mirror of
https://github.com/Start9Labs/start-os.git
synced 2026-03-31 04:23:40 +00:00
The POSTROUTING MASQUERADE rules in forward-port failed to handle two hairpin scenarios:

1. Host-to-target hairpin (OUTPUT DNAT): when sip is a WAN IP (tunnel case), the old rule matched `-s sip` but the actual source of locally-originated packets is a local interface IP, not the WAN IP. Fix: use `-m addrtype --src-type LOCAL -m conntrack --ctorigdst sip` to match any local source while tying the rule to the specific sip.

2. Same-subnet self-hairpin (PREROUTING DNAT): when a WireGuard peer connects to itself via the tunnel's public IP, traffic is DNAT'd back to the peer. Without MASQUERADE the response takes a loopback shortcut, bypassing the tunnel server's conntrack and breaking NAT reversal. Fix: add `-s dip/dprefix -d dip` to masquerade same-subnet traffic, which also subsumes the old bridge_subnet rule.

Also bind the hairpin detection socket to the gateway interface and local IP for consistency with the echoip client.
StartOS Backend
- Requirements:
  - Install Rust
  - Recommended: rust-analyzer
  - Docker
Structure
- `startos`: This contains the core library for StartOS that supports building `startbox`.
- `helpers`: This contains utility functions used across both `startos` and `js-engine`
- `models`: This contains types that are shared across `startos`, `js-engine`, and `helpers`
Artifacts
The StartOS backend is packed into a single binary startbox that is symlinked under
several different names for different behavior:
- `startd`: This is the main daemon of StartOS
- `start-cli`: This is a CLI tool that will allow you to issue commands to `startd` and control it similarly to the UI
- `start-sdk`: This is a CLI tool that aids in building and packaging services you wish to deploy to StartOS
Documentation
- ARCHITECTURE.md — Backend architecture, modules, and patterns
- CONTRIBUTING.md — How to contribute to core