fix: cross-cell routing for split-tunnel peers

Three related fixes for split-tunnel peers that need to reach connected cells:

1. apply_peer_rules/apply_all_peer_rules now accept wg_subnet (actual local VPN
   subnet) and cell_subnets (connected cells' vpn_subnets) parameters instead of
   hardcoding 10.0.0.0/24. All callers (startup, add_peer, update_peer,
   apply-enforcement endpoint) pass the real values.

2. Explicit ACCEPT rules are inserted in FORWARD for each connected cell's
   subnet so split-tunnel peers (internet_access=False) can still reach
   connected cells via the wg0→wg0 path.

3. apply_ip_range in network_manager now loads cell_links.json and passes it
   to generate_corefile(), fixing a race where the bootstrap DNS thread could
   overwrite the Corefile and wipe cross-cell DNS forwarding zones on startup.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-04 14:36:28 -04:00
parent 8ee1d88e37
commit c2d215ee2e
6 changed files with 171 additions and 19 deletions
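The first two items of the commit message (pass the real `wg_subnet` and the connected cells' subnets instead of a hardcoded 10.0.0.0/24, and insert explicit FORWARD ACCEPTs per cell subnet ahead of the split-tunnel DROP) can be illustrated without the project's code. The block below is an added example, not the repository's `apply_peer_rules`: `build_forward_rules`, `validate_subnets`, `reachable`, the `ip`/`internet_access` peer fields and the sample subnets are all assumptions, and the rules are returned as iptables argument lists so the ordering logic can be checked offline. It also shows the pre-fix failure: with 10.0.0.0/24 hardcoded, a split-tunnel peer on a 10.42.0.0/24 hub cannot reach its own subnet at all.

```python
"""Hypothetical reconstruction of per-peer FORWARD rules for a WireGuard hub.

Not the project's apply_peer_rules(); the function, field and subnet names
below are assumptions chosen to illustrate the commit message. Rules are
returned as iptables argument lists rather than applied, so no root needed.
"""
import ipaddress

WG_IF = "wg0"  # interface name as used in the commit message (assumed)


def validate_subnets(wg_subnet, cell_subnets):
    """Parse the local VPN subnet and the connected cells' subnets, rejecting a
    cell subnet that overlaps the local one: an overlapping ACCEPT would widen
    what a split-tunnel peer may reach and make routing ambiguous."""
    wg = ipaddress.ip_network(wg_subnet, strict=True)
    cells = [ipaddress.ip_network(c, strict=True) for c in cell_subnets]
    for c in cells:
        if c.overlaps(wg):
            raise ValueError(f"cell subnet {c} overlaps local VPN subnet {wg}")
    return wg, cells


def build_forward_rules(peers, wg_subnet, cell_subnets):
    """Return FORWARD rules for all peers, most specific first.

    peers: iterable of dicts with 'ip' (peer VPN address) and
    'internet_access' (bool). Both field names are assumptions.
    """
    wg, cells = validate_subnets(wg_subnet, cell_subnets)
    rules = []
    for peer in peers:
        addr = ipaddress.ip_address(peer["ip"])
        src = f"{addr}/{addr.max_prefixlen}"  # host route, v4 or v6
        if peer.get("internet_access", False):
            # Full-tunnel peer: anything it sends may be forwarded.
            rules.append(["-A", "FORWARD", "-i", WG_IF, "-s", src, "-j", "ACCEPT"])
            continue
        # Split-tunnel peer: explicit ACCEPTs for the local subnet and each
        # connected cell over the wg0->wg0 path, then DROP everything else.
        for dst in [wg, *cells]:
            rules.append(["-A", "FORWARD", "-i", WG_IF, "-o", WG_IF,
                          "-s", src, "-d", str(dst), "-j", "ACCEPT"])
        rules.append(["-A", "FORWARD", "-i", WG_IF, "-s", src, "-j", "DROP"])
    return rules


def reachable(rules, src_ip, dst_ip, out_if=WG_IF):
    """First-match evaluation of one flow arriving on wg0 against the generated
    rules. Returns True on ACCEPT; unmatched flows fall to an assumed DROP policy."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        opts = dict(zip(r[0::2], r[1::2]))  # every rule is flag/value pairs
        if "-o" in opts and opts["-o"] != out_if:
            continue
        if s not in ipaddress.ip_network(opts["-s"]):
            continue
        if "-d" in opts and d not in ipaddress.ip_network(opts["-d"]):
            continue
        return opts["-j"] == "ACCEPT"
    return False


# Constructed sample data: a hub whose real subnet is not 10.0.0.0/24.
SAMPLE_PEERS = [
    {"ip": "10.42.0.2", "internet_access": False},  # split-tunnel peer
    {"ip": "10.42.0.3", "internet_access": True},   # full-tunnel peer
]
SAMPLE_WG_SUBNET = "10.42.0.0/24"
SAMPLE_CELL_SUBNETS = ["10.43.0.0/24", "10.44.0.0/24"]


def split_tunnel_peer_reaches_cell(wg_subnet=SAMPLE_WG_SUBNET):
    """Can the split-tunnel peer reach a host in a connected cell? Passing the
    hardcoded "10.0.0.0/24" here reproduces the pre-fix behaviour."""
    rules = build_forward_rules(SAMPLE_PEERS, wg_subnet, SAMPLE_CELL_SUBNETS)
    return reachable(rules, "10.42.0.2", "10.43.0.7")


if __name__ == "__main__":
    for r in build_forward_rules(SAMPLE_PEERS, SAMPLE_WG_SUBNET, SAMPLE_CELL_SUBNETS):
        print("iptables", " ".join(r))
```

The ACCEPT rules carry both `-i wg0` and `-o wg0`, so they only admit the hub-to-hub path the commit message names; traffic from the same peer toward any other interface still hits the trailing DROP, which is what keeps `internet_access=False` meaningful after the cell subnets are opened.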
@@ -460,7 +460,8 @@ class NetworkManager(BaseServiceManager):
except Exception as e:
warnings.append(f"dnsmasq domain update failed: {e}")
# 2. Regenerate Corefile using generate_corefile so it always stays consistent
# 2. Regenerate Corefile — include cell-to-cell forwarding stanzas so a
# domain/ip_range change doesn't wipe cross-cell DNS forwarding zones.
try:
import firewall_manager as _fm
corefile = os.path.join(self.config_dir, 'dns', 'Corefile')
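Review bot: the new comment at `# 2. Regenerate Corefile — include cell-to-cell forwarding stanzas so a` explains the wiped-zones problem as a consequence of a domain/ip_range change, while the commit message describes it as a race with the bootstrap DNS thread overwriting the Corefile on startup; state in the comment that this method is also the path that thread takes, so the reason the cell stanzas have to be included here survives in the code rather than only in the commit log.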
@@ -470,7 +471,13 @@ class NetworkManager(BaseServiceManager):
peers = _json.loads(open(peers_file).read()) if os.path.exists(peers_file) else []
except Exception:
peers = []
_fm.generate_corefile(peers, corefile, domain)
cell_links_file = os.path.join(self.data_dir, 'cell_links.json')
try:
import json as _json2
cell_links = _json2.loads(open(cell_links_file).read()) if os.path.exists(cell_links_file) else []
except Exception:
cell_links = []
_fm.generate_corefile(peers, corefile, domain, cell_links=cell_links)
except Exception as e:
warnings.append(f"Corefile domain update failed: {e}")
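Review bot: the inner `except Exception: cell_links = []` silently turns an unreadable or malformed cell_links.json into a Corefile with no cross-cell zones, which is the very outcome this change is meant to prevent; at minimum append to `warnings` as the surrounding handlers do (for example `warnings.append(f"cell_links.json load failed: {e}")`), or skip the regeneration when the file exists but cannot be parsed. Two smaller points in the same hunk: `import json as _json2` duplicates the `_json` alias already used on the `peers = _json.loads(...)` line just above, and `open(cell_links_file).read()` leaves the file handle to the garbage collector; `with open(cell_links_file) as fh: cell_links = _json.load(fh)` covers both.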