From e806d9de38a41016d2e1a519f88cf8bbf2f3ba44 Mon Sep 17 00:00:00 2001
From: Viktor Liu <17948409+lixmal@users.noreply.github.com>
Date: Wed, 21 May 2025 13:48:55 +0200
Subject: [PATCH] [client] Fix legacy routes when connecting to management servers older than v0.30.0 (#3854)
---
 client/internal/acl/manager.go | 6 ------
 client/internal/engine.go | 8 ++++++++
 2 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/client/internal/acl/manager.go b/client/internal/acl/manager.go
index 6fa35d5c2..a6316d7a2 100644
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -76,12 +76,6 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 d.applyPeerACLs(networkMap)
- // If we got empty rules list but management did not set the networkMap.FirewallRulesIsEmpty flag,
- // then the mgmt server is older than the client, and we need to allow all traffic for routes
- isLegacy := len(networkMap.RoutesFirewallRules) == 0 && !networkMap.RoutesFirewallRulesIsEmpty
- if err := d.firewall.SetLegacyManagement(isLegacy); err != nil {
- log.Errorf("failed to set legacy management flag: %v", err)
- }
 if err := d.applyRouteACLs(networkMap.RoutesFirewallRules, dnsRouteFeatureFlag); err != nil {
 log.Errorf("Failed to apply route ACLs: %v", err)
diff --git a/client/internal/engine.go b/client/internal/engine.go
index eefd28225..7c501e5aa 100644
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -978,6 +978,14 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 log.Errorf("failed to update local IPs: %v", err)
 }
 }
+
+ // If we got empty rules list but management did not set the networkMap.FirewallRulesIsEmpty flag,
+ // then the mgmt server is older than the client, and we need to allow all traffic for routes.
+ // This needs to be toggled before applying routes.
+ isLegacy := len(networkMap.RoutesFirewallRules) == 0 && !networkMap.RoutesFirewallRulesIsEmpty
+ if err := e.firewall.SetLegacyManagement(isLegacy); err != nil {
+ log.Errorf("failed to set legacy management flag: %v", err)
+ }
 }
 dnsRouteFeatureFlag := toDNSFeatureFlag(networkMap)
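Review bot: The legacy decision added here fails open without leaving a trace: `isLegacy` becomes true whenever `RoutesFirewallRules` is empty and `RoutesFirewallRulesIsEmpty` is unset, which per the comment allows all routed traffic, yet nothing in this hunk logs that the mode was switched on. I would record it before the call, e.g. `if isLegacy { log.Warnf("no route firewall rules and no empty-rules flag from management; allowing all routed traffic (legacy mode)") }`, so an unexpected switch to allow-all is visible to operators. The comment also names `networkMap.FirewallRulesIsEmpty` while the condition tests `networkMap.RoutesFirewallRulesIsEmpty`; it should name the field that is actually checked. A failed `SetLegacyManagement` is only logged, so routes are presumably applied afterwards under the previous legacy state even though the comment says the toggle must come first; it is worth deciding whether that case should return the error instead. The enclosing block and the rest of `updateNetworkMap` lie outside the hunk.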