client: revert auto-allocate IP on connect when behind NAT (#3861)#3870
Merged
Conversation
The RFC1918 default-route heuristic misfires on hosts behind 1:1 NAT (e.g. the chi-dn QA hosts), where plain IBRL works. The auto-flip silently changes the user type to IBRLWithAllocatedIP and broke devnet QA unicast connectivity. Revert until the detection can distinguish 1:1 NAT from address-translating NAT. This reverts commit 105d903.
elitegreg
approved these changes
Jun 10, 2026
Merged
elitegreg
pushed a commit
that referenced
this pull request
Jun 10, 2026
## Summary of Changes - Version bump to 0.27.1 for a standalone patch release carrying the revert of the NAT auto-allocate behavior (#3861, reverted in #3870). - Moves the revert note from Unreleased into a v0.27.1 changelog section. ## Testing Verification - Cargo.lock regenerated via `cargo update --workspace`; same 13/13 line shape as the 0.27.0 bump.
ben-dz
added a commit
that referenced
this pull request
Jun 10, 2026
## Summary of Changes - Skip the e2e and shreds-e2e suites on PRs where the suites add no signal — version bumps and docs/RFC-only changes — so they don't burn ~20 minutes of self-hosted runner time building images and running the full suite. - A new gate step in each workflow's `setup` job inspects the PR's changed files via the API. A PR qualifies only if every file is either markdown (`*.md`, any path; renames/copies must come from markdown too, since a rename also deletes the source path) or `Cargo.toml`/`Cargo.lock` with diffs touching nothing but `version = "..."` lines, with the two Cargo files changing together. A dependency bump fails the check — `cargo update` changes Cargo.lock checksum/source lines, an inline requirement change in Cargo.toml doesn't match the version-line shape, and a requirement change that leaves the lock untouched fails the pairing rule — as does any code file or an API-truncated patch. All of those fall through to a normal e2e run. Markdown is verified inert: no `.md` files are used as test fixtures, embedded via `include_str!`, or read by e2e code. - Because the gated matrix jobs never create their shard check runs, the gate reports the required `e2e (shard 1-5)` / `shard-e2e (shard 1-4)` contexts as successful on the PR head via the checks API (same pattern the trusted fork-PR flow already uses), so branch protection doesn't block the merge. - The gate runs only on same-repo `pull_request` events; fork PRs, pushes to main/hotfix, and trusted `workflow_dispatch` runs are unaffected. Any gate error fails open to running e2e. ## Diff Breakdown | Category | Files | Lines (+/-) | Net | |--------------|-------|-------------|------| | Config/build | 2 | +152 / -0 | +152 | Workflow-only change; the same gate logic is added to both e2e workflows. <details> <summary>Key files (click to expand)</summary> - `.github/workflows/e2e.yml` — skip-gate step + early exit in the existing `run-e2e` gate; reports `e2e (shard 1-5)` checks when skipping - `.github/workflows/shreds-e2e.yml` — same gate; reports `shard-e2e (shard 1-4)` checks when skipping </details> ## Testing Verification - Ran the gate's file-classification logic (extracted verbatim into a node harness) against real PR data: #3874 (0.27.1 version bump) correctly classifies as skippable; #3870 (code change) correctly runs e2e. - Synthetic dependency-bump cases all run e2e: `cargo update`-shaped Cargo.lock diff (checksum lines); dependency requirement change in Cargo.toml, both inline and multi-line-table form with the lock untouched; lock-only version-line change. - Synthetic markdown cases: new RFC added, RFC+README edits, markdown deleted, markdown renamed from markdown, and version bump + RFC edit all skip; markdown plus a code file, a file renamed from `.rs` to `.md`, and a Cargo.lock with an API-omitted patch all run e2e. - `actionlint` passes on both workflows.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary of Changes
105d9035):doublezero connect ibrlno longer auto-flips toIBRLWithAllocatedIPwhen the daemon's default-route source is an RFC1918 address.dz_ip, and devnet QATestQA_MultiTunnel/unicast_connectivityfailed deterministically (route waits expect public-IP routes).behind_natfield from the daemon's/v2/statusresponse and the CLI's NAT-aware connect path; explicit-a/--client-ipbehavior is unchanged.Diff Breakdown
Pure revert: net -306 lines, mostly removing the NAT-detection logic and its tests.
Key files (click to expand)
client/doublezero/src/command/connect.rs— remove the behind-NAT auto-allocate decision and its testsclient/doublezerod/internal/runtime/clientip.go—DiscoverClientIPno longer reportsbehindNAT; restores the pre-client: auto-allocate IP on connect when behind NAT #3861 signatureTesting Verification
cargo test -p doublezero: 145 tests pass (includes the connect command suite the revert touches).go test ./client/doublezerod/internal/runtime/... ./client/doublezerod/internal/manager/...: pass.make rust-lintclean in the dev container.connect.rsafterward; onlyCHANGELOG.mdneeded manual resolution (v0.27.0 section kept as shipped history, revert noted under Unreleased).