feat: support allocating public IPv6 addresses from a provider (#2162 )

* feat: support allocating public IPv6 addresses from a provider Add a provider/leaser architecture for public IPv6 address allocation between nodes in the same network: - A node with `--ipv6-public-addr-provider` advertises a delegable public IPv6 prefix (auto-detected from kernel routes or manually configured via `--ipv6-public-addr-prefix`). - Other nodes with `--ipv6-public-addr-auto` request a /128 lease from the selected provider via a new RPC service (PublicIpv6AddrRpc). - Leases have a 30s TTL, renewed every 10s by the client routine. - The provider allocates addresses deterministically from its prefix using instance-UUID-based hashing to prefer stable assignments. - Routes to peer leases are installed on the TUN device, and each client's own /128 is assigned as its IPv6 address. Also includes netlink IPv6 route table inspection, integration tests, and event-driven route/address reconciliation. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-13 17:35:37 +00:00 · 2026-04-26 21:37:34 +08:00
12 changed files with 407 additions and 65 deletions
@@ -202,6 +202,7 @@ pub struct GlobalCtx {
    cached_ipv4: AtomicCell<Option<cidr::Ipv4Inet>>,
    cached_ipv6: AtomicCell<Option<cidr::Ipv6Inet>>,
    public_ipv6_lease: AtomicCell<Option<cidr::Ipv6Inet>>,
    cached_proxy_cidrs: AtomicCell<Option<Vec<ProxyNetworkConfig>>>,
    ip_collector: Mutex<Option<Arc<IPCollector>>>,
@@ -298,6 +299,7 @@ impl GlobalCtx {
            event_bus,
            cached_ipv4: AtomicCell::new(None),
            cached_ipv6: AtomicCell::new(None),
            public_ipv6_lease: AtomicCell::new(None),
            cached_proxy_cidrs: AtomicCell::new(None),
            ip_collector: Mutex::new(Some(Arc::new(IPCollector::new(
@@ -385,6 +387,22 @@ impl GlobalCtx {
        self.cached_ipv6.store(None);
    }
    pub fn get_public_ipv6_lease(&self) -> Option<cidr::Ipv6Inet> {
        self.public_ipv6_lease.load()
    }
    pub fn set_public_ipv6_lease(&self, addr: Option<cidr::Ipv6Inet>) {
        self.public_ipv6_lease.store(addr);
    }
    pub fn is_ip_local_ipv6(&self, ip: &std::net::Ipv6Addr) -> bool {
        self.get_ipv6().map(|x| x.address() == *ip).unwrap_or(false)
            || self
                .get_public_ipv6_lease()
                .map(|x| x.address() == *ip)
                .unwrap_or(false)
    }
    pub fn get_advertised_ipv6_public_addr_prefix(&self) -> Option<cidr::Ipv6Cidr> {
        *self.advertised_ipv6_public_addr_prefix.lock().unwrap()
    }
@@ -413,7 +431,7 @@ impl GlobalCtx {
    pub fn is_ip_local_virtual_ip(&self, ip: &IpAddr) -> bool {
        match ip {
            IpAddr::V4(v4) => self.get_ipv4().map(|x| x.address() == *v4).unwrap_or(false),
-            IpAddr::V6(v6) => self.get_ipv6().map(|x| x.address() == *v6).unwrap_or(false),
+            IpAddr::V6(v6) => self.is_ip_local_ipv6(v6),
        }
    }
@@ -663,23 +681,23 @@ impl GlobalCtx {
    pub fn should_deny_proxy(&self, dst_addr: &SocketAddr, is_udp: bool) -> bool {
        let _g = self.net_ns.guard();
        let ip = dst_addr.ip();
-        // first check if ip is virtual ip
+        // first check if ip is an EasyTier-managed local address
