Merge branch 'dev'

tailscale/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.18.0.4 (forked)
+
+- Make stateful-filtering configurable
+
 ## 0.18.0.3 (forked)
 
 - Merge unreleased changes from community add-on

tailscale/DOCS.md

@@ -5,6 +5,7 @@
 > This is a **fork** of the [community add-on][community_addon]!
 >
 > Changes:
+>   - Make stateful-filtering configurable
 >   - Release unreleased changes from community add-on:
 >     - Update tailscale/tailscale to v1.66.3
 >     - Linux optimizations for subnet routers and exit nodes ([details](https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes))
@@ -109,6 +110,7 @@ login_server: "https://controlplane.tailscale.com"
 proxy: false
 proxy_and_funnel_port: 443
 snat_subnet_routes: true
+stateful_filtering: true
 tags:
   - tag:example
   - tag:homeassistant
@@ -352,8 +354,23 @@ router, and this simplifies routing configuration.
 When not set, this option is enabled by default.
 
 To support advanced [Site-to-site networking][tailscale_info_site_to_site] (eg.
-to traverse multiple networks), you can disable this functionality. But do it
-only when you really understand why you need this.
+to traverse multiple networks), you can disable this functionality, and execute
+steps 2 and 3 as described on [Site-to-site
+networking][tailscale_info_site_to_site]. But do it only when you really
+understand why you need this.
+
+### Option: `stateful_filtering`
+
+This option enables stateful packet filtering on packet-forwarding nodes (exit
+nodes, subnet routers, and app connectors), to only allow return packets for
+existing outbound connections. Inbound packets that don't belong to an existing
+connection are dropped.
+
+When not set, this option is enabled by default.
+
+To support basic [Site-to-site networking][tailscale_info_site_to_site], you can
+disable this functionality, and execute steps 2 and 3 as described on
+[Site-to-site networking][tailscale_info_site_to_site].
 
 ### Option: `tags`
 
@@ -385,8 +402,8 @@ instance, disable userspace networking mode, which will create a `tailscale0`
 network interface on your host.
 
 If you want to access other clients on your tailnet even from your local subnet,
-execute steps 2 and 3 as described on [Site-to-site
-networking][tailscale_info_site_to_site].
+disable `stateful_filtering` and execute steps 2 and 3 as described on
+[Site-to-site networking][tailscale_info_site_to_site].
 
 In case your local subnets collide with subnet routes within your tailnet, your
 local network access has priority, and these addresses won't be routed toward

tailscale/README.md

@@ -7,6 +7,7 @@ Zero config VPN for building secure networks.
 > This is a **fork** of the [community add-on][community_addon]!
 >
 > Changes:
+>   - Make stateful-filtering configurable
 >   - Release unreleased changes from community add-on:
 >     - Update tailscale/tailscale to v1.66.3
 >     - Linux optimizations for subnet routers and exit nodes ([details](https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes))

tailscale/config.yaml

@@ -1,6 +1,6 @@
 ---
 name: Tailscale with features
-version: 0.18.0.3
+version: 0.18.0.4
 slug: tailscale
 description: Zero config VPN for building secure networks
 url: https://github.com/lmagyar/homeassistant-addon-tailscale
@@ -40,6 +40,7 @@ schema:
   proxy: bool?
   proxy_and_funnel_port: match(^(443|8443|10000)$)?
   snat_subnet_routes: bool?
+  stateful_filtering: bool?
   tags:
     - "match(^tag:[a-zA-Z][a-zA-Z0-9-]*$)?"
   taildrop: bool?

tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run

@@ -55,6 +55,15 @@ then
   options+=(--login-server="${login_server}")
 fi
 
+# Support basic site-to-site networking, disable stateful filtering
+if ! bashio::config.has_value "stateful_filtering" || \
+  bashio::config.true "stateful_filtering";
+then
+  options+=(--stateful-filtering)
+else
+  options+=(--stateful-filtering=false)
+fi
+
 # Support advanced site-to-site networking, disable source addresses NAT
 if ! bashio::config.has_value "snat_subnet_routes" || \
   bashio::config.true "snat_subnet_routes";
@@ -142,16 +151,16 @@ fi
 
 # Warn about invalid certificate service configuration (can't be checked by the UI)
 if (bashio::config.has_value "lets_encrypt_certfile" && ! bashio::config.has_value "lets_encrypt_keyfile") ||
-    (! bashio::config.has_value "lets_encrypt_certfile" && bashio::config.has_value "lets_encrypt_keyfile");
+  (! bashio::config.has_value "lets_encrypt_certfile" && bashio::config.has_value "lets_encrypt_keyfile");
 then
-    bashio::log.warning \
-        "Both 'lets_encrypt' options ('lets_encrypt_certfile' and 'lets_encrypt_keyfile')" \
-        "has to be specified or omitted together."
+  bashio::log.warning \
+    "Both 'lets_encrypt' options ('lets_encrypt_certfile' and 'lets_encrypt_keyfile')" \
+    "has to be specified or omitted together."
 fi
 
 # Notify about userspace networking
 if ! bashio::config.has_value "userspace_networking" || \
-    bashio::config.true "userspace_networking";
+  bashio::config.true "userspace_networking";
 then
   bashio::log.notice "The add-on uses userspace networking mode."
   bashio::log.notice "If you need to access other clients on your tailnet from your Home Assistant instance,"

tailscale/translations/en.yaml

@@ -74,6 +74,14 @@ configuration:
       To support advanced Site-to-site networking (eg. to traverse multiple
       networks), you can disable this functionality.
       When not set, this option is enabled by default.
+  stateful_filtering:
+    name: Stateful packet filtering
+    description: >-
+      This option enables stateful packet filtering on packet-forwarding nodes (exit
+      nodes, subnet routers, and app connectors), to only allow return packets for
+      existing outbound connections.
+      To support basic Site-to-site networking, you can disable this functionality.
+      When not set, this option is enabled by default.
   tags:
     name: Tags
     description: >-