v0.5.18: drop dangerous INPUT DROP rule that broke WolfRouter subnet routing

Paul C · Paul C · commit 4684aad7c4a4 · 2026-04-27T22:16:20.000+01:00
klasSponsor (2026-04-27) confirmed an `iptables -A INPUT -i &lt;ext&gt; -d
&lt;wolfnet-subnet&gt; -j DROP` rule installed by enable_gateway() was
breaking WolfRouter subnet routing on multiple nodes. The rule's
intent ("block all other inbound traffic to wolfnet — truly private")
turned out to be cargo-cult: a packet on ext_iface destined for a
CGNAT address can only reach INPUT if that IP is local (i.e. the
host's own wolfnet0), and the public internet can't legitimately route
RFC1918/CGNAT addresses anyway. WolfNet privacy comes from the
encrypted overlay, not from this filter.

- Stop adding the rule in enable_gateway().
- Proactively delete up to 4 stale copies on every gateway start so
  existing nodes get cleaned up at the next WolfNet restart after
  upgrade.
- disable_gateway()'s -D was already there; left untouched.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "wolfnet"
-version = "0.5.17"
+version = "0.5.18"
 edition = "2021"
 authors = ["Wolf Software Systems Ltd"]
 description = "Secure private mesh networking over the internet"
diff --git a/src/gateway.rs b/src/gateway.rs
@@ -66,15 +66,37 @@ pub fn enable_gateway(wolfnet_interface: &str, subnet: &str) -> Result<(), Box<d
         warn!("iptables FORWARD rule (in) may have failed");
     }
 
-    // Block all other inbound traffic to wolfnet (truly private)
-    let status = std::process::Command::new("iptables")
-        .args(["-A", "INPUT", "-i", &ext_iface, "-d", subnet, "-j", "DROP"])
-        .status()?;
-    if !status.success() {
-        warn!("iptables INPUT DROP rule may have failed");
+    // Removed in 0.5.18: an `-A INPUT -i <ext> -d <subnet> -j DROP` rule
+    // used to live here under the banner "Block all other inbound traffic
+    // to wolfnet (truly private)". klasSponsor (2026-04-27) confirmed it
+    // was breaking WolfRouter subnet routing on multiple nodes — peers'
+    // packets and replies that legitimately transited via the WolfNet
+    // CGNAT range were getting dropped depending on the path.
+    //
+    // The rule also wasn't actually defending anything: a packet on the
+    // WAN destined for an RFC1918/CGNAT IP can only reach INPUT if that
+    // IP is local to this host (i.e. its wolfnet0 address) — and packets
+    // from the public internet to a host's wolfnet0 IP can't actually
+    // arrive without spoofing or a misrouted upstream, neither of which
+    // the rule meaningfully mitigates. WolfNet privacy comes from the
+    // encrypted overlay itself, not from filtering at the gateway's
+    // INPUT chain.
+    //
+    // Belt-and-braces: proactively delete any copy of the old rule that's
+    // still installed on existing nodes from previous releases, so an
+    // upgrade-and-restart of WolfNet quietly cleans them up. Repeated
+    // -D runs handle the case where multiple copies got appended on
+    // earlier daemon reloads.
+    for _ in 0..4 {
+        let status = std::process::Command::new("iptables")
+            .args(["-D", "INPUT", "-i", &ext_iface, "-d", subnet, "-j", "DROP"])
+            .status();
+        match status {
+            Ok(s) if s.success() => continue, // deleted one, try again
+            _ => break,                       // none left (or iptables missing)
+        }
     }
 
-
     Ok(())
 }
 
