From 4e6823f26487106520e2ae0917e5a3796144c291 Mon Sep 17 00:00:00 2001
From: Krzysztof Nazarewski <3494992+nazarewk@users.noreply.github.com>
Date: Tue, 6 Dec 2022 13:40:01 +0100
Subject: [PATCH] HA Network Routes: prevent routing directly-accessible networks through VPN interface

fixes: https://github.com/netbirdio/netbird/issues/598
---
 client/internal/routemanager/client.go | 5 +++--
 client/internal/routemanager/manager.go | 16 ++++++++++++----
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/client/internal/routemanager/client.go b/client/internal/routemanager/client.go
index 263c7c3e633..4c022ef46fb 100644
--- a/client/internal/routemanager/client.go
+++ b/client/internal/routemanager/client.go
@@ -3,12 +3,13 @@ package routemanager
 import (
 	"context"
 	"fmt"
+	"net/netip"
+
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
 	log "github.com/sirupsen/logrus"
-	"net/netip"
 )
 
 type routerPeerStatus struct {
@@ -52,7 +53,7 @@ func newClientNetworkWatcher(ctx context.Context, wgInterface *iface.WGIface, st
 	return client
 }
 
-func getClientNetworkID(input *route.Route) string {
+func getHANetworkID(input *route.Route) string {
 	return input.NetID + "-" + input.Network.String()
 }
 
diff --git a/client/internal/routemanager/manager.go b/client/internal/routemanager/manager.go
index 4527ae0cbfc..a8f0844ca5e 100644
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -3,13 +3,14 @@ package routemanager
 import (
 	"context"
 	"fmt"
+	"runtime"
+	"sync"
+
 	"github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
 	log "github.com/sirupsen/logrus"
-	"runtime"
-	"sync"
 )
 
 // Manager is a route manager interface
@@ -147,10 +148,17 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro
 	newClientRoutesIDMap := make(map[string][]*route.Route)
 	newServerRoutesMap := make(map[string]*route.Route)
+	ownNetworkIDs := make(map[string]bool)
 
 	for _, newRoute := range newRoutes {
-		// only linux is supported for now
 		if newRoute.Peer == m.pubKey {
+			ownNetworkIDs[getHANetworkID(newRoute)] = true
+		}
+	}
+
+	for _, newRoute := range newRoutes {
+		if ownNetworkIDs[getHANetworkID(newRoute)] {
+			// only linux is supported for now
 			if runtime.GOOS != "linux" {
 				log.Warnf("received a route to manage, but agent doesn't support router mode on %s OS", runtime.GOOS)
 				continue
@@ -164,7 +172,7 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro
 				system.NetbirdVersion(), newRoute.Network)
 			continue
 		}
-		clientNetworkID := getClientNetworkID(newRoute)
+		clientNetworkID := getHANetworkID(newRoute)
 		newClientRoutesIDMap[clientNetworkID] = append(newClientRoutesIDMap[clientNetworkID], newRoute)
 	}
 }
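Review bot: The new `if ownNetworkIDs[getHANetworkID(newRoute)]` test in the second loop routes every route sharing a NetID+Network with one this peer serves into the router branch, including routes whose `Peer` is another HA member, whereas the replaced `newRoute.Peer == m.pubKey` test only matched this peer's own routes. Keeping those sibling routes out of the client set is the point of the commit, but on Linux they now fall through to the server-route handling that sits between the two hunks; if that code registers them by route ID (not visible here), the agent would manage another peer's route as its own, and on other OSes the "received a route to manage" warning fires once per sibling route rather than once per own route. Inserting `if newRoute.Peer != m.pubKey { continue }` directly after the `ownNetworkIDs` check keeps the client-side skip while leaving the server branch to this peer's routes only, and `networkID := getHANetworkID(newRoute)` computed once at the top of the loop would avoid the duplicated call at the bottom of the third hunk. A comment above the first loop, `// networks this peer routes itself: never install another HA member's route to them via the tunnel`, would record why the two passes exist. UpdateRoutes starts before this hunk and its server-route handling continues outside it.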