Fix "any" firewall rules for unsafe_routes (#1099)

2025-12-08 06:09:49 +00:00 · 2024-03-28 16:17:12 -04:00 · 2024-03-28 16:17:12 -04:00 · 8b68a08723
commit 8b68a08723
parent f8fb9759e9
1 changed files with 3 additions and 1 deletions
--- a/firewall.go
+++ b/firewall.go
@ -876,13 +876,15 @@ func (fr *FirewallRule) match(p firewall.Packet, c *cert.NebulaCertificate) bool
 }

 func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp *net.IPNet) error {
-	if localIp == nil || (localIp != nil && localIp.Contains(net.IPv4(0, 0, 0, 0))) {
+	if localIp == nil {
 		if !f.hasSubnets || f.defaultLocalCIDRAny {
 			flc.Any = true
 			return nil
 		}

 		localIp = f.assignedCIDR
+	} else if localIp.Contains(net.IPv4(0, 0, 0, 0)) {
+		flc.Any = true
 	}

 	flc.LocalCIDR.AddCIDR(localIp, struct{}{})