        // then try bind this ip, if succ means it is local ip
-        let dst_is_local_virtual_ip = self.is_ip_local_virtual_ip(&ip);
+        let dst_is_local_et_ip = self.is_ip_local_virtual_ip(&ip);
        // this is an expensive operation, should be called sparingly
        // 1. tcp/kcp/quic call this only after proxy conn is established
        // 2. udp cache the result in nat entry
        let dst_is_local_phy_ip = std::net::UdpSocket::bind(format!("{}:0", ip)).is_ok();
        tracing::trace!(
-            "check should_deny_proxy: dst_addr={}, dst_is_local_virtual_ip={}, dst_is_local_phy_ip={}, is_udp={}",
+            "check should_deny_proxy: dst_addr={}, dst_is_local_et_ip={}, dst_is_local_phy_ip={}, is_udp={}",
            dst_addr,
-            dst_is_local_virtual_ip,
+            dst_is_local_et_ip,
            dst_is_local_phy_ip,
            is_udp
        );
-        if dst_is_local_virtual_ip || dst_is_local_phy_ip {
+        if dst_is_local_et_ip || dst_is_local_phy_ip {
            // if is local ip, make sure the port is not one of the listening ports
            self.is_port_in_running_listeners(dst_addr.port(), is_udp)
                || (!is_udp && protected_port::is_protected_tcp_port(dst_addr.port()))
@@ -808,6 +826,40 @@ pub mod tests {
        protected_port::clear_protected_tcp_ports_for_test();
    }
    #[tokio::test]
    async fn virtual_ipv6_and_public_ipv6_lease_are_stored_separately() {
        let config = TomlConfigLoader::default();
        let global_ctx = GlobalCtx::new(config);
        let virtual_ipv6 = "fd00::1/64".parse().unwrap();
        let public_ipv6 = "2001:db8::2/64".parse().unwrap();
        global_ctx.set_ipv6(Some(virtual_ipv6));
        global_ctx.set_public_ipv6_lease(Some(public_ipv6));
        assert_eq!(global_ctx.get_ipv6(), Some(virtual_ipv6));
        assert_eq!(global_ctx.get_public_ipv6_lease(), Some(public_ipv6));
    }
    #[tokio::test]
    async fn public_ipv6_lease_is_treated_as_local_ip() {
        protected_port::clear_protected_tcp_ports_for_test();
        let config = TomlConfigLoader::default();
        let global_ctx = GlobalCtx::new(config);
        let public_ipv6 = "2001:db8::2/64".parse().unwrap();
        let listener: url::Url = "tcp://[2001:db8::2]:11010".parse().unwrap();
        global_ctx.set_public_ipv6_lease(Some(public_ipv6));
        global_ctx.add_running_listener(listener);
        let ip = std::net::IpAddr::V6(public_ipv6.address());
        let socket = SocketAddr::from((public_ipv6.address(), 11010));
        assert!(global_ctx.is_ip_local_virtual_ip(&ip));
        assert!(global_ctx.should_deny_proxy(&socket, false));
        protected_port::clear_protected_tcp_ports_for_test();
    }
    pub fn get_mock_global_ctx_with_network(
        network_identy: Option<NetworkIdentity>,
    ) -> ArcGlobalCtx {
@@ -720,7 +720,7 @@ async fn check_udp_socket_local_addr(
    let socket = UdpSocket::bind("0.0.0.0:0").await?;
    socket.connect(remote_mapped_addr).await?;
    if let Ok(local_addr) = socket.local_addr() {
-        // local_addr should not be equal to virtual ipv4 or virtual ipv6
+        // local_addr should not be equal to an EasyTier-managed virtual/public address.
