Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stateful packet filtering in nftables drops non-Tailscale traffic (1.66) #12066

Closed
aenron opened this issue May 9, 2024 · 8 comments
Closed

Stateful packet filtering in nftables drops non-Tailscale traffic (1.66) #12066

aenron opened this issue May 9, 2024 · 8 comments
Assignees
@awly
Labels
bug Bug L3 Some users Likelihood OS-linux P5 Halts deployment Priority level T6 Major usability Issue type

Comments

@aenron
Copy link

aenron commented May 9, 2024

What is the issue?

I have an OpenWRT router(x86) with Tailscale installed, configured as an exit node and subnet. After updating to version 1.66, the devices under the router cannot ping public IP addresses such as 1.1.1.1, but can still ping Tailscale's private IP address. Additionally, the router itself can ping public IP addresses, but only the devices under the router cannot ping them.

When I run a "tailscale netcheck" command, it showed that UDP, IPv6, DERP were all false.

However, after rolling back to version 1.64.0, everything returned to normal.

Steps to reproduce

No response

Are there any recent changes that introduced the issue?

No response

OS

Other

OS version

openwrt 23.05.02

Tailscale version

1.66.0

Other software

No response

Bug report

No response
@icio
Copy link
Contributor

icio commented May 9, 2024
edited

Hi @aenron, can you please share some more details about the network flow that's being disrupted here? Are these LAN devices unable to connect to the public internet through the router, e.g. a PC on 192.168.1.7 connecting to the router via eth0 cannot reach 1.1.1.1? Do these LAN devices have Tailscale installed, or is Tailscale only installed on the router?

1.66 included a change related to security-bulletin https://tailscale.com/security-bulletins#ts-2024-005 which might be affecting your setup:

Site-to-site networking now also requires --stateful-filtering=false in addition to --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false will default to --stateful-filtering=false.
https://tailscale.com/changelog#2024-05-08-client

I wonder whether your router is running with --snat-subnet-routes=true and what happens if you set --stateful-filtering=false?

If you can also grab a tailscale bugreport bug ID that will help us look at your setup.

Thanks

Update: we're investigating whether this is a bug - the above should help mitigate it in the mean time.

knyar added a commit that referenced this issue May 9, 2024
@knyar
util/linuxfw: fix stateful packet filtering in nftables mode
728b689 
To match iptables:
https://github.com/tailscale/tailscale/blob/b5dbf155b1b0fbd5947160d8bca4085c6ff039a5/util/linuxfw/iptables_runner.go#L536

Updates #12066

Signed-off-by: Anton Tolchanov <[email protected]>
@knyar knyar mentioned this issue May 9, 2024
Merged
@knyar knyar changed the title updating to version 1.66, ping is not responding Stateful packet filtering in nftables drops non-Tailscale traffic (1.66) May 9, 2024
@knyar
Copy link
Contributor

knyar commented May 9, 2024
edited

Thank you for the report! This is a regression introduced in 1.66 as part of stateful packet filtering aimed to migitate the TS-2024-005 issue.

I think this only impacts packet-forwarding nodes (exit nodes, subnet routers) running on Linux with nftables firewall mode.

We expect to build a stable release with a fix shortly. Meanwhile, you can do one of the following:

  • Disable stateful packet filtering via tailscale up --stateful-filtering=false
  • On systems that support iptables CLI, install it and run tailscaled with TS_DEBUG_FIREWALL_MODE environment variable set to iptables.

@knyar knyar self-assigned this May 9, 2024
@knyar knyar mentioned this issue May 9, 2024
Closed
@geberl geberl mentioned this issue May 9, 2024
Closed
knyar added a commit that referenced this issue May 9, 2024
@knyar
util/linuxfw: fix stateful packet filtering in nftables mode
ac638f3 
To match iptables:
https://github.com/tailscale/tailscale/blob/b5dbf155b1b0fbd5947160d8bca4085c6ff039a5/util/linuxfw/iptables_runner.go#L536

Updates #12066

Signed-off-by: Anton Tolchanov <[email protected]>
@aenron
Copy link
Author

aenron commented May 9, 2024

Hi @aenron, can you please share some more details about the network flow that's being disrupted here? Are these LAN devices unable to connect to the public internet through the router, e.g. a PC on 192.168.1.7 connecting to the router via eth0 cannot reach 1.1.1.1? Do these LAN devices have Tailscale installed, or is Tailscale only installed on the router?

1.66 included a change related to security-bulletin https://tailscale.com/security-bulletins#ts-2024-005 which might be affecting your setup:

Site-to-site networking now also requires --stateful-filtering=false in addition to --snat-subnet-routes=false on new subnet routers. Existing subnet routers with --snat-subnet-routes=false will default to --stateful-filtering=false.
https://tailscale.com/changelog#2024-05-08-client

I wonder whether your router is running with --snat-subnet-routes=true and what happens if you set --stateful-filtering=false?

If you can also grab a tailscale bugreport bug ID that will help us look at your setup.

Thanks

Update: we're investigating whether this is a bug - the above should help mitigate it in the mean time.

tailscale bugreport:BUG-eed0c23a1df9f3a1671a9ca2be015fdce42e5cd9096d380fe4927b7e3c187c9d-20240509142755Z-69de24189f9b173b
my startup is: tailscale up --advertise-routes=192.168.2.0/24 --accept-routes --advertise-exit-node --accept-dns=false, and the rest of the parameters are kept as default. When I use tailscale up --stateful-filtering=false, the problem is solved.It is nftables used on Linux, and I hope this information helps resolve the issue.

awly pushed a commit that referenced this issue May 9, 2024
@knyar @awly
util/linuxfw: fix stateful packet filtering in nftables mode
60d8965 
To match iptables:
https://github.com/tailscale/tailscale/blob/b5dbf155b1b0fbd5947160d8bca4085c6ff039a5/util/linuxfw/iptables_runner.go#L536

Updates #12066

Signed-off-by: Anton Tolchanov <[email protected]>
(cherry picked from commit ac638f3)
@plEase939
Copy link

tailscale up --stateful-filtering=false Resolved my issue for now. Got panic got multiple alerts of services being down and rushed here. All exit nodes are showing on devices.

@awly
Copy link
Contributor

awly commented May 9, 2024

We released 1.66.1 with the fix: https://tailscale.com/changelog#2024-05-09

@awly awly self-assigned this May 9, 2024
@shladek
Copy link

shladek commented May 9, 2024

Can confirm the fix is working on my simple nftables router that has tailscale installed.

@knyar knyar removed their assignment May 10, 2024
@keslerm
Copy link

keslerm commented May 10, 2024

This is still an issue in 1.66.1 it would seem, our nodes that were created and running 1.66.1 still need --stateful-filtering=false to restore connectivity in docker containers to anything outside of tailscale.

@awly
Copy link
Contributor

awly commented May 10, 2024

@keslerm that is a separate issue, see #12070

@awly awly closed this as completed May 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@awly awly

Labels
bug Bug L3 Some users Likelihood OS-linux P5 Halts deployment Priority level T6 Major usability Issue type
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@icio @awly @knyar @keslerm @aenron @shladek @plEase939