[client] Add non-root ICMP support to userspace firewall forwarder

[lixmal]

Describe your changes

• Use the ping binary if we cannot create raw sockets
• Bump gvisor/netstack to fix duplicate echo replies (this also bumps the min Go version)
• Bump wireguard-go fork to work with the new gvisor
• Adjust forwarder to work with new netstack code
• Adjust ice_bind to work with new wireguard-go code
• Fix a bug where waiting for echo replies would block all other packets

Depends on netbirdio/wireguard-go#12

Issue ticket number and link

Stack

Checklist

• Is it a bug fix
• Is a typo/documentation fix
• Is a feature enhancement
• It is a refactor
• Created tests that fail without the change (if possible)

By submitting this pull request, you confirm that you have read and agree to the terms of the Contributor License Agreement.

Documentation

Select exactly one:

• I added/updated documentation for this change
• Documentation is not needed for this change (explain why)

Docs PR URL (required if "docs added" is checked)

Paste the PR link from https://github.com/netbirdio/docs here:

https://github.com/netbirdio/docs/pull/__

Summary by CodeRabbit

Release Notes

• New Features

  • Enhanced ICMP packet handling with improved forwarding capabilities and redundant processing paths for better network reliability.

• Dependencies

  • Updated core dependencies: gRPC (v1.75.1), OpenTelemetry instrumentation, and Google Cloud libraries to latest stable versions for improved performance and security.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR restructures ICMP and UDP packet handling in the forwarder module. It introduces atomic operations for endpoint MTU management, adds raw ICMP socket capability detection with a ping-based fallback, implements asynchronous Echo request processing, modifies UDP handler return semantics, updates network binding to support generic receivers, adds logging utilities, and upgrades dependencies.

Changes

Cohort / File(s)	Summary
Endpoint lifecycle & atomicity client/firewall/uspfilter/forwarder/endpoint.go	MTU field converted to atomic.Uint32; MTU() getter now uses atomic Load(); new lifecycle methods added: Close(), SetLinkAddress(), SetMTU(), and SetOnCloseAction() (mostly no-ops except SetMTU).
Forwarder initialization & ICMP capability detection client/firewall/uspfilter/forwarder/forwarder.go	Forwarder struct expanded with hasRawICMPAccess (bool) and pingSemaphore (buffered channel); new checkICMPCapability() method probes raw ICMP socket access during init with timeout; pingSemaphore initialized with buffer size 3.
ICMP protocol handling rework client/firewall/uspfilter/forwarder/icmp.go	handleICMP signature changed (value → pointer receiver); Echo requests delegated to new handleICMPEcho with async dispatch; new forwardICMPPacket() creates raw ICMP sockets; handleICMPViaSocket() for raw socket path; handleICMPViaPing() for command-based fallback with synthesized replies; new helpers: buildPingCommand(), synthesizeEchoReply(), injectICMPReply(); expanded imports (fmt, os/exec, runtime).
UDP protocol handler client/firewall/uspfilter/forwarder/udp.go	handleUDP now returns bool (success/failure); all error paths and race conditions now return explicit boolean values; gonet.NewUDPConn signature updated (removed stack parameter); io import added; isClosedError extended to treat io.EOF as terminal.
Logging enhancements client/firewall/uspfilter/log/log.go	New Warn4() method (mirrors Warn3) accepts four arguments for non-blocking log message enqueuing at LevelWarn.
Network binding receiver creation client/iface/bind/ice_bind.go	CreateIPv4ReceiverFn replaced with generic CreateReceiverFn accepting wgConn.BatchReader; dispatches to IPv4 path if BatchReader is *ipv4.PacketConn, otherwise uses fallback UDP-based receiver.
Dependency updates go.mod	grpc v1.73.0 → v1.75.1; otel/otelgrpc/metric updated to v1.37.0/v0.61.0; google.golang.org/api v0.177.0 → v0.249.0; net/http instrumentation migrated to contrib paths; cloud.google.com/go/auth updated to v0.16.5; gvisor to 2025 timestamp; wireguard replacement updated; removed/replaced deprecated opencensus references.

