tailscale/wgengine
Mike O'Driscoll 33342aec32
The connmark save/restore rules in mangle/PREROUTING restore the Tailscale bypass fwmark (0x80000) onto reply packets so that rp_filter's reverse-path check routes through the main table instead of table 52. However, the kernel only uses the packet's fwmark during the rp_filter lookup when net.ipv4.conf.all.src_valid_mark=1. (#19537)
On systems where this sysctl defaults to 0 (including GCP VMs), rp_filter performs its lookup with fwmark=0, hits rule 5270 then table 52 and routes to 0.0.0.0/0 dev tailscale0, and drops every reply packet arriving on the physical interface as a martian. This breaks all connectivity when using an exit node: DERP, DNS, control plane, and even the cloud metadata service.

Set src_valid_mark=1 when enabling the connmark rules so the rp_filter workaround actually works in these cases.

Updates #3310
Updates tailscale/corp#37846

Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
2026-04-27 13:52:45 -04:00
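The sysctl interaction the commit message describes, as an added shell example (not tailscale code): it classifies whether a physical interface's reply packets will survive rp_filter given the current src_valid_mark setting, and applies the commit's fix by writing net.ipv4.conf.all.src_valid_mark=1. It assumes the sysctl tree is rooted at SYSCTL_ROOT (default /proc/sys) so it can be pointed at a constructed directory and run without root; the "effective" per-interface rules (rp_filter = max(all, iface), src_valid_mark = all OR iface) are the kernel's semantics as understood here, not something the commit states; the GCP-like values are constructed, not captured from a real VM; the rp_filter=2 (loose) branch is outside what the commit covers and is only flagged for manual review. Function names are illustrative.

```shell
#!/bin/sh
# Added example, not tailscale code. Audit and fix the rp_filter/src_valid_mark
# interaction from the commit message. SYSCTL_ROOT defaults to /proc/sys; set it
# to a constructed directory tree to exercise the logic offline without root.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# sysctl_get NAME: print the value of a dotted sysctl name, or "missing".
sysctl_get() {
  _p="$SYSCTL_ROOT/$(printf '%s' "$1" | tr '.' '/')"
  if [ -r "$_p" ]; then cat "$_p"; else printf 'missing\n'; fi
}

# sysctl_set NAME VALUE: write VALUE to the sysctl file, as `sysctl -w` does.
sysctl_set() {
  _p="$SYSCTL_ROOT/$(printf '%s' "$1" | tr '.' '/')"
  printf '%s\n' "$2" > "$_p"
}

# effective_rp_filter IFACE: assumption: the kernel applies max(all, iface).
effective_rp_filter() {
  _a=$(sysctl_get net.ipv4.conf.all.rp_filter)
  _i=$(sysctl_get "net.ipv4.conf.$1.rp_filter")
  [ "$_a" = missing ] && _a=0
  [ "$_i" = missing ] && _i=0
  if [ "$_a" -gt "$_i" ]; then echo "$_a"; else echo "$_i"; fi
}

# effective_src_valid_mark IFACE: assumption: the kernel ORs all and iface.
effective_src_valid_mark() {
  _a=$(sysctl_get net.ipv4.conf.all.src_valid_mark)
  _i=$(sysctl_get "net.ipv4.conf.$1.src_valid_mark")
  if [ "$_a" = 1 ] || [ "$_i" = 1 ]; then echo 1; else echo 0; fi
}

# reply_path_status IFACE: classify replies arriving on the physical interface.
#   ok               rp_filter off, or the restored fwmark is honoured by the
#                    reverse-path lookup (src_valid_mark=1), so the main table wins
#   martian-drop     strict rp_filter with src_valid_mark=0: the lookup runs with
#                    fwmark=0, hits table 52 (default via tailscale0) and the
#                    reply on IFACE is dropped as a martian (the commit's failure)
#   loose-unverified rp_filter=2, not covered by the commit; check by hand
reply_path_status() {
  _rp=$(effective_rp_filter "$1")
  _vm=$(effective_src_valid_mark "$1")
  if [ "$_rp" = 0 ]; then echo ok; return; fi
  if [ "$_vm" = 1 ]; then echo ok; return; fi
  if [ "$_rp" = 1 ]; then echo martian-drop; return; fi
  echo loose-unverified
}

# ensure_src_valid_mark: the commit's fix, to run alongside enabling the
# connmark save/restore rules. Prints the resulting value of the all.* sysctl.
ensure_src_valid_mark() {
  [ "$(sysctl_get net.ipv4.conf.all.src_valid_mark)" = 1 ] || \
    sysctl_set net.ipv4.conf.all.src_valid_mark 1
  sysctl_get net.ipv4.conf.all.src_valid_mark
}

# build_gcp_like_tree DIR: constructed sysctl tree (not captured from a real
# host) with the defaults the commit attributes to GCP VMs: strict rp_filter
# on "all", src_valid_mark=0 everywhere, one physical interface eth0.
build_gcp_like_tree() {
  mkdir -p "$1/net/ipv4/conf/all" "$1/net/ipv4/conf/eth0"
  echo 1 > "$1/net/ipv4/conf/all/rp_filter"
  echo 0 > "$1/net/ipv4/conf/eth0/rp_filter"
  echo 0 > "$1/net/ipv4/conf/all/src_valid_mark"
  echo 0 > "$1/net/ipv4/conf/eth0/src_valid_mark"
}

# Demonstration against the constructed tree: before the fix replies on eth0
# are martians, after it the reverse-path lookup honours the 0x80000 mark.
demo=$(mktemp -d)
build_gcp_like_tree "$demo"
SYSCTL_ROOT=$demo
echo "before: $(reply_path_status eth0)"
ensure_src_valid_mark >/dev/null
echo "after:  $(reply_path_status eth0)"
rm -rf "$demo"
```

To audit a live host, run it with SYSCTL_ROOT=/proc/sys and the interface the default route uses; only ensure_src_valid_mark needs root, and it is the one line a service that installs the connmark rules should execute before relying on them.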
bench all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
filter all: use Go 1.26 things, run most gofix modernizers 2026-03-06 13:32:03 -08:00
magicsock wgengine/magicsock: do not send TSMP disco when connected (#19497) 2026-04-23 12:23:57 -04:00
netlog all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
netstack wgengine/netstack: absorb all quad-100 traffic locally, never leak to peers 2026-04-24 12:42:16 -07:00
router The connmark save/restore rules in mangle/PREROUTING restore the Tailscale bypass fwmark (0x80000) onto reply packets so that rp_filter's reverse-path check routes through the main table instead of table 52. However, the kernel only uses the packet's fwmark during the rp_filter lookup when net.ipv4.conf.all.src_valid_mark=1. (#19537) 2026-04-27 13:52:45 -04:00
wgcfg cmd/vet: add subtestnames analyzer; fix all existing violations 2026-04-05 15:52:51 -07:00
wgint all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
wglog all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
winnet all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
mem_ios.go all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
pendopen_omit.go all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
pendopen.go all: use bart.Lite instead of bart.Table where appropriate 2026-03-24 14:45:23 +00:00
userspace_ext_test.go all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
userspace_test.go wgengine: replace reflect.DeepEqual with typed Equal for maybeReconfigInputs (#19365) 2026-04-14 13:16:21 -04:00
userspace.go wgengine: replace reflect.DeepEqual with typed Equal for maybeReconfigInputs (#19365) 2026-04-14 13:16:21 -04:00
watchdog_omit.go all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00
watchdog_test.go cmd/vet: add subtestnames analyzer; fix all existing violations 2026-04-05 15:52:51 -07:00
watchdog.go control/controlclient,ipn/ipnlocal,wgengine: avoid restarting wireguard when key is learned via tsmp (#19142) 2026-03-30 14:26:08 -04:00
wgengine.go all: remove AUTHORS file and references to it 2026-01-23 15:49:45 -08:00