Fix legacy dynamic route NAT missing v6 duplicate

The v6 NAT duplication only triggered for DomainSet destinations (modern DNS path). Legacy dynamic routes use a 0.0.0.0/0 prefix destination, so the v6 NAT rule was never created. Add a Dynamic field to RouterPair so the firewall manager can distinguish dynamic routes from exit nodes (both use /0 prefixes). Set it from route.IsDynamic() in routeToRouterPair and propagate through GetInversePair. Both nftables and iptables managers check pair.Dynamic instead of destination shape. Also accumulate errors in RemoveNatRule so v6 cleanup is attempted even if v4 removal fails.
2026-04-16 07:16:38 +00:00 · 2026-04-10 13:06:14 +02:00
parent 567f36b07e
commit 4b298fb53c
4 changed files with 20 additions and 23 deletions
--- a/client/internal/routemanager/server/server.go
+++ b/client/internal/routemanager/server/server.go
@@ -160,6 +160,7 @@ func routeToRouterPair(route *route.Route, useNewDNSRoute bool) firewall.RouterP
 		Source:      source,
 		Destination: destination,
 		Masquerade:  route.Masquerade,
+		Dynamic:     route.IsDynamic(),
 	}
 }