From 36bbc515d2df2e652cfd7270cb3e70aee1d30e8d Mon Sep 17 00:00:00 2001
From: JackDoan
Date: Wed, 4 Mar 2026 12:33:16 -0600
Subject: [PATCH] log if UnsafeNetworks assignment changes across reload

---
 pki.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pki.go b/pki.go
index 5744e5af..3deb0fe7 100644
--- a/pki.go
+++ b/pki.go
@@ -102,7 +102,7 @@ func (p *PKI) reloadCerts(c *config.C, initial bool) *util.ContextualError {
 if currentState.v1Cert == nil {
 //adding certs is fine, actually. Networks-in-common confirmed in newCertState().
 } else {
- // did IP in cert change? if so, don't set
+ // did IP in cert change? if so, don't set. If we ever allow this, need to set p.firewallReloadNeeded
 if !slices.Equal(currentState.v1Cert.Networks(), newState.v1Cert.Networks()) {
 return util.NewContextualError(
 "Networks in new cert was different from old",
@@ -158,6 +158,14 @@ func (p *PKI) reloadCerts(c *config.C, initial bool) *util.ContextualError {
 }
 }
+ newUN := newState.GetDefaultCertificate().UnsafeNetworks()
+ oldUN := currentState.GetDefaultCertificate().UnsafeNetworks()
+ if !slices.Equal(newUN, oldUN) {
+ //todo I don't love this, because other clients will see the new assignments and act on them, but we will not be able to.
+ //I think we need to wire this into the firewall reload.
+ p.l.WithFields(m{"previous": oldUN, "new": newUN}).Warning("UnsafeNetworks assignments differ. A restart is required in order for this to take effect.")
+ }
+
 // Cipher cant be hot swapped so just leave it at what it was before
 newState.cipher = currentState.cipher
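Review bot: The new UnsafeNetworks comparison only emits a Warning and then lets the reload continue with newState, whereas the Networks() mismatch in the first hunk rejects the reload with util.NewContextualError; after this reload the node presents unsafe-network claims to peers that its own routing and firewall still do not honor, which the todo comment acknowledges. Until the firewall-reload wiring exists, the safer consistent behaviour is to reject the change the same way the Networks() check does (returning a util.NewContextualError with the `"previous"`/`"new"` fields) or to set the `p.firewallReloadNeeded` flag named in the comment above, if that field exists — worth confirming rather than installing a cert the local policy cannot enforce. `slices.Equal` is order-sensitive, so the same prefixes listed in a different order will also trigger the warning; compare sorted clones if that is not intended. Only the default certificate is compared, so if both a v1 and a v2 cert are loaded the non-default one's unsafe networks could presumably change without any log line. reloadCerts starts before and continues after this hunk.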