v1.66.x breaks MagicDNS without --stateful-filtering=false

[icebladerage]

What is the issue?

Upgrading to 1.66.x causes Tailscale to stop controlling DNS without setting stateful-filtering to false.

The endpoint in question does not function as a subnet router or exit node. Docker is not installed.

As soon as tailscale upgrades, this is logged:

May 9 23:53:21 machine tailscaled[223811]: health("overall"): error: router: adding [-o tailscale0 -m conntrack ! --ctstate ESTABLISHED,RELATED -j DROP] in filter/ts-forward: running [/usr/sbin/iptables -t filter -I ts-forward 4 -o tailscale0 -m conntrack ! --ctstate ESTABLISHED,RELATED -j DROP --wait]: exit status 2: iptables v1.8.7 (nf_tables): Couldn't load match `conntrack':No such file or directory

This does not occur in 1.64.0. In order for this to work in 1.66.x, tailscale needs the stateful-filtering=false flag set.

Steps to reproduce

Upgrade tailscale to 1.66 or 1.66.1

Are there any recent changes that introduced the issue?

No response

OS

Linux

OS version

PopOS 22.04

Tailscale version

1.64.0-1.66.x

Other software

No response

Bug report

No response

[awly]

@icebladerage it appears that your host does not have conntrack installed, which is typically present on most Linux systems these days.
Can you try sudo apt install conntrack and see if that allows tailscale set --stateful-filtering=true to work?

[icebladerage]

Installed and set. So far so good. If I get time, I will install a blank popos and see if that is a default, as I cannot' recall ever messing with that on this install.

[awly]

Thanks for confirming! Please reopen this issue if you find that a fresh install has the same problem. We currently assume that conntrack is installed by default in most distros.