        match local_addr.ip() {
            IpAddr::V4(ip) => {
                if global_ctx.get_ipv4().map(|ip| ip.address()) == Some(ip) {
@@ -728,8 +728,8 @@ async fn check_udp_socket_local_addr(
                }
            }
            IpAddr::V6(ip) => {
-                if global_ctx.get_ipv6().map(|ip| ip.address()) == Some(ip) {
+                if global_ctx.is_ip_local_ipv6(&ip) {
-                    return Err(anyhow::anyhow!("local address is virtual ipv6").into());
+                    return Err(anyhow::anyhow!("local address is easytier-managed ipv6").into());
                }
            }
        }
@@ -66,7 +66,8 @@ use super::dns_server::{MAGIC_DNS_FAKE_IP, runner::DnsRunner};
 use super::listeners::ListenerManager;
 use super::public_ipv6_provider::{
    reconcile_public_ipv6_provider_runtime, run_public_ipv6_provider_reconcile_task,
-    validate_public_ipv6_config,
+    should_run_public_ipv6_provider_reconcile, validate_public_ipv6_config,
    validate_public_ipv6_config_values,
 };
 #[cfg(feature = "socks5")]
@@ -256,11 +257,64 @@ pub struct InstanceConfigPatcher {
 }
 impl InstanceConfigPatcher {
    fn parse_ipv6_public_addr_prefix_patch(
        prefix: Option<&str>,
    ) -> Result<Option<Option<cidr::Ipv6Cidr>>, anyhow::Error> {
        let Some(prefix) = prefix else {
            return Ok(None);
        };
        let prefix = prefix.trim();
        if prefix.is_empty() {
            return Ok(Some(None));
        }
        let parsed = prefix
            .parse()
            .with_context(|| format!("failed to parse ipv6 public address prefix: {prefix}"))?;
        Ok(Some(Some(parsed)))
    }
    fn effective_ipv6_for_public_ipv6_validation(
        global_ctx: &ArcGlobalCtx,
        patch: &crate::proto::api::config::InstanceConfigPatch,
        _auto_enabled: bool,
    ) -> Option<cidr::Ipv6Inet> {
        if let Some(ipv6) = patch.ipv6 {
            return Some(ipv6.into());
        }
        global_ctx.get_ipv6()
    }
    fn validate_public_ipv6_patch(
        global_ctx: &ArcGlobalCtx,
        patch: &crate::proto::api::config::InstanceConfigPatch,
    ) -> Result<Option<Option<cidr::Ipv6Cidr>>, anyhow::Error> {
        let parsed_prefix =
            Self::parse_ipv6_public_addr_prefix_patch(patch.ipv6_public_addr_prefix.as_deref())?;
        let auto_enabled = patch
            .ipv6_public_addr_auto
            .unwrap_or(global_ctx.config.get_ipv6_public_addr_auto());
        let provider_enabled = patch
            .ipv6_public_addr_provider
            .unwrap_or(global_ctx.config.get_ipv6_public_addr_provider());
        let prefix =
            parsed_prefix.unwrap_or_else(|| global_ctx.config.get_ipv6_public_addr_prefix());
        let ipv6 = Self::effective_ipv6_for_public_ipv6_validation(global_ctx, patch, auto_enabled);
        validate_public_ipv6_config_values(ipv6, provider_enabled, auto_enabled, prefix)?;
        Ok(parsed_prefix)
    }
    pub async fn apply_patch(
        &self,
        patch: crate::proto::api::config::InstanceConfigPatch,
    ) -> Result<(), anyhow::Error> {
        let patch_for_event = patch.clone();
        let global_ctx = weak_upgrade(&self.global_ctx)?;
        let parsed_ipv6_public_addr_prefix = Self::validate_public_ipv6_patch(&global_ctx, &patch)?;
        self.patch_port_forwards(patch.port_forwards).await?;
        self.patch_acl(patch.acl).await?;
@@ -270,9 +324,7 @@ impl InstanceConfigPatcher {
        self.patch_mapped_listeners(patch.mapped_listeners).await?;
        self.patch_connector(patch.connectors).await?;
-        let global_ctx = weak_upgrade(&self.global_ctx)?;
+        let provider_reconcile_was_running = should_run_public_ipv6_provider_reconcile(&global_ctx);
        let provider_reconcile_was_running = global_ctx.config.get_ipv6_public_addr_provider()
            && global_ctx.config.get_ipv6_public_addr_prefix().is_none();
        let mut provider_config_changed = false;
        if let Some(hostname) = patch.hostname {
            global_ctx.set_hostname(hostname.clone());
@@ -295,16 +347,8 @@ impl InstanceConfigPatcher {
        if let Some(enabled) = patch.ipv6_public_addr_auto {
            global_ctx.config.set_ipv6_public_addr_auto(enabled);
        }
-        if let Some(prefix) = patch.ipv6_public_addr_prefix {
+        if let Some(prefix) = parsed_ipv6_public_addr_prefix {
-            let prefix = prefix.trim();
+            global_ctx.config.set_ipv6_public_addr_prefix(prefix);
            let parsed = if prefix.is_empty() {
                None
            } else {
                Some(prefix.parse().with_context(|| {
                    format!("failed to parse ipv6 public address prefix: {prefix}")
                })?)