Sequence Diagrams

sequenceDiagram
    autonumber
    participant Client
    participant Forwarder
    participant ICMP as ICMP Handler
    participant RawSocket as Raw Socket Path
    participant PingCmd as Ping Command Path
    participant Stack as Netstack

    Client->>Forwarder: Packet arrives (Echo request)
    Forwarder->>ICMP: handleICMP(id, pkt)
    alt Echo Request
        ICMP->>ICMP: handleICMPEcho()
        alt hasRawICMPAccess == true
            ICMP->>RawSocket: handleICMPViaSocket()
            RawSocket->>RawSocket: forwardICMPPacket() create raw socket
            RawSocket->>RawSocket: Send ICMP payload
            RawSocket->>RawSocket: handleEchoResponse() receive reply
            RawSocket->>ICMP: injectICMPReply()
            ICMP->>Stack: Inject synthesized reply
        else hasRawICMPAccess == false
            ICMP->>PingCmd: handleICMPViaPing()
            PingCmd->>PingCmd: buildPingCommand() construct OS command
            PingCmd->>PingCmd: Execute ping, capture RTT
            PingCmd->>PingCmd: synthesizeEchoReply()
            PingCmd->>ICMP: injectICMPReply()
            ICMP->>Stack: Inject synthesized reply
        end
    else Non-Echo Type
        ICMP->>RawSocket: forwardICMPPacket() if raw access available
        alt Success
            RawSocket-->>ICMP: PacketConn returned
        else Fallback
            ICMP->>Stack: Forward or drop
        end
    end
    ICMP-->>Client: Reply or forwarded packet

Loading

sequenceDiagram
    autonumber
    participant UDP as UDP Handler
    participant Dial as Dial Flow
    participant Endpoint as Endpoint
    participant Proxy as Proxy Loop

    UDP->>Dial: handleUDP(request)
    alt Context cancelled
        Dial-->>UDP: return false
    else New connection
        Dial->>Dial: Set endpoint MTU (atomic.Store)
        Dial->>Endpoint: gonet.NewUDPConn() without stack param
        alt Success
            Endpoint-->>Dial: Connection created
            Dial-->>UDP: return true
            UDP->>Proxy: Spawn proxy goroutine
        else Error
            Dial-->>UDP: return false
        end
    else Existing connection (race)
        Dial-->>UDP: return true
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Areas requiring extra attention:

• ICMP handling rework: Multiple new execution paths (raw socket vs. ping fallback) with asynchronous dispatch; verify correctness of synthesized ICMP replies and proper resource cleanup (socket closure, goroutine lifecycle).
• Atomic operations on MTU: Confirm thread-safe access patterns across all call sites, especially in the forwarder initialization and packet handling loops.
• UDP signature changes: Verify all boolean return paths are correctly implemented; check error handling consistency and whether callers properly handle the new return values.
• Dependency updates: Cross-check transitive dependency changes, especially otel/grpc/google.golang.org/api versions for breaking changes or behavior shifts.
• ICMP capability detection: Test checkICMPCapability timeout and edge cases; verify hasRawICMPAccess state is correctly referenced in hot paths.

Suggested reviewers

• mlsmaycon

Poem

🐰 With atomic hops and ICMP grace,
New sockets race, or ping finds place,
Endpoints close with careful care,
UDP's booleans, truth laid bare,
The forwarder flows both fast and free! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 28.57% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly describes the main objective: adding non-root ICMP support via ping binary fallback to the userspace firewall forwarder.
Description check	✅ Passed	The PR description covers key changes, includes checklist completion, explains why documentation isn't needed, and follows the template structure mostly.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch forwarder-ping

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca21a98 and b0daf24.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• go.mod (7 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: lixmal
Repo: netbirdio/netbird PR: 4792
File: client/firewall/uspfilter/forwarder/icmp.go:32-48
Timestamp: 2025-11-15T14:46:06.743Z
Learning: In the netbird userspace firewall forwarder (client/firewall/uspfilter/forwarder/), the boolean return value from ICMP/UDP handlers indicates packet ownership to netstack: `true` means "I handled this packet, don't process it further" and `false` means "I didn't handle it, netstack should handle it". This is used to prevent netstack from generating its own replies even when forwarding fails.

Learnt from: lixmal
Repo: netbirdio/netbird PR: 4792
File: client/firewall/uspfilter/forwarder/icmp.go:32-48
Timestamp: 2025-11-16T19:27:08.018Z
Learning: In the netbird userspace firewall forwarder (client/firewall/uspfilter/forwarder/), flow events (TypeStart/TypeEnd) are only sent for ICMP echo requests/replies to track the complete bidirectional flow. Other ICMP types (Time Exceeded, Destination Unreachable, etc.) only get a TypeStart event without a corresponding TypeEnd event, as they are typically one-way notifications that don't require complete lifecycle tracking.

