fix: allow private access to vhost targets on public gateways

2026-03-26 02:11:53 +00:00 · 2026-03-19 00:41:48 -06:00
parent f64c543747
commit 3ef99eca87
1 changed files with 4 additions and 12 deletions
--- a/core/src/net/vhost.rs
+++ b/core/src/net/vhost.rs
@@ -734,19 +734,11 @@ where
        };

        let src = tcp.peer_addr.ip();
-        // Private: source is in a known subnet or is a private IP (e.g. VPN on a different VLAN)
-        let is_public =
-            !ip_info.subnets.iter().any(|s| s.contains(&src)) && !is_private_ip(src);
+        let dst = tcp.local_addr.ip();

-        if is_public {
-            self.public.contains(&gw.id)
-        } else {
-            // Private: accept if connection arrived on an interface with a matching IP
-            ip_info
-                .subnets
-                .iter()
-                .any(|s| self.private.contains(&s.addr()))
-        }
+        self.public.contains(&gw.id)
+            || (self.private.contains(&dst)
+                && (ip_info.subnets.iter().any(|s| s.contains(&src)) || is_private_ip(src)))
    }
    fn acme(&self) -> Option<&AcmeProvider> {
        self.acme.as_ref()