            };
            global_ctx.config.set_ipv6_public_addr_prefix(parsed);
            provider_config_changed = true;
        }
@@ -313,8 +357,8 @@ impl InstanceConfigPatcher {
        if provider_config_changed {
            reconcile_public_ipv6_provider_runtime(&global_ctx).await;
-            let provider_reconcile_should_run = global_ctx.config.get_ipv6_public_addr_provider()
+            let provider_reconcile_should_run =
-                && global_ctx.config.get_ipv6_public_addr_prefix().is_none();
+                should_run_public_ipv6_provider_reconcile(&global_ctx);
            if !provider_reconcile_was_running && provider_reconcile_should_run {
                run_public_ipv6_provider_reconcile_task(&global_ctx);
            }
@@ -1587,7 +1631,9 @@ impl Drop for Instance {
 #[cfg(test)]
 mod tests {
    use crate::{
-        instance::instance::InstanceRpcServerHook, proto::rpc_impl::standalone::RpcServerHook,
+        common::global_ctx::tests::get_mock_global_ctx,
        instance::instance::{InstanceConfigPatcher, InstanceRpcServerHook},
        proto::{api::config::InstanceConfigPatch, rpc_impl::standalone::RpcServerHook},
    };
    #[tokio::test]
@@ -1708,4 +1754,50 @@ mod tests {
            }
        }
    }
    #[tokio::test]
    async fn validate_public_ipv6_patch_rejects_non_global_prefix() {
        let global_ctx = get_mock_global_ctx();
        let patch = InstanceConfigPatch {
            ipv6_public_addr_provider: Some(true),
            ipv6_public_addr_prefix: Some("fd00::/64".to_string()),
            ..Default::default()
        };
        let err =
            InstanceConfigPatcher::validate_public_ipv6_patch(&global_ctx, &patch).unwrap_err();
        assert!(
            err.to_string()
                .contains("not a valid global unicast IPv6 prefix")
        );
    }
    #[tokio::test]
    async fn validate_public_ipv6_patch_allows_enabling_auto_with_manual_ipv6() {
        let global_ctx = get_mock_global_ctx();
        global_ctx.set_ipv6(Some("fd00::1/64".parse().unwrap()));
        let patch = InstanceConfigPatch {
            ipv6_public_addr_auto: Some(true),
            ..Default::default()
        };
        assert!(InstanceConfigPatcher::validate_public_ipv6_patch(&global_ctx, &patch).is_ok());
    }
    #[tokio::test]
    async fn validate_public_ipv6_patch_ignores_runtime_auto_ipv6_cache() {
        let global_ctx = get_mock_global_ctx();
        global_ctx.config.set_ipv6_public_addr_auto(true);
        global_ctx.set_ipv6(Some("2001:db8::10/64".parse().unwrap()));
        let patch = InstanceConfigPatch {
            ipv6_public_addr_provider: Some(true),
            ipv6_public_addr_prefix: Some("2001:db8:100::/64".to_string()),
            ..Default::default()
        };
        assert!(InstanceConfigPatcher::validate_public_ipv6_patch(&global_ctx, &patch).is_ok());
    }
 }
@@ -1,7 +1,7 @@
 use std::{path::Path, sync::Arc};
 use anyhow::Context;
-use cidr::Ipv6Cidr;
+use cidr::{Ipv6Cidr, Ipv6Inet};
 #[cfg(target_os = "linux")]
 use netlink_packet_route::route::{RouteAddress, RouteAttribute, RouteMessage, RouteType};
@@ -44,6 +44,12 @@ fn should_run_public_ipv6_provider_reconcile_task(
    config.provider_enabled && config.configured_prefix.is_none()
 }
 pub(super) fn should_run_public_ipv6_provider_reconcile(global_ctx: &ArcGlobalCtx) -> bool {
