From 3ef99eca8761a33fc1dbc6e5683cfd12da3a71df Mon Sep 17 00:00:00 2001
From: Aiden McClelland
Date: Thu, 19 Mar 2026 00:41:48 -0600
Subject: [PATCH] fix: allow private access to vhost targets on public gateways

---
 core/src/net/vhost.rs | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/core/src/net/vhost.rs b/core/src/net/vhost.rs
index 3e5fae4db..e8b515ac8 100644
--- a/core/src/net/vhost.rs
+++ b/core/src/net/vhost.rs
@@ -734,19 +734,11 @@ where
         };
         let src = tcp.peer_addr.ip();
-        // Private: source is in a known subnet or is a private IP (e.g. VPN on a different VLAN)
-        let is_public =
-            !ip_info.subnets.iter().any(|s| s.contains(&src)) && !is_private_ip(src);
+        let dst = tcp.local_addr.ip();
 
-        if is_public {
-            self.public.contains(&gw.id)
-        } else {
-            // Private: accept if connection arrived on an interface with a matching IP
-            ip_info
-                .subnets
-                .iter()
-                .any(|s| self.private.contains(&s.addr()))
-        }
+        self.public.contains(&gw.id)
+            || (self.private.contains(&dst)
+                && (ip_info.subnets.iter().any(|s| s.contains(&src)) || is_private_ip(src)))
     }
 
     fn acme(&self) -> Option<&AcmeProvider> {
         self.acme.as_ref()
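Review bot: The new three-line predicate drops both explanatory comments and adds none, so a reader can no longer tell that `self.public.contains(&gw.id)` now short-circuits for every source (including ones on a known subnet or with a private IP, which the old code routed through the interface check), while a private gateway is reachable only when the connection's local address `dst` is in `self.private` and the peer is on a known subnet or whatever `is_private_ip` treats as private. I would restore a comment above `self.public.contains(&gw.id)`, e.g. `// Public gateways accept any source; private gateways only when the connection arrived on a private local address and the peer is on a known subnet or a private IP.` It is also worth stating in that comment that `dst` is the accepted socket's local address, so admission no longer depends on any subnet of the interface merely being listed in `self.private`, which tightens the old branch. The enclosing function starts before this hunk, so how `ip_info` and `gw` are derived is not visible here.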