I'd like to specify where in my INPUT and FORWARD chains the ts-input and ts-forward jumps are called, but I still want tailscaled to manage the contents of ts-input and ts-forward for me. The documentation implies that --netfilter-mode=nodivert is the solution to this, but when I start tailscaled it removes my references to ts-input from INPUT and ts-forward from FORWARD.
It doesn't seem like nodivert can be used at the moment when tailscaled removes references to ts-input and ts-forward during startup.
Steps to reproduce
tailscaled is configured with the following options:
tailscale up --accept-dns=false --advertise-routes=192.168.122.0/24 --exit-node=100.91.168.145 --exit-node-allow-lan-access --netfilter-mode=nodivert
Here I am re-loading the following rules with empty ts-input and ts-forward chains so that I can reference them:
root@intent:/etc/iptables# cat /etc/iptables/rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ts-forward - [0:0]
:ts-input - [0:0]
-A ts-input -j RETURN
-A ts-forward -j RETURN
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j ts-input
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -o tailscale+ -j ACCEPT
-A FORWARD -j ts-forward
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tailscale+ -j MASQUERADE -s 192.168.122.0/24 ! -d 100.64.0.0/10
COMMIT
If I load these rules then start tailscaled it removes -A INPUT -j ts-input and -A FORWARD -j ts-forward:
Are there any recent changes that introduced the issue?
No response
OS
Linux
OS version
Debian 12
Tailscale version
1.66.3
Other software
iptables-persistent
Bug report
BUG-613a56c19bf4379b3e32fa66e326edee6620886e8dd6f31591ce751034430181-20240518223505Z-b2648a70a5338df2