    should_run_public_ipv6_provider_reconcile_task(read_public_ipv6_provider_config_snapshot(
        global_ctx,
    ))
 }
 fn is_global_routable_public_ipv6_prefix(prefix: Ipv6Cidr) -> bool {
    let addr = prefix.first_address();
    !addr.is_loopback()
@@ -53,21 +59,19 @@ fn is_global_routable_public_ipv6_prefix(prefix: Ipv6Cidr) -> bool {
        && !addr.is_unspecified()
 }
-pub(super) fn validate_public_ipv6_config(global_ctx: &ArcGlobalCtx) -> Result<(), Error> {
+pub(super) fn validate_public_ipv6_config_values(
-    if global_ctx.config.get_ipv6_public_addr_auto() && global_ctx.get_ipv6().is_some() {
+    _ipv6: Option<Ipv6Inet>,
-        return Err(anyhow::anyhow!(
+    provider_enabled: bool,
-            "cannot use --ipv6-public-addr-auto together with a manually set --ipv6; pick one or the other"
+    _auto_enabled: bool,
-        )
+    prefix: Option<Ipv6Cidr>,
-        .into());
+) -> Result<(), Error> {
-    }
+    if !provider_enabled {
    if !global_ctx.config.get_ipv6_public_addr_provider() {
        return Ok(());
    }
    ensure_public_ipv6_provider_supported()?;
-    if let Some(prefix) = global_ctx.config.get_ipv6_public_addr_prefix()
+    if let Some(prefix) = prefix
        && !is_global_routable_public_ipv6_prefix(prefix)
    {
        return Err(anyhow::anyhow!(
@@ -80,6 +84,15 @@ pub(super) fn validate_public_ipv6_config(global_ctx: &ArcGlobalCtx) -> Result<(
    Ok(())
 }
 pub(super) fn validate_public_ipv6_config(global_ctx: &ArcGlobalCtx) -> Result<(), Error> {
    validate_public_ipv6_config_values(
        global_ctx.get_ipv6(),
        global_ctx.config.get_ipv6_public_addr_provider(),
        global_ctx.config.get_ipv6_public_addr_auto(),
        global_ctx.config.get_ipv6_public_addr_prefix(),
    )
 }
 fn ensure_public_ipv6_provider_supported() -> Result<(), Error> {
    if cfg!(target_os = "linux") {
        return Ok(());
@@ -920,7 +920,7 @@ impl NicCtx {
            }
            let src_ipv6 = ipv6.get_source();
            let dst_ipv6 = ipv6.get_destination();
-            let my_ipv6 = mgr.get_global_ctx().get_ipv6().map(|x| x.address());
+            let is_local_src = mgr.get_global_ctx().is_ip_local_ipv6(&src_ipv6);
            tracing::trace!(
                ?ret,
                ?src_ipv6,
@@ -928,14 +928,14 @@ impl NicCtx {
                "[USER_PACKET] recv new packet from tun device and forward to peers."
            );
-            if src_ipv6.is_unicast_link_local() && Some(src_ipv6) != my_ipv6 {
+            if src_ipv6.is_unicast_link_local() && !is_local_src {
                // do not route link local packet to other nodes unless the address is assigned by user
                return;
            }
            // TODO: use zero-copy
            let send_ret = mgr
-                .send_msg_by_ip(ret, IpAddr::V6(dst_ipv6), Some(src_ipv6) == my_ipv6)
+                .send_msg_by_ip(ret, IpAddr::V6(dst_ipv6), is_local_src)
                .await;
            if send_ret.is_err() {
                tracing::trace!(?send_ret, "[USER_PACKET] send_msg failed")
@@ -1356,9 +1356,9 @@ impl NicCtx {
        self.run_proxy_cidrs_route_updater().await?;
        self.run_public_ipv6_route_updater().await?;
-        if self.global_ctx.config.get_ipv6_public_addr_auto() {
+        // Keep the updater running so runtime config patches can enable auto mode
-            self.run_public_ipv6_addr_updater().await?;
+        // without recreating the NIC.
