[management] Allocate and preserve IPv6 overlay addresses for embedded proxy peers (#6132)

management/server/types/account.go

@@ -598,28 +598,21 @@ func (a *Account) GetPeerGroups(peerID string) LookupMap {
 	return groupList
 }
 
-// PeerIPv6Allowed reports whether the given peer is in any of the account's IPv6 enabled groups.
+// PeerIPv6Allowed reports whether the given peer participates in the IPv6 overlay.
 // Returns false if IPv6 is disabled or no groups are configured.
 func (a *Account) PeerIPv6Allowed(peerID string) bool {
-	if len(a.Settings.IPv6EnabledGroups) == 0 {
-		return false
-	}
-
-	for _, groupID := range a.Settings.IPv6EnabledGroups {
-		group, ok := a.Groups[groupID]
-		if !ok {
-			continue
-		}
-		if slices.Contains(group.Peers, peerID) {
-			return true
-		}
-	}
-	return false
+	_, ok := a.peerIPv6AllowedSet()[peerID]
+	return ok
 }
 
-// peerIPv6AllowedSet returns a set of peer IDs that belong to any IPv6-enabled group.
+// peerIPv6AllowedSet returns the set of peer IDs that participate in the IPv6 overlay:
+// members of any IPv6-enabled group, plus every embedded proxy peer (which sit outside
+// regular group membership but must reach v6-enabled peers).
 func (a *Account) peerIPv6AllowedSet() map[string]struct{} {
 	result := make(map[string]struct{})
+	if len(a.Settings.IPv6EnabledGroups) == 0 {
+		return result
+	}
 	for _, groupID := range a.Settings.IPv6EnabledGroups {
 		group, ok := a.Groups[groupID]
 		if !ok {
@@ -629,6 +622,11 @@ func (a *Account) peerIPv6AllowedSet() map[string]struct{} {
 			result[peerID] = struct{}{}
 		}
 	}
+	for id, p := range a.Peers {
+		if p != nil && p.ProxyMeta.Embedded {
+			result[id] = struct{}{}
+		}
+	}
 	return result
 }
 

management/server/types/group.go

@@ -92,9 +92,12 @@ func (g *Group) HasPeers() bool {
 	return len(g.Peers) > 0
 }
 
+// GroupAllName is the reserved name of the default group that contains every peer in an account.
+const GroupAllName = "All"
+
 // IsGroupAll checks if the group is a default "All" group.
 func (g *Group) IsGroupAll() bool {
-	return g.Name == "All"
+	return g.Name == GroupAllName
 }
 
 // AddPeer adds peerID to Peers if not present, returning true if added.

management/server/types/ipv6_groups_test.go

@@ -232,3 +232,33 @@ func TestIPv6RecalculationOnGroupChange(t *testing.T) {
 		assert.True(t, account.PeerIPv6Allowed("peer3"), "peer3 now in infra")
 	})
 }
+
+func TestPeerIPv6AllowedEmbeddedProxy(t *testing.T) {
+	account := &Account{
+		Peers: map[string]*nbpeer.Peer{
+			"peer1": {ID: "peer1"},
+			"proxy": {ID: "proxy", ProxyMeta: nbpeer.ProxyMeta{Embedded: true, Cluster: "netbird.test"}},
+		},
+		Groups: map[string]*Group{
+			"group-devs": {ID: "group-devs", Peers: []string{"peer1"}},
+		},
+		Settings: &Settings{},
+	}
+
+	t.Run("embedded proxy allowed when any v6 group exists, without group membership", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = []string{"group-devs"}
+		assert.True(t, account.PeerIPv6Allowed("proxy"), "embedded proxy participates in v6 overlay")
+		assert.True(t, account.PeerIPv6Allowed("peer1"), "regular peer in enabled group still allowed")
+	})
+
+	t.Run("embedded proxy denied when no v6 group enabled", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = nil
+		assert.False(t, account.PeerIPv6Allowed("proxy"), "v6 disabled account-wide denies embedded proxies too")
+	})
+
+	t.Run("non-embedded peer outside any enabled group is not pulled in", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = []string{"group-devs"}
+		account.Peers["lonely"] = &nbpeer.Peer{ID: "lonely"}
+		assert.False(t, account.PeerIPv6Allowed("lonely"), "embedded-proxy bypass must not leak to regular peers")
+	})
+}