From 37abdd7f96fe7fdc2015bc2b51aef5cca00bd89c Mon Sep 17 00:00:00 2001 From: JackDoan Date: Tue, 17 Feb 2026 15:15:10 -0600 Subject: [PATCH] it works again but linux is pickier than I thought, I need to refactor even more --- firewall.go | 4 +++- overlay/tun_linux.go | 23 +++++++++++++++++------ 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/firewall.go b/firewall.go index 58dea318..f5137946 100644 --- a/firewall.go +++ b/firewall.go @@ -356,7 +356,9 @@ func (f *Firewall) GetRuleHashes() string { func (f *Firewall) SetSNATAddressFromInterface(i *Interface) { //address-mutation-avoidance is done inside Interface, the firewall doesn't need to care //todo should snatted conntracks get expired out? Probably not needed until if/when we allow reload - f.snatAddr = i.inside.SNATAddress().Addr() + if f.hasUnsafeNetworks { //todo this logic??? + f.snatAddr = i.inside.SNATAddress().Addr() + } } func (f *Firewall) ShouldUnSNAT(fp *firewall.Packet) bool { diff --git a/overlay/tun_linux.go b/overlay/tun_linux.go index 0f3bec96..0382c3e2 100644 --- a/overlay/tun_linux.go +++ b/overlay/tun_linux.go @@ -329,7 +329,7 @@ func (t *tun) addIPs(link netlink.Link) error { } } - if t.snatAddr.IsValid() && len(t.vpnNetworks) > 0 { //TODO unsafe-routers should be able to snat and be snatted + if t.snatAddr.IsValid() && len(t.unsafeNetworks) == 0 { //TODO unsafe-routers should be able to snat and be snatted newAddrs = append(newAddrs, &netlink.Addr{ IPNet: &net.IPNet{ IP: t.snatAddr.Addr().AsSlice(), 
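Review bot: The new guard in SetSNATAddressFromInterface leaves f.snatAddr untouched whenever hasUnsafeNetworks is false, and the `//todo this logic???` marker is the only explanation of why the SNAT address is a router-only property on the firewall side while the tun side binds it only on hosts without unsafe networks. If that router/host split is intended, the invariant should be written down where ShouldUnSNAT (outside this hunk) depends on it, e.g. replace the todo with `// only unsafe-network routers SNAT; plain hosts never hold a SNAT address here, so ShouldUnSNAT must treat an invalid snatAddr as "no"`. Consider a guard clause, `if !f.hasUnsafeNetworks { return }`, so the no-op path is explicit rather than buried in a conditional, and confirm that ShouldUnSNAT tolerates the zero netip.Addr it will now see on non-routers.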
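Review bot: The rewritten condition in addIPs drops the `len(t.vpnNetworks) > 0` check entirely rather than adding to it, so a tun whose snatAddr is valid but whose vpnNetworks is empty would now have the SNAT address bound; if that state is unreachable, a comment saying so is cheaper than the dropped guard, otherwise keep both terms. The same `len(t.unsafeNetworks) == 0` / `!= 0` test now appears in addIPs, Activate and addRoutes in this patch, and the firewall carries a separate hasUnsafeNetworks bool; a single named predicate on the tun, e.g. `func (t *tun) isUnsafeRouter() bool { return len(t.unsafeNetworks) != 0 }`, would make the router/host split legible and keep the three sites from drifting apart. The retained `//TODO unsafe-routers should be able to snat and be snatted` no longer describes what the line does and should be reworded to state the current rule. addIPs starts and ends outside this hunk.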
@@ -431,11 +431,11 @@ func (t *tun) Activate() error { } } //TODO snat and be snatted - //if t.snatAddr.IsValid() { - // if err = t.setDefaultRoute(t.snatAddr); err != nil { - // return fmt.Errorf("failed to set default route MTU for %s: %w", t.snatAddr, err) - // } - //} + if t.snatAddr.IsValid() && len(t.unsafeNetworks) == 0 { + if err = t.setDefaultRoute(t.snatAddr); err != nil { + return fmt.Errorf("failed to set default route MTU for %s: %w", t.snatAddr, err) + } + } // Set the routes if err = t.addRoutes(false); err != nil { @@ -448,6 +448,14 @@ func (t *tun) Activate() error { return fmt.Errorf("failed to run tun device: %s", err) } + //todo hmmmmmm + if len(t.unsafeNetworks) != 0 { + err = os.WriteFile(fmt.Sprintf("/proc/sys/net/ipv4/conf/%s/accept_local", t.Device), []byte("1"), os.FileMode(0o644)) + if err != nil { + return err + } + } + return nil } @@ -556,6 +564,9 @@ func (t *tun) addRoutes(logErrors bool) error { } } + if len(t.unsafeNetworks) == 0 { + return nil + } return t.setSnatRoute() }
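Review bot: The error text on the re-enabled setDefaultRoute call says "failed to set default route MTU", which appears to have been carried over from the commented-out block rather than describing the call; unless setDefaultRoute (outside this hunk) really only adjusts the MTU of an existing default route, it should read `return fmt.Errorf("failed to set default route for %s: %w", t.snatAddr, err)`. Installing a default route through the tun on every host that has a SNAT address and no unsafe networks changes where all of that host's non-overlay traffic goes, so a one-line comment stating that this is the intended behaviour for SNAT clients would help the next reader. Activate continues past the end of this hunk.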
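Review bot: The accept_local write in Activate weakens the kernel's source-address validation on the tun (it tells the kernel to accept packets arriving on the device whose source is one of this host's own addresses, which rp_filter would otherwise drop), it is never reverted when the tun is closed, and it is flagged only with `//todo hmmmmmm`; the comment should state the actual reason, presumably that SNAT-returned traffic carries a locally assigned source address, so that the loosening is deliberate and reviewable. The bare `return err` drops the path and the device name; use `return fmt.Errorf("failed to enable accept_local on %s: %w", t.Device, err)` so a failure is attributable, which matters because the sysctl is written after the device is already running and a silent failure would leave the node in a half-configured state. Also note the knob is IPv4-only (`/proc/sys/net/ipv4/...`); if snatAddr can be an IPv6 address there is no equivalent here, so either guard the write on the address family or document that SNAT is IPv4-only on Linux. The 0o644 mode is ignored for an existing procfs entry and can be any value; it is harmless but misleading.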
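Review bot: The early return added to addRoutes skips setSnatRoute on hosts without unsafe networks but gives no reason, while addIPs in the same patch does the opposite (binds the SNAT address only when there are no unsafe networks); a reader meeting either site alone cannot tell the two are halves of one design. A comment on the new guard, e.g. `// only unsafe-network routers install the SNAT route; plain hosts bind the SNAT address in addIPs instead`, would tie them together, assuming that split is what is intended. The logErrors parameter is not consulted for the setSnatRoute path, so if setSnatRoute (outside this hunk) can fail on reload it will be reported differently from the routes above it; worth confirming. addRoutes starts outside this hunk.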