roof 1e1bda4679 Fix cross-cell ICMP routing: state-based cell DROP + e2e test ...

The cell catch-all DROP rule blocked all traffic from a connected cell's
subnet, including ESTABLISHED/RELATED packets (ICMP replies, TCP ACKs) for
connections initiated by local VPN peers. This broke ping to the remote
cell's WireGuard IP even when the cell-to-cell tunnel was healthy.

Change the DROP to match only NEW,INVALID connections so established reply
traffic passes through to the stateful ACCEPT rule.

Also adds tests/e2e/wg/test_cell_to_cell_routing.py — an end-to-end test
that brings up a real WireGuard tunnel from the test runner to pic1 and
verifies full cross-cell routing including ICMP ping, API /health, and Caddy.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-05 10:59:11 -04:00

..

config

fix: WireGuard routing, DNS, service access, and UI improvements

2026-04-20 12:43:23 -04:00

routes

fix: cross-cell routing for split-tunnel peers

2026-05-04 14:36:28 -04:00

.coverage

init

2025-09-12 23:04:52 +03:00

API_DOCUMENTATION.md

init

2025-09-12 23:04:52 +03:00

app.py

fix: allow reply traffic from connected cells through FORWARD chain

2026-05-04 15:13:59 -04:00

auth_manager.py

feat: add authentication and authorization system

2026-04-25 15:00:06 -04:00

auth_routes.py

fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

2026-04-27 11:30:21 -04:00

base_service_manager.py

fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

2026-04-27 11:30:21 -04:00

calendar_manager.py

fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

2026-04-27 11:30:21 -04:00

cell_cli.py

init

2025-09-12 23:04:52 +03:00

cell_link_manager.py

Add domain conflict validation when changing domain or accepting heal invite

2026-05-04 09:46:58 -04:00

cell_manager.py

init

2025-09-12 23:04:52 +03:00

config_manager.py

A5: Extract all route groups into Flask blueprints (app.py -1735 lines)

2026-05-01 06:11:21 -04:00

config.py

init

2025-09-12 23:04:52 +03:00

container_manager.py

fix: silent autosave, pending dedup, domain/cell_name pending, containers access

2026-04-24 07:16:13 -04:00

Dockerfile

fix: full-tunnel default, real host routing table, peer config tunnel mode

2026-04-20 15:20:55 -04:00

email_manager.py

fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

2026-04-27 11:30:21 -04:00

enhanced_cli.py

fix: all 214 tests passing (from 36 failures)

2026-04-19 16:43:07 -04:00

file_manager.py

fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

2026-04-27 11:30:21 -04:00

firewall_manager.py

Fix cross-cell ICMP routing: state-based cell DROP + e2e test

2026-05-05 10:59:11 -04:00

ip_utils.py

fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

2026-04-27 11:30:21 -04:00

log_manager.py

fix: spurious health alerts, show rotated logs, clear history button

2026-04-21 03:05:04 -04:00

managers.py

fix(P2): peer add rollback, helper failure recovery, manager extraction (A2/A3/A5)

2026-05-01 05:27:39 -04:00

network_manager.py

fix: cross-cell routing for split-tunnel peers

2026-05-04 14:36:28 -04:00

peer_registry.py

feat: Phase 3 - per-peer internet routing via exit cell

2026-05-01 16:23:31 -04:00

port_registry.py

feat: port conflict validation, autosave on Apply, extended integration tests

2026-04-24 04:45:47 -04:00

requirements.txt

feat: add comprehensive E2E test suite (Playwright + WireGuard + API)

2026-04-25 16:41:13 -04:00

routing_manager.py

feat(cells): fix PIC-to-PIC connection + add service-sharing permissions

2026-05-01 08:35:24 -04:00

service_bus.py

fix for bus

2025-09-13 14:42:32 +03:00

test_enhanced_api.py

wip: make work Services Status

2025-09-13 14:23:31 +03:00

vault_manager.py

fix: full security audit remediation — P0/P1/P2/P3 fixes + 1020 passing tests

2026-04-27 11:30:21 -04:00

wireguard_manager.py

Fix ensure_postup_dnat to strip-and-replace all DNAT rules idempotently

2026-05-04 06:54:20 -04:00