on recent versions, which returns EPERM to any other process that tries to insert rules into them. The workaround mirrors what Tailscale does: let firewalld itself add the accept rules to its own chains by trusting the interface.
Index
Constants
const TrustedZone = "trusted"
TrustedZone is the firewalld zone name used for interfaces whose traffic should bypass firewalld filtering.
Variables
This section is empty.
Functions
func SetParentContext
SetParentContext installs a parent context whose cancellation aborts any in-flight TrustInterface call. It does not affect UntrustInterface, which always uses a fresh Background-rooted timeout so cleanup can still run during engine shutdown when the engine context is already cancelled.
func TrustInterface
TrustInterface places iface into firewalld's trusted zone if firewalld is running. It is idempotent and best-effort: errors are returned so callers can log them, but a non-running firewalld is not an error. Only the first successful call per process logs at Info. It respects the parent context set via SetParentContext, so startup-time cancellation unblocks it.
func UntrustInterface
UntrustInterface removes iface from firewalld's trusted zone if firewalld is running. It is idempotent and uses a Background-rooted timeout so it still runs during shutdown after the engine context has been cancelled.
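As an added illustration (not NetBird's code), the context-rooting rule the three functions above describe: the trust path hangs off the engine context, the untrust path is rooted in context.Background so cleanup survives shutdown. The zoneClient stub standing in for firewalld's D-Bus zone API, the function signatures and the 5-second timeout are assumptions.

```go
package main

import (
	"context"
	"time"
)

// zoneClient is a constructed stand-in for firewalld's D-Bus API: it tracks zone
// membership and fails a call whose context is already done, as a blocking D-Bus
// call bounded by that context would.
type zoneClient struct {
	running bool
	trusted map[string]bool
}

func (c *zoneClient) call(ctx context.Context, op func()) error {
	if err := ctx.Err(); err != nil {
		return err
	}
	op()
	return nil
}

// parentCtx is the engine context installed via SetParentContext (Background until set).
var parentCtx = context.Background()

// SetParentContext: cancelling ctx aborts in-flight TrustInterface calls, never UntrustInterface.
func SetParentContext(ctx context.Context) { parentCtx = ctx }

// TrustInterface derives its timeout from the parent (engine) context, so startup-time
// cancellation unblocks it. A non-running firewalld is not an error; re-adding is a no-op.
func TrustInterface(c *zoneClient, iface string) error {
	if !c.running {
		return nil
	}
	ctx, cancel := context.WithTimeout(parentCtx, 5*time.Second)
	defer cancel()
	return c.call(ctx, func() { c.trusted[iface] = true })
}

// UntrustInterface is rooted in context.Background on purpose: cleanup must still run
// during shutdown after the engine context has already been cancelled.
func UntrustInterface(c *zoneClient, iface string) error {
	if !c.running {
		return nil
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	return c.call(ctx, func() { delete(c.trusted, iface) })
}
```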
Types
This section is empty.