The wg+ wildcard in the server isolation DROP rule was also matching
same-interface traffic (wg0->wg0), blocking clients from pinging each
other even with Client Isolation turned off.
Fix: always insert an explicit same-interface ACCEPT (or REJECT if
isolated) rule AFTER the wg+ DROP, so it lands at position 1 in the
chain and is evaluated before the DROP.
Also update syncIptablesRules to apply the ACCEPT rule (not just remove
the REJECT) when isolation is toggled off at runtime.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
wg syncconf does not execute PostUp/PostDown, so toggling isolate_clients
had no effect until container restart. Add syncIptablesRules() to directly
apply/remove the REJECT rule after every syncconf call.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
