From 9ef14ee070be25aeb584d3283746c9d931b27be9 Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Sun, 6 Oct 2024 09:46:47 +0000
Subject: [PATCH] fix(firewall): deduplicate ipv6 multicast output accept rules
---
 internal/firewall/enable.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/internal/firewall/enable.go b/internal/firewall/enable.go
index 415076bc..94810784 100644
--- a/internal/firewall/enable.go
+++ b/internal/firewall/enable.go
@@ -106,12 +106,20 @@ func (c *Config) enable(ctx context.Context) (err error) {
 return err
 }
+ localInterfaces := make(map[string]struct{}, len(c.localNetworks))
 for _, network := range c.localNetworks {
 if err := c.acceptOutputFromIPToSubnet(ctx, network.InterfaceName, network.IP, network.IPNet, remove); err != nil {
 return err
 }
- if err = c.acceptIpv6MulticastOutput(ctx, network.InterfaceName, remove); err != nil {
- return err
+
+ _, localInterfaceSeen := localInterfaces[network.InterfaceName]
+ if localInterfaceSeen {
+ continue
+ }
+ localInterfaces[network.InterfaceName] = struct{}{}
+ err = c.acceptIpv6MulticastOutput(ctx, network.InterfaceName, remove)
+ if err != nil {
+ return fmt.Errorf("accepting IPv6 multicast output: %w", err)
 }
 }
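Review bot: The `continue` for an already-seen interface sits in the middle of the per-network loop body, so any per-network rule later added below the multicast call would be silently skipped for the second and later subnets on that interface; scoping the once-per-interface work inside `if _, seen := localInterfaces[network.InterfaceName]; !seen { ... }` keeps the loop safe to extend. A short comment above the map, such as `// the IPv6 multicast accept rule is per interface, and several local networks can share one interface`, would record why the set exists. The new call wraps its error while the `acceptOutputFromIPToSubnet` call just above still returns `err` bare, so the two failures reach the caller with different amounts of context. `enable` starts and ends outside the hunk, so it cannot be checked from here whether a removal path iterates `c.localNetworks` without the same deduplication.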