Learnt from: lixmal
Repo: netbirdio/netbird PR: 4777
File: client/firewall/iptables/acl_linux.go:439-450
Timestamp: 2025-11-13T15:19:32.799Z
Learning: In the netbird client firewall iptables implementation (client/firewall/iptables/), IPv6 is not currently handled or supported.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (14)

• GitHub Check: release_ui
• GitHub Check: release
• GitHub Check: release_ui_darwin
• GitHub Check: JS / Lint
• GitHub Check: Client / Unit
• GitHub Check: Client / Unit
• GitHub Check: Build Cache
• GitHub Check: Client / Unit
• GitHub Check: Android / Build
• GitHub Check: Linux
• GitHub Check: Windows
• GitHub Check: Darwin
• GitHub Check: iOS / Build
• GitHub Check: Check External GPL/AGPL Licenses

🔇 Additional comments (3)

go.mod (3)

3-3: Verify Go 1.24.10 minimum version requirement is intentional.

Go 1.24.10 was released 2025-11-05, which is very recent. This aligns with the PR objective to raise the minimum Go version due to the gvisor/netstack bump (Line 121). Confirm this version requirement is intentional and that no older Go versions in your support matrix need to be maintained.

---

99-103: Coordinated dependency updates for ICMP and telemetry infrastructure.

The dependency bumps are well-coordinated and aligned with PR objectives:

• gvisor updated to a 2025 timestamp-based version, addressing the duplicate echo replies bug mentioned in PR objectives
• Wireguard-go fork bumped to a version compatible with gvisor changes (Line 265)
• OpenTelemetry packages (core and instrumentation) updated to consistent versions (v1.37.0 and v0.61.0), which is appropriate for structured logging/observability
• google.golang.org/api bumped from v0.177.0 to v0.249.0 (Line 115)

The google.golang.org/api jump is significant. Verify there are no breaking changes affecting your codebase or existing API integrations.

Also applies to: 115-115, 121-121, 248-250

---

25-25: Infrastructure and support library updates are well-aligned.

Secondary dependency bumps (grpc, creack/pty, google.golang.org/genproto/googleapis/rpc, cloud.google.com/go/auth, googleapis utilities) are appropriately coordinated with the primary updates. These support the broader infrastructure refresh and maintain compatibility across the stack.

Also applies to: 43-43, 125-127, 173-173, 183-185, 256-256

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

client/firewall/uspfilter/forwarder/icmp.go (1)

57-65: Consider adding panic recovery to the goroutine.

If handleICMPViaSocket or handleICMPViaPing panic, the goroutine will crash silently. Consider adding a deferred panic recovery handler to log any unexpected panics.

Apply this diff to add panic recovery:

 		go func() {
 			defer func() { <-f.pingSemaphore }()
+			defer func() {
+				if r := recover(); r != nil {
+					f.logger.Error1("forwarder: Panic in ICMP echo handler: %v", r)
+				}
+			}()
 
 			if f.hasRawICMPAccess {
 				f.handleICMPViaSocket(flowID, id, icmpHdr, icmpData, rxBytes)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e7d5cdc and 099870d.

📒 Files selected for processing (1)

• client/firewall/uspfilter/forwarder/icmp.go (4 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: lixmal
Repo: netbirdio/netbird PR: 4777
File: client/firewall/iptables/acl_linux.go:439-450
Timestamp: 2025-11-13T15:19:32.799Z
Learning: In the netbird client firewall iptables implementation (client/firewall/iptables/), IPv6 is not currently handled or supported.

🧬 Code graph analysis (1)

client/firewall/uspfilter/forwarder/icmp.go (1)

client/firewall/uspfilter/forwarder/forwarder.go (2)

• Forwarder (35-49)
• New (51-140)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (32)

