Fix legacy dynamic route NAT missing v6 duplicate

The legacy DNS resolver path creates NAT pairs with destination 0.0.0.0/0 (a prefix, not a DomainSet). The v6 NAT duplication only triggered for DomainSets, so legacy dynamic routes never got a v6 NAT rule. Extract NeedsV6NATDuplicate and ToV6NatPair helpers that detect both DomainSets and the v4 default wildcard 0.0.0.0/0. Both nftables and iptables managers now use these for Add/RemoveNatRule, ensuring v6 NAT duplication works for both modern and legacy DNS resolver paths.
2026-04-18 08:16:39 +00:00 · 2026-04-10 12:59:35 +02:00
parent 8ddbcf6c5b
commit 567f36b07e
3 changed files with 40 additions and 15 deletions
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -272,10 +272,11 @@ func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 		return err
 	}

-	// Dynamic routes need NAT in both tables
-	if m.hasIPv6() && pair.Destination.IsSet() {
-		v6Pair := pair
-		v6Pair.Source = firewall.Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+	// Dynamic routes need NAT in both tables since resolved IPs can be
+	// either v4 or v6. This covers both DomainSet (modern) and the legacy
+	// wildcard 0.0.0.0/0 destination where the client resolves DNS.
+	if m.hasIPv6() && firewall.NeedsV6NATDuplicate(pair) {
+		v6Pair := firewall.ToV6NatPair(pair)
 		if err := m.router6.AddNatRule(v6Pair); err != nil {
 			return fmt.Errorf("add v6 NAT rule: %w", err)
 		}
@@ -299,9 +300,8 @@ func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 		return err
 	}

-	if m.hasIPv6() && pair.Destination.IsSet() {
-		v6Pair := pair
-		v6Pair.Source = firewall.Network{Prefix: netip.PrefixFrom(netip.IPv6Unspecified(), 0)}
+	if m.hasIPv6() && firewall.NeedsV6NATDuplicate(pair) {
+		v6Pair := firewall.ToV6NatPair(pair)
 		if err := m.router6.RemoveNatRule(v6Pair); err != nil {
 			return fmt.Errorf("remove v6 NAT rule: %w", err)
 		}