Netbird API accepts policies with multiple rules, but ignores all rules except the first.

[Chilinot]

Describe the problem

The Netbird API specifies that you can create policies with multiple rules. However if you try and do this, netbird will create the policy but only apply the first rule in the list, ignoring the rest. No error is returned to the user.

To Reproduce

1. Send this JSON payload to the API:

{
    "description": "Access rules for the DBA team",
    "enabled": true,
    "name": "database-admins",
    "rules": [
        {
            "action": "accept",
            "bidirectional": true,
            "description": "Allow accessing PostgreSQL servers",
            "enabled": true,
            "name": "PostgreSQL",
            "ports": [
                "5432"
            ],
            "protocol": "tcp",
            "source_groups": [
                "cvhicgaqfhcs73cg8650"
            ],
            "target_groups": [
                "cvhqklaqfhcs73cfdpj0"
            ]
        },
        {
            "name": "second rule",
            "description": "This rule will be ignored by the API",
            "action": "accept",
            "bidirectional": true,
            "enabled": true,
            "ports": [
                "22"
            ],
            "protocol": "tcp",
            "source_groups": [
                "foobar"
            ],
            "target_groups": [
                "qwerty"
            ]
        }
    ]
}

2. You get the following in response:

{
    "description": "Access rules for the DBA team",
    "enabled": true,
    "id": "cvihva2qfhcs73e21tb0",
    "name": "database-admins",
    "rules": [
        {
            "action": "accept",
            "bidirectional": true,
            "description": "Allow accessing PostgreSQL servers",
            "destinations": [
                {
                    "id": "cvhqklaqfhcs73cfdpj0",
                    "name": "res-dev-postgresql",
                    "peers_count": 0,
                    "resources_count": 0
                }
            ],
            "enabled": true,
            "id": "cvihva2qfhcs73e21tb0",
            "name": "PostgreSQL",
            "ports": [
                "5432"
            ],
            "protocol": "tcp",
            "sources": [
                {
                    "id": "cvhicgaqfhcs73cg8650",
                    "name": "eng-dba",
                    "peers_count": 0,
                    "resources_count": 0
                }
            ]
        }
    ],
    "source_posture_checks": null
}

Expected behavior

That the API either returns a 400 error indicating that this is incorrect. Or that both rules are applied to the policy.

Are you using NetBird Cloud?

Self hosting.

NetBird version

Management service version: 0.38.2

Is any other VPN software installed?

No

Debug output

Screenshots

If applicable, add screenshots to help explain your problem.

Additional context

Have you tried these troubleshooting steps?

• Checked for newer NetBird versions
• Searched for similar issues on GitHub (including closed ones)
• Restarted the NetBird client
• Disabled other VPN software
• Checked firewall settings

[nazarewk]

The rest of the system doesn't support anything except a single rule, we need to add validation here.

[mbrav]

I just noticed this as well. Could someone clarify whether the current API structure—where a Policy supports multiple Rules—is intended for future compatibility, possibly to allow multiple Rules per Policy?

I'm asking because I'm currently developing a native Netbird provider for Pulumi, and I've found that the Policy resource is by far the most complex data structure to implement correctly.

Specifically, it would be helpful to know whether the policy at index 0 is always the only one used. If that’s the case, I could simplify the implementation by mapping the rules list field to a single rule dict field.

Otherwise, should I continue designing for the possibility that multiple rules per policy will be supported in the future?

cc @nazarewk

[Chilinot]

It's quite strange, and i wonder if it's more of a bug in the backend. Because i have been reading through the source code of the management server. And the API for the policies is written in a way that supports multiple rules in a policy. All functions surrounding that part of the API is written to support multiple rules. So i wonder where the limitation stems from. Where is the part that drops all other rules than the first?

I have not checked the parts where policies are applied to connections, so perhaps there's a limitation there that blocks the support of multiple rules per policy.

[nazarewk]

@mbrav we are working on an official Terraform Provider that might catch your interest https://github.com/netbirdio/terraform-provider-netbird

I have asked the dev team about it:

• the Dashboard was never prepared for handling more than 1 rule,
• adding more than 1 rule was previously causing crashes somewhere in the stack, but the cause was never written down or fully investigated, so there is no single place to point to.

As it stands now, we will be adding a note in the documentation discouraging the use of multiple rules, but we will very likely investigate the issue and implement the support for multiple rules at some point in the future.

[mbrav]

Hi @nazarewk, thanks for the clarification!

The Dashboard was never prepared for handling more than 1 rule

That definitely seems to be the case, as the current Dashboard UI doesn't indicate that a Policy can support multiple rules.

Regarding the official Terraform provider — that's great news. I'm currently working on a Pulumi provider, since my organization adopted Pulumi about a year ago and is now migrating our corporate VPN solution to Netbird.

Given that an official Terraform provider is in the works, I’d be open to building a Pulumi module by bridging it using pulumi-terraform-bridge. That’s actually the approach used for most Pulumi providers, including AWS and pretty much all popular providers.