Fix cross-cell ICMP routing: state-based cell DROP + e2e test

The cell catch-all DROP rule blocked all traffic from a connected cell's subnet, including ESTABLISHED/RELATED packets (ICMP replies, TCP ACKs) for connections initiated by local VPN peers. This broke ping to the remote cell's WireGuard IP even when the cell-to-cell tunnel was healthy. Change the DROP to match only NEW,INVALID connections so established reply traffic passes through to the stateful ACCEPT rule. Also adds tests/e2e/wg/test_cell_to_cell_routing.py — an end-to-end test that brings up a real WireGuard tunnel from the test runner to pic1 and verifies full cross-cell routing including ICMP ping, API /health, and Caddy. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-05 10:59:11 -04:00
parent 5a4e292440
commit 1e1bda4679
2 changed files with 308 additions and 1 deletions
@@ -363,8 +363,12 @@ def apply_cell_rules(cell_name: str, vpn_subnet: str, inbound_services: List[str
        tag = _cell_tag(cell_name)
        clear_cell_rules(cell_name)

-        # Catch-all DROP — inserted first so it ends up at the bottom
+        # Catch-all DROP for new connections only — inserted first so it ends up at the bottom.
+        # Using state=NEW,INVALID preserves ESTABLISHED/RELATED packets (ICMP replies,
+        # TCP ACKs) for connections initiated by local peers to this cell, which would
+        # otherwise be dropped before reaching the stateful ACCEPT rule.
        _iptables(['-I', 'FORWARD', '-s', vpn_subnet,
+                   '-m', 'state', '--state', 'NEW,INVALID',
                   '-m', 'comment', '--comment', tag, '-j', 'DROP'])

        # Exit relay ACCEPT — allow internet-bound traffic from this cell's peers.