From 8b68a087230fb5b9cba7b71bb4609592ed79be32 Mon Sep 17 00:00:00 2001
From: John Maguire
Date: Thu, 28 Mar 2024 16:17:12 -0400
Subject: [PATCH] Fix "any" firewall rules for unsafe_routes (#1099)
---
 firewall.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/firewall.go b/firewall.go
index cf2bc52..b5d79d6 100644
--- a/firewall.go
+++ b/firewall.go
@@ -876,13 +876,15 @@ func (fr *FirewallRule) match(p firewall.Packet, c *cert.NebulaCertificate) bool
 }
 func (flc *firewallLocalCIDR) addRule(f *Firewall, localIp *net.IPNet) error {
- if localIp == nil || (localIp != nil && localIp.Contains(net.IPv4(0, 0, 0, 0))) {
+ if localIp == nil {
 if !f.hasSubnets || f.defaultLocalCIDRAny {
 flc.Any = true
 return nil
 }
 localIp = f.assignedCIDR
+ } else if localIp.Contains(net.IPv4(0, 0, 0, 0)) {
+ flc.Any = true
 }
 flc.LocalCIDR.AddCIDR(localIp, struct{}{})