From a6c71605ea1e948803b9d182166f83042b0b6d19 Mon Sep 17 00:00:00 2001 From: Laszlo Magyar Date: Thu, 16 May 2024 22:47:50 +0200 Subject: [PATCH 1/6] stateful_filtering option --- tailscale/DOCS.md | 30 ++++++++++++++++--- tailscale/config.yaml | 1 + .../s6-overlay/s6-rc.d/post-tailscaled/run | 17 +++++++++++ tailscale/translations/en.yaml | 8 +++++ 4 files changed, 52 insertions(+), 4 deletions(-) diff --git a/tailscale/DOCS.md b/tailscale/DOCS.md index 60f7b67b..bb9bca9e 100644 --- a/tailscale/DOCS.md +++ b/tailscale/DOCS.md @@ -109,6 +109,7 @@ login_server: "https://controlplane.tailscale.com" proxy: false proxy_and_funnel_port: 443 snat_subnet_routes: true +stateful_filtering: true tags: - tag:example - tag:homeassistant 
@@ -352,8 +353,29 @@ router, and this simplifies routing configuration. When not set, this option is enabled by default. To support advanced [Site-to-site networking][tailscale_info_site_to_site] (eg. -to traverse multiple networks), you can disable this functionality. But do it -only when you really understand why you need this. +to traverse multiple networks), you can disable this functionality, and execute +steps 2 and 3 as described on [Site-to-site +networking][tailscale_info_site_to_site]. But do it only when you really +understand why you need this. + +**Note:** If `snat_subnet_routes` is disabled, consider disabling +`stateful_filtering` also. + +### Option: `stateful_filtering` + +This option enables stateful packet filtering on packet-forwarding nodes (exit +nodes, subnet routers, and app connectors), to only allow return packets for +existing outbound connections. Inbound packets that don't belong to an existing +connection are dropped. + +When not set, this option is enabled by default. + +To support basic [Site-to-site networking][tailscale_info_site_to_site], you can +disable this functionality, and execute steps 2 and 3 as described on +[Site-to-site networking][tailscale_info_site_to_site]. + +**Note:** If `snat_subnet_routes` is disabled, consider disabling +`stateful_filtering` also. ### Option: `tags` @@ -385,8 +407,8 @@ instance, disable userspace networking mode, which will create a `tailscale0` network interface on your host. If you want to access other clients on your tailnet even from your local subnet, -execute steps 2 and 3 as described on [Site-to-site -networking][tailscale_info_site_to_site]. +disable `stateful_filtering` and execute steps 2 and 3 as described on +[Site-to-site networking][tailscale_info_site_to_site]. In case your local subnets collide with subnet routes within your tailnet, your local network access has priority, and these addresses won't be routed toward 
diff --git a/tailscale/config.yaml b/tailscale/config.yaml index fb52acea..7beeda5f 100644 --- a/tailscale/config.yaml +++ b/tailscale/config.yaml @@ -40,6 +40,7 @@ schema: proxy: bool? proxy_and_funnel_port: match(^(443|8443|10000)$)? snat_subnet_routes: bool? + stateful_filtering: bool? tags: - "match(^tag:[a-zA-Z][a-zA-Z0-9-]*$)?" taildrop: bool? diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run index caedc662..a604e28d 100755 --- a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run +++ b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run @@ -55,6 +55,15 @@ then options+=(--login-server="${login_server}") fi +# Support basic site-to-site networking, disable stateful filtering +if ! bashio::config.has_value "stateful_filtering" || \ + bashio::config.true "stateful_filtering"; +then + options+=(--stateful-filtering) +else + options+=(--stateful-filtering=false) +fi + # Support advanced site-to-site networking, disable source addresses NAT if ! bashio::config.has_value "snat_subnet_routes" || \ bashio::config.true "snat_subnet_routes"; @@ -149,6 +158,14 @@ then "has to be specified or omitted together." fi +# Notify about unusual site-to-site networking configuration +if (! bashio::config.has_value "stateful_filtering" || \ + bashio::config.true "stateful_filtering") && \ + bashio::config.false "snat_subnet_routes"; +then + bashio::log.notice "When snat_subnet_routes is disabled, consider disabling stateful_filtering also." +fi + # Notify about userspace networking if ! bashio::config.has_value "userspace_networking" || \ bashio::config.true "userspace_networking"; diff --git a/tailscale/translations/en.yaml b/tailscale/translations/en.yaml index 5162e635..7d576be0 100644 --- a/tailscale/translations/en.yaml +++ b/tailscale/translations/en.yaml 
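Review bot: The `else` branch that emits `--stateful-filtering=false` turns the filter off silently, while the same script already logs a notice for the other unusual network setting (userspace networking) a few lines further down; a user who disables it on a subnet router or exit node should be told, because unsolicited tailnet-originated packets will then be forwarded into the routed subnets with only the tailnet ACLs left to block them. I would add, inside the `else` branch, `bashio::log.warning "Stateful filtering is disabled: unsolicited inbound packets from the tailnet will be forwarded to routed subnets and exit-node traffic (tailnet ACLs still apply)."`. Passing the flag explicitly on both branches rather than omitting it when the option is unset is the right call, since it pins the behaviour to the add-on's documented default instead of whatever the bundled tailscale build defaults to — as far as I recall upstream changed that default within the 1.66.x series, so an explicit value avoids a surprise on a binary update. The `options` array is assembled before and after this hunk and the `tailscale up` invocation that consumes it is outside the hunk.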
@@ -74,6 +74,14 @@ configuration: To support advanced Site-to-site networking (eg. to traverse multiple networks), you can disable this functionality. When not set, this option is enabled by default. + stateful_filtering: + name: Stateful packet filtering + description: >- + This option enables stateful packet filtering on packet-forwarding nodes (exit + nodes, subnet routers, and app connectors), to only allow return packets for + existing outbound connections. + To support basic Site-to-site networking, you can disable this functionality. + When not set, this option is enabled by default. tags: name: Tags description: >- From d2c367f03d968bec382a168821c0439f3331b402 Mon Sep 17 00:00:00 2001 From: Laszlo Magyar Date: Thu, 16 May 2024 23:05:18 +0200 Subject: [PATCH 2/6] update changelog and custom docs --- tailscale/CHANGELOG.md | 4 ++++ tailscale/DOCS.md | 1 + tailscale/README.md | 1 + 3 files changed, 6 insertions(+) diff --git a/tailscale/CHANGELOG.md b/tailscale/CHANGELOG.md index 3459effd..1f837fa5 100644 --- a/tailscale/CHANGELOG.md +++ b/tailscale/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## vNext (forked) + +- Make stateful-filtering configurable + ## 0.18.0.3 (forked) - Merge unreleased changes from community add-on diff --git a/tailscale/DOCS.md b/tailscale/DOCS.md index bb9bca9e..16ef0444 100644 --- a/tailscale/DOCS.md +++ b/tailscale/DOCS.md @@ -5,6 +5,7 @@ > This is a **fork** of the [community add-on][community_addon]! > > Changes: +> - Make stateful-filtering configurable > - Release unreleased changes from community add-on: > - Update tailscale/tailscale to v1.66.3 > - Linux optimizations for subnet routers and exit nodes ([details](https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes)) diff --git a/tailscale/README.md b/tailscale/README.md index 95c1b0fd..75ea39eb 100644 --- a/tailscale/README.md +++ b/tailscale/README.md 
@@ -7,6 +7,7 @@ Zero config VPN for building secure networks. > This is a **fork** of the [community add-on][community_addon]! > > Changes: +> - Make stateful-filtering configurable > - Release unreleased changes from community add-on: > - Update tailscale/tailscale to v1.66.3 > - Linux optimizations for subnet routers and exit nodes ([details](https://tailscale.com/kb/1320/performance-best-practices#linux-optimizations-for-subnet-routers-and-exit-nodes)) From 04bd26d0ca30f4a352cc370cbeccdb01969eefd9 Mon Sep 17 00:00:00 2001 From: Laszlo Magyar Date: Thu, 16 May 2024 23:14:38 +0200 Subject: [PATCH 3/6] fix indentation --- tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run index a604e28d..84a9504e 100755 --- a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run +++ b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run @@ -160,15 +160,15 @@ fi # Notify about unusual site-to-site networking configuration if (! bashio::config.has_value "stateful_filtering" || \ - bashio::config.true "stateful_filtering") && \ - bashio::config.false "snat_subnet_routes"; + bashio::config.true "stateful_filtering") && \ + bashio::config.false "snat_subnet_routes"; then bashio::log.notice "When snat_subnet_routes is disabled, consider disabling stateful_filtering also." fi # Notify about userspace networking if ! bashio::config.has_value "userspace_networking" || \ - bashio::config.true "userspace_networking"; + bashio::config.true "userspace_networking"; then bashio::log.notice "The add-on uses userspace networking mode." bashio::log.notice "If you need to access other clients on your tailnet from your Home Assistant instance," From 8f4d280fb399d763f33deea06c58c3fdb67782c2 Mon Sep 17 00:00:00 2001 
From: Laszlo Magyar Date: Thu, 16 May 2024 23:15:35 +0200 Subject: [PATCH 4/6] fix indentation in custom code --- .../rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run index 84a9504e..f5e0a281 100755 --- a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run +++ b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run @@ -151,11 +151,11 @@ fi # Warn about invalid certificate service configuration (can't be checked by the UI) if (bashio::config.has_value "lets_encrypt_certfile" && ! bashio::config.has_value "lets_encrypt_keyfile") || - (! bashio::config.has_value "lets_encrypt_certfile" && bashio::config.has_value "lets_encrypt_keyfile"); + (! bashio::config.has_value "lets_encrypt_certfile" && bashio::config.has_value "lets_encrypt_keyfile"); then - bashio::log.warning \ - "Both 'lets_encrypt' options ('lets_encrypt_certfile' and 'lets_encrypt_keyfile')" \ - "has to be specified or omitted together." + bashio::log.warning \ + "Both 'lets_encrypt' options ('lets_encrypt_certfile' and 'lets_encrypt_keyfile')" \ + "has to be specified or omitted together." fi # Notify about unusual site-to-site networking configuration From b6dba9763b974af8047056378ca1182977cdd364 Mon Sep 17 00:00:00 2001 From: Laszlo Magyar Date: Thu, 16 May 2024 23:31:43 +0200 Subject: [PATCH 5/6] remove note and notice about stateful-filtering and snat-subnet-routes correlation --- tailscale/DOCS.md | 6 ------ .../rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run | 8 -------- 2 files changed, 14 deletions(-) diff --git a/tailscale/DOCS.md b/tailscale/DOCS.md index 16ef0444..5768366c 100644 --- a/tailscale/DOCS.md +++ b/tailscale/DOCS.md 
@@ -359,9 +359,6 @@ steps 2 and 3 as described on [Site-to-site networking][tailscale_info_site_to_site]. But do it only when you really understand why you need this. -**Note:** If `snat_subnet_routes` is disabled, consider disabling -`stateful_filtering` also. - ### Option: `stateful_filtering` This option enables stateful packet filtering on packet-forwarding nodes (exit @@ -375,9 +372,6 @@ To support basic [Site-to-site networking][tailscale_info_site_to_site], you can disable this functionality, and execute steps 2 and 3 as described on [Site-to-site networking][tailscale_info_site_to_site]. -**Note:** If `snat_subnet_routes` is disabled, consider disabling -`stateful_filtering` also. - ### Option: `tags` This option allows you to specify specific ACL tags for this Tailscale diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run index f5e0a281..72ff513e 100755 --- a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run +++ b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run @@ -158,14 +158,6 @@ then "has to be specified or omitted together." fi -# Notify about unusual site-to-site networking configuration -if (! bashio::config.has_value "stateful_filtering" || \ - bashio::config.true "stateful_filtering") && \ - bashio::config.false "snat_subnet_routes"; -then - bashio::log.notice "When snat_subnet_routes is disabled, consider disabling stateful_filtering also." -fi - # Notify about userspace networking if ! bashio::config.has_value "userspace_networking" || \ bashio::config.true "userspace_networking"; From 53d7224c89b468a6f678fe31eefb74ecea345f8b Mon Sep 17 00:00:00 2001 From: Laszlo Magyar Date: Thu, 16 May 2024 23:44:33 +0200 Subject: [PATCH 6/6] bump version --- tailscale/CHANGELOG.md | 2 +- tailscale/config.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tailscale/CHANGELOG.md b/tailscale/CHANGELOG.md index 1f837fa5..e84ff8ab 100644 
--- a/tailscale/CHANGELOG.md +++ b/tailscale/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## vNext (forked) +## 0.18.0.4 (forked) - Make stateful-filtering configurable diff --git a/tailscale/config.yaml b/tailscale/config.yaml index 7beeda5f..fb3a51b9 100644 --- a/tailscale/config.yaml +++ b/tailscale/config.yaml @@ -1,6 +1,6 @@ --- name: Tailscale with features -version: 0.18.0.3 +version: 0.18.0.4 slug: tailscale description: Zero config VPN for building secure networks url: https://github.com/lmagyar/homeassistant-addon-tailscale