From f712d77642bbb8c131f64655353e0cac78ceb09e Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Sun, 21 May 2023 18:06:18 +0000
Subject: [PATCH] fix(firewall): prevent IP family mix in `acceptOutputFromIPToSubnet`

---
 internal/firewall/iptables.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/internal/firewall/iptables.go b/internal/firewall/iptables.go
index 495ef5d1..b6bd290c 100644
--- a/internal/firewall/iptables.go
+++ b/internal/firewall/iptables.go
@@ -157,6 +157,13 @@ func (c *Config) acceptOutputTrafficToVPN(ctx context.Context,
 func (c *Config) acceptOutputFromIPToSubnet(ctx context.Context, intf string,
 sourceIP netip.Addr, destinationSubnet netip.Prefix, remove bool) error {
 doIPv4 := sourceIP.Is4() && destinationSubnet.Addr().Is4()
+ doIPv6 := sourceIP.Is6() && destinationSubnet.Addr().Is6()
+ if !doIPv4 && !doIPv6 {
+ c.logger.Debug(fmt.Sprintf(
+ "source IP address %s and destination subnet %s are not of the same IP family, skipping...",
+ sourceIP, destinationSubnet))
+ return nil
+ }
 interfaceFlag := "-o " + intf
 if intf == "*" { // all interfaces