-        }
+        self.run_public_ipv6_addr_updater().await?;
        Ok(())
    }
@@ -292,13 +292,33 @@ impl AclFilter {
        processor.increment_stat(AclStatKey::PacketsTotal);
    }
    fn classify_chain_type(
        is_in: bool,
        packet_info: &PacketInfo,
        my_ipv4: Option<Ipv4Addr>,
        is_local_ipv6: impl Fn(Ipv6Addr) -> bool,
    ) -> ChainType {
        if !is_in {
            return ChainType::Outbound;
        }
        let is_local_dst = packet_info.dst_ip == my_ipv4.unwrap_or(Ipv4Addr::UNSPECIFIED)
            || matches!(packet_info.dst_ip, IpAddr::V6(dst) if is_local_ipv6(dst));
        if is_local_dst {
            ChainType::Inbound
        } else {
            ChainType::Forward
        }
    }
    /// Common ACL processing logic
    pub fn process_packet_with_acl(
        &self,
        packet: &ZCPacket,
        is_in: bool,
        my_ipv4: Option<Ipv4Addr>,
-        my_ipv6: Option<Ipv6Addr>,
+        is_local_ipv6: impl Fn(Ipv6Addr) -> bool,
        route: &(dyn super::route_trait::Route + Send + Sync + 'static),
    ) -> bool {
        if !self.acl_enabled.load(Ordering::Relaxed) {
@@ -323,17 +343,7 @@ impl AclFilter {
            }
        };
-        let chain_type = if is_in {
+        let chain_type = Self::classify_chain_type(is_in, &packet_info, my_ipv4, is_local_ipv6);
            if packet_info.dst_ip == my_ipv4.unwrap_or(Ipv4Addr::UNSPECIFIED)
                || packet_info.dst_ip == my_ipv6.unwrap_or(Ipv6Addr::UNSPECIFIED)
            {
                ChainType::Inbound
            } else {
                ChainType::Forward
            }
        } else {
            ChainType::Outbound
        };
        // Get current processor atomically
        let processor = self.get_processor();
@@ -384,3 +394,55 @@ impl AclFilter {
        }
    }
 }
 #[cfg(test)]
 mod tests {
    use std::{
        net::{IpAddr, Ipv4Addr, Ipv6Addr},
        sync::Arc,
    };
    use crate::{
        common::acl_processor::PacketInfo,
        proto::acl::{ChainType, Protocol},
    };
    use super::AclFilter;
    fn packet_info(dst_ip: IpAddr) -> PacketInfo {
        PacketInfo {
            src_ip: IpAddr::V4(Ipv4Addr::new(10, 0, 0, 1)),
            dst_ip,
            src_port: Some(1234),
            dst_port: Some(80),
            protocol: Protocol::Tcp,
            packet_size: 64,
            src_groups: Arc::new(Vec::new()),
            dst_groups: Arc::new(Vec::new()),
        }
    }
    #[test]
    fn classify_chain_type_treats_public_ipv6_lease_as_inbound() {
        let leased_ipv6 = Ipv6Addr::new(0x2001, 0xdb8, 0x100, 0, 0, 0, 0, 0x123);
        let packet_info = packet_info(IpAddr::V6(leased_ipv6));
        let chain =
            AclFilter::classify_chain_type(true, &packet_info, None, |ip| ip == leased_ipv6);
        assert_eq!(chain, ChainType::Inbound);
    }
    #[test]
    fn classify_chain_type_keeps_non_local_ipv6_as_forward() {
        let leased_ipv6 = Ipv6Addr::new(0x2001, 0xdb8, 0x100, 0, 0, 0, 0, 0x123);
        let packet_info = packet_info(IpAddr::V6(Ipv6Addr::new(
            0x2001, 0xdb8, 0xffff, 2, 0, 0, 0, 0x100,
        )));
        let chain =
            AclFilter::classify_chain_type(true, &packet_info, None, |ip| ip == leased_ipv6);
        assert_eq!(chain, ChainType::Forward);
    }
 }
@@ -1062,7 +1062,7 @@ impl PeerManager {
                        &ret,
                        true,
                        global_ctx.get_ipv4().map(|x| x.address()),
-                        global_ctx.get_ipv6().map(|x| x.address()),
+                        |dst| global_ctx.is_ip_local_ipv6(&dst),
                        &route,
                    ) {
                        continue;
@@ -1342,7 +1342,7 @@ impl PeerManager {
            data,
            false,
            None,
-            None,
+            |_| false,
            &self.get_route(),
        ) {
            return false;
@@ -1544,6 +1544,10 @@ impl PeerManager {
            dst_peers.extend(self.peers.list_routes().await.iter().map(|x| *x.key()));
        } else if let Some(peer_id) = self.peers.get_peer_id_by_ipv6(ipv6_addr).await {
            dst_peers.push(peer_id);
        } else if !ipv6_addr.is_unicast_link_local()
            && let Some(peer_id) = self.get_route().get_public_ipv6_gateway_peer_id().await
        {
            dst_peers.push(peer_id);
        } else if !ipv6_addr.is_unicast_link_local() {
            // NOTE: never route link local address to exit node.