• GitHub Check: Management / Benchmark (amd64, postgres)
• GitHub Check: Management / Benchmark (amd64, sqlite)
• GitHub Check: Signal / Unit (amd64)
• GitHub Check: Relay / Unit (386)
• GitHub Check: Signal / Unit (386)
• GitHub Check: Management / Benchmark (API) (amd64, postgres)
• GitHub Check: Relay / Unit (amd64, -race)
• GitHub Check: Management / Unit (amd64, sqlite)
• GitHub Check: Management / Integration (amd64, sqlite)
• GitHub Check: Management / Benchmark (API) (amd64, sqlite)
• GitHub Check: Management / Integration (amd64, postgres)
• GitHub Check: Management / Unit (amd64, postgres)
• GitHub Check: Management / Unit (amd64, mysql)
• GitHub Check: Client / Unit (386)
• GitHub Check: Client / Unit (amd64)
• GitHub Check: Client (Docker) / Unit
• GitHub Check: test-docker-compose (mysql)
• GitHub Check: test-docker-compose (postgres)
• GitHub Check: test-docker-compose (sqlite)
• GitHub Check: test-getting-started-script
• GitHub Check: Client / Unit
• GitHub Check: Windows
• GitHub Check: Linux
• GitHub Check: Darwin
• GitHub Check: release_ui
• GitHub Check: release_ui_darwin
• GitHub Check: release
• GitHub Check: iOS / Build
• GitHub Check: Client / Unit
• GitHub Check: JS / Lint
• GitHub Check: Android / Build
• GitHub Check: Client / Unit

🔇 Additional comments (8)

client/firewall/uspfilter/forwarder/icmp.go (8)

5-9: LGTM! Necessary imports for ping fallback.

The new imports support the ping binary fallback mechanism and platform-specific command construction.

---

20-48: LGTM! Clean separation of echo and non-echo ICMP handling.

The refactored logic properly delegates echo requests to asynchronous handling and forwards non-echo ICMP types when raw socket access is available.

---

73-99: LGTM! Proper resource management.

The function correctly creates a raw ICMP socket, sends the packet, and handles errors appropriately. The caller is responsible for closing the returned connection as documented.

---

125-141: LGTM! Proper timeout and buffer sizing.

The function correctly sets a read deadline and sizes the response buffer using the atomic MTU value.

---

233-245: LGTM! Correct ICMP echo reply synthesis.

The function properly creates an echo reply by copying the data, changing the type, and recalculating the checksum following the standard ICMP checksum algorithm.

---

247-272: LGTM! Proper IP header construction and injection.

The function correctly constructs an IPv4 header, wraps the ICMP payload, and bypasses the netstack to avoid re-processing by the ICMP handler. The TTL value of 64 is appropriate for local responses.

---

195-196: The Warn4 logger method exists and is properly implemented.

Verification confirms that Warn4 has been added to the Logger type at client/firewall/uspfilter/log/log.go:171 with the correct signature supporting four arguments. The method call at line 195-196 is valid.

---

212-231: The original review comment's reasoning is fundamentally incorrect.

The review claims -t is TTL on macOS/BSD, but macOS uses -t <timeout> to specify timeout in seconds and FreeBSD uses -t <timeout> for timeout in seconds. The current code is correct for both platforms.

However, there IS a real issue: OpenBSD uses -w <maxwait>, not -t (which is TTL on OpenBSD), and NetBSD uses -w <deadline> for timeout. The current code incorrectly groups all three BSD variants together on line 225, which fails for OpenBSD and NetBSD.

The correct fix requires splitting BSD platforms:

• FreeBSD: keep -t
• OpenBSD: change to -w
• NetBSD: change to -w

The original review's suggested fix is partially correct by accident but based on false premises.

Likely an incorrect or invalid review comment.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (2)

client/firewall/uspfilter/forwarder/icmp.go (2)

101-123: Send TypeEnd event on error to complete flow tracking.

When forwardICMPPacket fails at line 107, the function returns early without sending a TypeEnd event. This leaves the flow incomplete with only a TypeStart event.

Apply this diff to send an end event on error:

 	conn, err := f.forwardICMPPacket(id, payload, icmpHdr, 5*time.Second)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to send ICMP packet for %v: %v", epID(id), err)
+		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), uint64(rxBytes), 0)
 		return
 	}

---

184-210: Send TypeEnd event on error to complete flow tracking.

When the ping binary fails at line 194, the function returns without sending a TypeEnd event, leaving the flow incomplete.

Apply this diff to send an end event on error:

 	pingStart := time.Now()
 	if err := cmd.Run(); err != nil {
 		f.logger.Warn4("forwarder: Ping binary failed for %v type %v code %v: %v", epID(id),
 			icmpHdr.Type(), icmpHdr.Code(), err)
+		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), uint64(rxBytes), 0)
 		return
 	}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 099870d and ca21a98.

