feat: allowed_subnets for site-to-site/relay (integrates #3, hardened)#4

Merged
bartei merged 7 commits into
mainfrom
feat/allowed-subnets-relay
Jun 26, 2026
Conversation

bartei (Owner) commented Jun 26, 2026

Integrates PR #3 (fherbert) onto current main with fixes applied before merge.

What it adds

Per-device allowed_subnets: routed subnets are appended to the peer's WireGuard allowed-ips, get ip routes via the wg interface, and forward-chain jumps into the user's nftables chain (site-to-site / relay).

Changes vs the original PR

  • Migration rebased onto current head d8b3a1f06e57 — the original branched off b7e2f4a1c903, which would have created two Alembic heads and broken alembic upgrade head on startup.
  • CIDR validation (parse_subnet_list): subnets are validated + normalized before reaching nft/ip route, rejecting non-CIDR input (blocks command injection and stops one bad entry from failing the whole firewall rebuild).
  • Admin-only: the routed-subnets field is removed from the end-user device page; relay config is an admin capability.
  • Dropped the contributor's semantic-release version bump + CHANGELOG (the repo's release process owns versioning).

Tests

  • Unit: 144 passing locally (incl. validation + injection-rejection).
  • Acceptance (e2e, run by CI): admin create-with-subnets, invalid-subnet rejection, and user page has no relay field.

Known follow-up

Removing a subnet from a device leaves a stale ip route (reconcile only adds routes) — carried over from the original PR, not a regression.

Original authorship preserved via the merge parent (fherbert's commits).

semantic-release and others added 7 commits May 9, 2026 18:04
Integrates fherbert's relay-subnet feature (routed subnets -> peer allowed-ips,
ip routes, and forward-chain jumps) with hardening before merge:
- rebase migration onto current head (was branching, causing two alembic heads)
- validate/normalize subnets via parse_subnet_list (rejects non-CIDR, blocks nft injection)
- restrict relay subnets to the admin device page only (removed from user page)
- drop the contributor's semantic-release version bump and CHANGELOG

Route management is now reconcile-style via wireguard.sync_routes: it makes the
interface's relay routes exactly match the DB (adds missing, removes orphans)
and never touches the tunnel networks. Device delete/update and startup
reconcile all route through it, so removing a device or one of its subnets no
longer leaves a stale ip route behind. Shared subnets are preserved.
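The two mechanisms described above, subnet validation before anything reaches nft/ip route and a reconcile-style route sync, as an added illustrative example that is not the project's own code: the function names, the `tunnel_nets` parameter, the argv builder and the sample inputs are assumptions constructed for this example.

```python
import ipaddress
import re

# Hypothetical reconstruction of the pieces this PR describes; the project's
# real parse_subnet_list / sync_routes may differ in signature and behaviour.


def parse_subnet_list(raw: str) -> list[str]:
    """Validate and normalize a comma/whitespace separated subnet list.

    Every token must parse as an IP network, so anything that is not a bare
    CIDR (extra options, shell metacharacters) raises before it can be handed
    to `nft` or `ip route`. Host bits are cleared (10.1.0.1/24 -> 10.1.0.0/24)
    and duplicates dropped, keeping first-seen order.
    """
    out: list[str] = []
    for token in (t for t in re.split(r"[,\s]+", raw.strip()) if t):
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            raise ValueError(f"invalid subnet {token!r}: must be a plain CIDR") from None
        cidr = net.with_prefixlen
        if cidr not in out:
            out.append(cidr)
    return out


def plan_route_sync(desired: list[str], current: list[str],
                    tunnel_nets: list[str]) -> tuple[list[str], list[str]]:
    """Reconcile-style diff: (to_add, to_remove) so the interface's relay routes
    exactly match `desired` (the union of every device's subnets from the DB).

    Tunnel networks are never candidates for removal, and a subnet still wanted
    by any other device stays because it is part of `desired`.
    """
    want = set(parse_subnet_list(",".join(desired)))
    have = set(parse_subnet_list(",".join(current)))
    protected = set(parse_subnet_list(",".join(tunnel_nets)))
    return sorted(want - have), sorted(have - want - protected)


def route_commands(iface: str, to_add: list[str], to_remove: list[str]) -> list[list[str]]:
    """Build argv lists for subprocess.run (no shell); CIDRs were validated above."""
    cmds = [["ip", "route", "replace", cidr, "dev", iface] for cidr in to_add]
    cmds += [["ip", "route", "del", cidr, "dev", iface] for cidr in to_remove]
    return cmds
```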
@bartei bartei merged commit 9a5c09f into main Jun 26, 2026
5 checks passed
@bartei bartei deleted the feat/allowed-subnets-relay branch June 26, 2026 21:05