Static ts-input rule removed from INPUT when --netfilter-mode=nodivert used #12185

Open
fincham opened this issue May 18, 2024 · 1 comment

Comments

@fincham

fincham commented May 18, 2024

What is the issue?

I'd like to specify where in my INPUT and FORWARD chains the ts-input and ts-forward jumps are called, but I still want tailscaled to manage the contents of ts-input and ts-forward for me. The documentation implies that --netfilter-mode=nodivert is the solution to this, but when I start tailscaled it removes my references to ts-input from INPUT and ts-forward from FORWARD.

It doesn't seem like nodivert can be used at the moment when tailscaled removes references to ts-input and ts-forward during startup.

Steps to reproduce

tailscaled is configured with the following options:

tailscale up --accept-dns=false --advertise-routes=192.168.122.0/24 --exit-node=100.91.168.145  --exit-node-allow-lan-access --netfilter-mode=nodivert

Here I am re-loading the following rules with empty ts-input and ts-forward chains so that I can reference them:

root@intent:/etc/iptables# cat /etc/iptables/rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ts-forward - [0:0]
:ts-input - [0:0]
-A ts-input -j RETURN
-A ts-forward -j RETURN
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j ts-input
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -o tailscale+ -j ACCEPT
-A FORWARD -j ts-forward
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tailscale+ -j MASQUERADE -s 192.168.122.0/24 ! -d 100.64.0.0/10
COMMIT

If I load these rules and then start tailscaled, it removes -A INPUT -j ts-input and -A FORWARD -j ts-forward:

root@intent:/etc/iptables# iptables-restore /etc/iptables/rules.v4
root@intent:/etc/iptables# iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   35  2468 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ts-input   0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      tailscale+  192.168.122.0/24     0.0.0.0/0           
    0     0 ts-forward  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 18 packets, 1640 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain ts-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ts-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0 
root@intent:/etc/iptables# service tailscaled start
root@intent:/etc/iptables# iptables -L -v -n
Chain INPUT (policy DROP 1 packets, 152 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  393 50760 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    1    90 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     1    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      tailscale+  192.168.122.0/24     0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 131 packets, 23103 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain ts-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       0    --  tailscale0 *       0.0.0.0/0            0.0.0.0/0            MARK xset 0x40000/0xff0000
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000
    0     0 DROP       0    --  *      tailscale0  100.64.0.0/10        0.0.0.0/0           
    0     0 DROP       0    --  *      tailscale0  0.0.0.0/0            0.0.0.0/0            ! ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      tailscale0  0.0.0.0/0            0.0.0.0/0           

Chain ts-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     0    --  lo     *       100.99.217.79        0.0.0.0/0           
    0     0 RETURN     0    --  !tailscale0 *       100.115.92.0/23      0.0.0.0/0           
    0     0 DROP       0    --  !tailscale0 *       100.64.0.0/10        0.0.0.0/0           
    0     0 ACCEPT     0    --  tailscale0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:41641

Are there any recent changes that introduced the issue?

No response

OS

Linux

OS version

Debian 12

Tailscale version

1.66.3

Other software

iptables-persistent

Bug report

BUG-613a56c19bf4379b3e32fa66e326edee6620886e8dd6f31591ce751034430181-20240518223505Z-b2648a70a5338df2

@fincham
Author

fincham commented May 18, 2024

A workaround is to add an extra step so that ts-input and ts-forward are not directly referenced in INPUT and FORWARD, but this is pretty ugly:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ts-forward - [0:0]
:ts-input - [0:0]
:sneaky-input - [0:0]
:sneaky-forward - [0:0]
-A sneaky-input -j ts-input
-A sneaky-forward -j ts-forward
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j sneaky-input
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -o tailscale+ -j ACCEPT
-A FORWARD -j sneaky-forward
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tailscale+ -j MASQUERADE -s 192.168.122.0/24 ! -d 100.64.0.0/10
COMMIT
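A post-start check for the behaviour described in the report and for the workaround above, added here as an example and not part of the issue or of Tailscale: it reads an iptables-save dump and reports whether ts-input and ts-forward are still reachable from INPUT and FORWARD, following user-defined jumps so that the sneaky-* indirection counts as reachable. Chain names are the real ones from the issue; the three sample dumps are constructed.

```shell
# Added example (not from the issue or the Tailscale project). Feed a live
# system with:  check_ts_jumps "$(iptables-save)"  and fail the unit / alert if
# the output is non-empty. Sample dumps below are constructed for illustration.

# reachable DUMP FROM TARGET -> prints yes/no (filter table only, -j edges)
reachable() {
    printf '%s\n' "$1" | awk -v from="$2" -v target="$3" '
        /^\*/ { table = substr($0, 2) }                 # *filter, *nat, ...
        table == "filter" && $1 == "-A" {
            for (i = 3; i <= NF; i++)
                if ($i == "-j") edge[$2, $(i + 1)] = 1    # chain -> jump target
        }
        END {                                            # breadth-first search
            queue[n = 1] = from; seen[from] = 1
            for (q = 1; q <= n; q++)
                for (e in edge) {
                    split(e, p, SUBSEP)
                    if (p[1] == queue[q] && !seen[p[2]]) { seen[p[2]] = 1; queue[++n] = p[2] }
                }
            print (seen[target] ? "yes" : "no")
        }'
}

# check_ts_jumps DUMP -> prints the names of the unreachable chains ("" = OK)
check_ts_jumps() {
    missing=""
    [ "$(reachable "$1" INPUT ts-input)" = yes ]     || missing="$missing ts-input"
    [ "$(reachable "$1" FORWARD ts-forward)" = yes ] || missing="$missing ts-forward"
    printf '%s' "${missing# }"
}

# Constructed: the reporter's direct jumps, as loaded before tailscaled starts.
DIRECT='*filter
-A INPUT -j ts-input
-A FORWARD -j ts-forward
COMMIT'

# Constructed: after tailscaled removed both jumps (ts-input still populated).
STRIPPED='*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ts-input -i tailscale0 -j ACCEPT
COMMIT'

# Constructed: the sneaky-* indirection from the workaround comment.
INDIRECT='*filter
-A sneaky-input -j ts-input
-A sneaky-forward -j ts-forward
-A INPUT -j sneaky-input
-A FORWARD -j sneaky-forward
COMMIT'
```

With an INPUT policy of DROP, a silently removed ts-input jump means tailnet traffic is dropped rather than exposed, so the check is about availability and about confirming which rules are actually in force after the daemon starts.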