            for exit_node in self.exit_nodes.read().await.iter() {
@@ -1674,7 +1678,7 @@ impl PeerManager {
                    && !self.global_ctx.is_ip_local_virtual_ip(&ip_addr)
                {
                    // Keep the loop-prevention flags for proxy-induced self-delivery where
-                    // the destination is not this node's own virtual IP.
+                    // the destination is not this node's own EasyTier-managed IP.
                    hdr.set_not_send_to_tun(true);
                    hdr.set_no_proxy(true);
                }
@@ -3954,6 +3954,10 @@ impl Route for PeerRoute {
        self.public_ipv6_service.my_addr()
    }
    async fn get_public_ipv6_gateway_peer_id(&self) -> Option<PeerId> {
        self.public_ipv6_service.provider_peer_id_for_client()
    }
    async fn get_local_public_ipv6_info(
        &self,
    ) -> crate::proto::api::instance::ListPublicIpv6InfoResponse {
@@ -41,6 +41,10 @@ impl DirectConnectorRpc for DirectConnectorManagerRpcServer {
            let et_ipv6: crate::proto::common::Ipv6Addr = et_ipv6.address().into();
            ret.interface_ipv6s.retain(|x| *x != et_ipv6);
        }
        if let Some(public_ipv6) = self.global_ctx.get_public_ipv6_lease() {
            let public_ipv6: crate::proto::common::Ipv6Addr = public_ipv6.address().into();
            ret.interface_ipv6s.retain(|x| *x != public_ipv6);
        }
        tracing::trace!(
            "get_ip_list: public_ipv4: {:?}, public_ipv6: {:?}, listeners: {:?}",
            ret.public_ipv4,
@@ -226,9 +226,7 @@ impl PublicIpv6Service {
        if *cached_my_addr != my_addr {
            let old = *cached_my_addr;
            *cached_my_addr = my_addr;
-            if self.global_ctx.config.get_ipv6_public_addr_auto() {
+            self.global_ctx.set_public_ipv6_lease(my_addr);
                self.global_ctx.set_ipv6(my_addr);
            }
            self.global_ctx
                .issue_event(GlobalCtxEvent::PublicIpv6Changed(old, my_addr));
        }
@@ -642,6 +640,11 @@ impl PublicIpv6Service {
        *self.my_addr_cache.lock().unwrap()
    }
    pub(crate) fn provider_peer_id_for_client(&self) -> Option<PeerId> {
        self.current_client_state()
            .map(|state| state.provider.peer_id)
    }
    pub(crate) fn local_provider_state(
        &self,
    ) -> Option<(PublicIpv6Provider, Vec<PublicIpv6ProviderLease>)> {
@@ -844,12 +847,48 @@ fn allocate_public_ipv6_leases(
 #[cfg(test)]
 mod tests {
    use std::collections::{HashMap, HashSet};
    use std::net::Ipv6Addr;
    use std::{
        collections::{HashMap, HashSet},
        sync::{Arc, Mutex},
    };
-    use cidr::Ipv6Cidr;
+    use cidr::{Ipv6Cidr, Ipv6Inet};
-    use super::{PublicIpv6PeerRouteInfo, PublicIpv6Service, allocate_public_ipv6_leases};
+    use crate::{
        common::{PeerId, global_ctx::tests::get_mock_global_ctx},
        peers::peer_rpc::PeerRpcManager,
    };
    use super::{
        PublicIpv6PeerRouteInfo, PublicIpv6RouteControl, PublicIpv6Service, PublicIpv6SyncTrigger,
        allocate_public_ipv6_leases,
    };
    struct TestRouteControl {
        my_peer_id: PeerId,
        peers: Mutex<Vec<PublicIpv6PeerRouteInfo>>,
    }
    impl PublicIpv6RouteControl for TestRouteControl {
        fn my_peer_id(&self) -> PeerId {
            self.my_peer_id
        }
        fn peer_route_snapshot(&self) -> Vec<PublicIpv6PeerRouteInfo> {
