Fix ICMP latency: re-anchor ESTABLISHED,RELATED to FORWARD position 1 on every health tick

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 18:51:38 -04:00
parent 6f84a3ffe1
commit 1b61e9e290
3 changed files with 54 additions and 21 deletions
@@ -526,9 +526,10 @@ def health_monitor_loop():
        with app.app_context():
            health_result = perform_health_check()
            health_history.appendleft(health_result)
-            
-            # Publish health check event
            service_bus.publish_event(EventType.HEALTH_CHECK, 'api', health_result)
+            # Re-anchor stateful rule every cycle: wg0 PostUp uses -I FORWARD which
+            # pushes ESTABLISHED,RELATED down below per-peer DROPs on restart.
+            firewall_manager.ensure_forward_stateful()
        time.sleep(60)  # Check every 60 seconds

 # Start health monitor thread
@@ -447,23 +447,27 @@ def apply_all_cell_rules(cell_links: List[Dict[str, Any]]) -> None:


 def ensure_forward_stateful() -> bool:
-    """Insert a stateful ESTABLISHED/RELATED ACCEPT at the top of FORWARD.
+    """Ensure ESTABLISHED/RELATED ACCEPT is at position 1 (top) of FORWARD.

    Cell rules DROP all traffic from a connected cell's subnet except specific
    service ports. Without conntrack, ICMP replies and TCP ACKs for connections
    initiated BY local peers to the connected cell are also dropped, making
    cross-cell routing (peer → cell → remote cell) broken.

-    This rule is inserted once and does not carry a peer/cell comment tag, so it
-    is never removed by clear_peer_rules or clear_cell_rules.
+    This function always deletes any existing instance and re-inserts at position 1.
+    That re-anchoring is necessary because wg0 PostUp uses -I FORWARD (insert at top),
+    which pushes this rule down every time wg0 restarts — causing ICMP to hit the
+    per-peer DROP rule before reaching the stateful ACCEPT.
    """
    try:
-        check = ['-C', 'FORWARD', '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT']
-        if _wg_exec(['iptables'] + check).returncode == 0:
-            return True  # already present
+        # Remove all existing instances so we can re-anchor at position 1.
+        # PostUp -I FORWARD rules drift this rule down on every wg0 restart.
+        while _wg_exec(['iptables', '-D', 'FORWARD', '-m', 'state',
+                        '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT']).returncode == 0:
+            pass
        _wg_exec(['iptables', '-I', 'FORWARD', '1', '-m', 'state',
                  '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT'])
-        logger.info('ensure_forward_stateful: inserted ESTABLISHED,RELATED ACCEPT into FORWARD')
+        logger.info('ensure_forward_stateful: ESTABLISHED,RELATED anchored at FORWARD position 1')
        return True
    except Exception as e:
        logger.error(f'ensure_forward_stateful: {e}')