From 8ddbcf6c5bbd96705ff37c24dbf539fc79375854 Mon Sep 17 00:00:00 2001
From: Viktor Liu
Date: Fri, 10 Apr 2026 12:50:09 +0200
Subject: [PATCH] Fix dynamic route v6 NAT rule not cleaned up on removal

removeFromServerNetwork and CleanUp hardcoded useNewDNSRoute=false when building the router pair for RemoveNatRule. This meant the destination was a Prefix (0.0.0.0/0) instead of a DomainSet, so the IsSet() branch in RemoveNatRule that removes the v6 duplicate never triggered. The v6 NAT rule leaked until the next full Reset. Store useNewDNSRoute on the Router from UpdateRoutes and use it consistently in removeFromServerNetwork and CleanUp, making add and remove symmetric.
---
 client/internal/routemanager/server/server.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/client/internal/routemanager/server/server.go b/client/internal/routemanager/server/server.go
index d35b44f5b..17bf74a53 100644
--- a/client/internal/routemanager/server/server.go
+++ b/client/internal/routemanager/server/server.go
@@ -21,6 +21,7 @@ type Router struct {
 firewall firewall.Manager
 wgInterface iface.WGIface
 statusRecorder *peer.Status
+ useNewDNSRoute bool
 }
 func NewRouter(ctx context.Context, wgInterface iface.WGIface, firewall firewall.Manager, statusRecorder *peer.Status) (*Router, error) {
@@ -37,6 +38,8 @@ func (r *Router) UpdateRoutes(routesMap map[route.ID]*route.Route, useNewDNSRout
 r.mux.Lock()
 defer r.mux.Unlock()
+ r.useNewDNSRoute = useNewDNSRoute
+
 serverRoutesToRemove := make([]route.ID, 0)
 for routeID := range r.routes {
@@ -91,7 +94,7 @@ func (r *Router) removeFromServerNetwork(route *route.Route) error {
 return r.ctx.Err()
 }
- routerPair := routeToRouterPair(route, false)
+ routerPair := routeToRouterPair(route, r.useNewDNSRoute)
 if err := r.firewall.RemoveNatRule(routerPair); err != nil {
 return fmt.Errorf("remove routing rules: %w", err)
 }
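Review bot: The new struct field `useNewDNSRoute bool` carries no comment, and its meaning is not evident from the name alone: it holds the value passed to the most recent UpdateRoutes call and is read later by the removal paths. A comment such as `// useNewDNSRoute is the flag from the last UpdateRoutes call; written under mux and used to rebuild the router pair on removal.` would document that. The struct begins above the hunk, so any existing field comments are not visible here.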
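Review bot: The value stored by `r.useNewDNSRoute = useNewDNSRoute` in UpdateRoutes is the flag of the current call, not the flag under which each existing route's NAT rule was added, and it is assigned before serverRoutesToRemove is built. If the flag can differ between two UpdateRoutes calls, the removals in removeFromServerNetwork (the -91 hunk) and in CleanUp (the -124 hunk) would presumably build the other kind of router pair again, and the v6 duplicate would remain in the firewall as a stale NAT rule, which is the leak this commit sets out to fix. Recording the flag per route at the time the rule is added, for instance in a `map[route.ID]bool` field that both removal paths read back, would keep add and remove symmetric across a flip, and a regression test that toggles the flag between calls would pin it. The rest of UpdateRoutes lies outside the hunk, so whether routes are re-added when the flag changes cannot be seen here.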
@@ -124,7 +127,7 @@ func (r *Router) CleanUp() {
 defer r.mux.Unlock()
 for _, route := range r.routes {
- routerPair := routeToRouterPair(route, false)
+ routerPair := routeToRouterPair(route, r.useNewDNSRoute)
 if err := r.firewall.RemoveNatRule(routerPair); err != nil {
 log.Errorf("Failed to remove cleanup route: %v", err)
 }