ipn/ipnlocal: show warnings about reverse path filtering
Updates tailscale/tailscale#4432
Depends on tailscale/tailscale-www#1656
Change-Id: I519656b70d07a61b9308aad196fba982fc3ca8fc
Signed-off-by: Andrew Dunham [email protected]
This is what it looks like on my local machine:
$ sudo curl -fsS --unix-socket /tmp/tailscaled.usermode.sock http://localhost/localapi/v0/check-ip-forwarding | jq -r .Warning
IPv6 forwarding is disabled.
Subnet routes and exit nodes may not work correctly.
See https://tailscale.com/kb/1104/enable-ip-forwarding/
Interface docker0 has strict reverse-path filtering enabled
Subnet routes and exit nodes may not work correctly.
I'm no expert on this, but I think this may not be sufficient; we may want to actually run this on all calls to tailscale up, not just when we're advertising an exit node (which is when we currently check IP forwarding). Thoughts? I can pull this out into a new local endpoint without too much difficulty, if so?
@danderson - I think this is me being bad at reading comprehension; strict rp_filter breaks clients, not exit nodes. Pushed a change to have this run on all calls to tailscale up instead; thoughts?
This would also need to check for an iptables or nftables rule invoking the rpfilter netfilter module; AFAICT the rp_filter sysctl is deprecated.
There is hope of fixing the underlying problem so that we don't need a warning though, see discussions in https://github.com/tailscale/tailscale/issues/3310#issuecomment-1271412885 and https://github.com/tailscale/tailscale/issues/4432.
Force-pushed over this to just implement the "check for rp_filter" functionality, and will defer using it to another PR.