cafkafk/nixpkgs
cafkafk/nixpkgs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 2

nixos/tailscale: warn if strict reverse path filtering is in use.

Browse source 
Tailscale uses policy routing to enable certain traffic to bypass
routes that lead into the Tailscale mesh. NixOS's reverse path
filtering setup doesn't understand the policy routing at play,
and so incorrectly interprets some of this traffic as spoofed.

Since this only breaks some features of Tailscale, merely warn
users about it, rather than make it a hard error.

Updates tailscale/tailscale#4432

Signed-off-by: David Anderson <dave@natulte.net>
This commit is contained in:
David Anderson 2022-05-05 18:15:54 -07:00
parent e6b94ad07e
commit 3fdac0f981
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
nixos/modules/services/networking/tailscale.nix
View file

@ -2,7 +2,11 @@
with lib;
let cfg = config.services.tailscale;
let
cfg = config.services.tailscale;
firewallOn = config.networking.firewall.enable;
rpfMode = config.networking.firewall.checkReversePath;
rpfIsStrict = rpfMode == true || rpfMode == "strict";
in {
meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ];
@ -36,6 +40,7 @@ in {
};
config = mkIf cfg.enable {
warnings = optional (firewallOn && rpfIsStrict) "Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting `networking.firewall.checkReversePath` = 'loose'";
environment.systemPackages = [ cfg.package ]; # for the CLI
systemd.packages = [ cfg.package ];
systemd.services.tailscaled = {