            self.peers.lock().unwrap().clone()
        }
        fn publish_self_public_ipv6_lease(&self, _lease: Option<Ipv6Inet>) -> bool {
            false
        }
    }
    struct TestSyncTrigger;
    impl PublicIpv6SyncTrigger for TestSyncTrigger {
        fn sync_now(&self, _reason: &str) {}
    }
    #[test]
    fn public_ipv6_lease_allocator_keeps_stable_addresses() {
@@ -939,4 +978,64 @@ mod tests {
        assert!(leases.is_empty());
    }
    #[tokio::test]
    async fn reconcile_runtime_clears_public_ipv6_lease_when_auto_is_disabled() {
        let global_ctx = get_mock_global_ctx();
        global_ctx.config.set_ipv6_public_addr_auto(false);
        let virtual_addr = "fd00::1/64".parse().unwrap();
        let stale_addr = "2001:db8::123/64".parse().unwrap();
        global_ctx.set_ipv6(Some(virtual_addr));
        global_ctx.set_public_ipv6_lease(Some(stale_addr));
        let service = Arc::new(PublicIpv6Service::new(
            global_ctx.clone(),
            std::sync::Weak::<PeerRpcManager>::new(),
            Arc::new(TestRouteControl {
                my_peer_id: 1,
                peers: Mutex::new(Vec::new()),
            }),
            Arc::new(TestSyncTrigger),
        ));
        *service.my_addr_cache.lock().unwrap() = Some(stale_addr);
        service.reconcile_runtime_from_snapshot(&[]);
        assert_eq!(*service.my_addr_cache.lock().unwrap(), None);
        assert_eq!(global_ctx.get_ipv6(), Some(virtual_addr));
        assert_eq!(global_ctx.get_public_ipv6_lease(), None);
    }
    #[tokio::test]
    async fn reconcile_runtime_keeps_virtual_ipv6_when_public_lease_changes() {
        let global_ctx = get_mock_global_ctx();
        global_ctx.config.set_ipv6_public_addr_auto(true);
        let virtual_addr = "fd00::1/64".parse().unwrap();
        let public_addr = "2001:db8::123/64".parse().unwrap();
        global_ctx.set_ipv6(Some(virtual_addr));
        let service = Arc::new(PublicIpv6Service::new(
            global_ctx.clone(),
            std::sync::Weak::<PeerRpcManager>::new(),
            Arc::new(TestRouteControl {
                my_peer_id: 1,
                peers: Mutex::new(vec![PublicIpv6PeerRouteInfo {
                    peer_id: 1,
                    inst_id: Some(uuid::Uuid::from_u128(1)),
                    is_provider: false,
                    prefix: None,
                    lease: Some(public_addr),
                    reachable: true,
                }]),
            }),
            Arc::new(TestSyncTrigger),
        ));
        service.reconcile_runtime();
        assert_eq!(global_ctx.get_ipv6(), Some(virtual_addr));
        assert_eq!(global_ctx.get_public_ipv6_lease(), Some(public_addr));
    }
 }
@@ -105,6 +105,10 @@ pub trait Route {
        None
    }
    async fn get_public_ipv6_gateway_peer_id(&self) -> Option<PeerId> {
        None
    }
    async fn get_local_public_ipv6_info(&self) -> ListPublicIpv6InfoResponse {
        ListPublicIpv6InfoResponse::default()
    }
@@ -3599,7 +3599,15 @@ pub async fn config_patch_test() {
    };
    use crate::tunnel::common::tests::_tunnel_pingpong_netns_with_timeout;
-    let insts = init_three_node("udp").await;
+    let insts = init_three_node_ex(
        "udp",
        |cfg| {
            cfg.set_ipv6(None);
            cfg
        },
        false,
    )
    .await;
    check_route(
        "10.144.144.2/24",