📒 Files selected for processing (2)

• client/firewall/uspfilter/forwarder/icmp.go (4 hunks)
• client/firewall/uspfilter/forwarder/udp.go (8 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: lixmal
Repo: netbirdio/netbird PR: 4777
File: client/firewall/iptables/acl_linux.go:439-450
Timestamp: 2025-11-13T15:19:32.799Z
Learning: In the netbird client firewall iptables implementation (client/firewall/iptables/), IPv6 is not currently handled or supported.

🧬 Code graph analysis (2)

client/firewall/uspfilter/forwarder/udp.go (1)

client/firewall/uspfilter/forwarder/forwarder.go (1)

• Forwarder (35-49)

client/firewall/uspfilter/forwarder/icmp.go (1)

client/firewall/uspfilter/forwarder/forwarder.go (2)

• Forwarder (35-49)
• New (51-140)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (30)

• GitHub Check: Client / Unit (amd64)
• GitHub Check: Relay / Unit (386)
• GitHub Check: Management / Benchmark (API) (amd64, postgres)
• GitHub Check: Management / Unit (amd64, mysql)
• GitHub Check: Management / Benchmark (API) (amd64, sqlite)
• GitHub Check: Relay / Unit (amd64, -race)
• GitHub Check: Management / Integration (amd64, postgres)
• GitHub Check: Management / Integration (amd64, sqlite)
• GitHub Check: Management / Unit (amd64, sqlite)
• GitHub Check: Signal / Unit (amd64)
• GitHub Check: Management / Benchmark (amd64, sqlite)
• GitHub Check: Management / Unit (amd64, postgres)
• GitHub Check: Management / Benchmark (amd64, postgres)
• GitHub Check: Signal / Unit (386)
• GitHub Check: Client / Unit (386)
• GitHub Check: Client (Docker) / Unit
• GitHub Check: release_ui_darwin
• GitHub Check: release_ui
• GitHub Check: release
• GitHub Check: Client / Unit
• GitHub Check: Android / Build
• GitHub Check: test-docker-compose (sqlite)
• GitHub Check: test-docker-compose (mysql)
• GitHub Check: test-getting-started-script
• GitHub Check: test-docker-compose (postgres)
• GitHub Check: JS / Lint
• GitHub Check: Client / Unit
• GitHub Check: Darwin
• GitHub Check: Linux
• GitHub Check: Windows

🔇 Additional comments (4)

client/firewall/uspfilter/forwarder/udp.go (2)

352-354: Good addition of io.EOF to closed-error detection.

Treating io.EOF as a terminal condition in isClosedError is appropriate, as EOF signals a closed connection and should not be logged as an unexpected error.

---

180-180: Signature change verified and correct.

The web search confirms that gonet.NewUDPConn in the upgraded gvisor/netstack has signature func NewUDPConn(wq *waiter.Queue, ep tcpip.Endpoint) *UDPConn. The code at line 180 (gonet.NewUDPConn(&wq, ep)) correctly matches this signature, with the stack parameter properly removed as part of the netstack upgrade.

client/firewall/uspfilter/forwarder/icmp.go (2)

247-272: Good implementation of ICMP reply injection.

The injectICMPReply method correctly:

• Constructs a proper IPv4 header with appropriate fields
• Calculates and sets the IP checksum
• Bypasses netstack to avoid looping through the ICMP handler
• Returns the injected size for flow tracking

---

212-231: I need to verify the flags across all platforms mentioned. The web search already revealed important information about macOS that contradicts the review comment. Let me search for the other platforms:

Based on my verification, the review comment contains fundamental inaccuracies regarding the macOS ping flags.

The review comment is incorrect and should be disregarded.

Evidence from official documentation:

• Linux/Android: -W specifies time to wait for a response in seconds, with -w setting the timeout for the entire program session. The code correctly uses -W for timeout.

• FreeBSD/OpenBSD/NetBSD: -t specifies a timeout in seconds before ping exits. The code correctly uses -t for timeout on these platforms.

• Windows: -w sets timeout in milliseconds. The code correctly multiplies timeoutSec by 1000 to convert to milliseconds.

• macOS/iOS: The review's claim is incorrect. From the earlier web search, -t timeout on macOS is "overall timeout in seconds before ping exits regardless of packets received." The code correctly uses -t with timeout in seconds. The review mistakenly claims -t is TTL and suggests using -W, but on macOS, -W uses milliseconds, not seconds, which would be inconsistent with the code's handling of seconds.

The platform-specific ping flags in the code are correct and consistent with official documentation across all platforms.

Likely an incorrect or invalid review comment.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud