webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ipn/ipnlocal: warn incompatibility between no-snat-routes and exitnode (#19023)

Browse Source 
* ipn/ipnlocal: warn incompatibility between no-snat-routes and exitnode

This commit adds a warning to health check when the --snat-subnet-routes=false flag for subnet router is
set alone side --advertise-exit-node=true. These two would conflict with each other and result internet-bound
traffic from peers using this exit node no masqueraded to the node's source IP and fail to route return
packets back. The described combination is not valid until we figure out a way to separate exitnode masquerade rule and skip it for subnet routes.

Updates #18725

Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>

* use date instead of for now to clarify effectivness

Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>

---------

Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
This commit is contained in:
KevinLiang10
2026-03-26 12:36:31 -04:00
committed by GitHub
parent b4519e97c3
commit 45f989f52a
4 changed files with 107 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cmd/tailscale/cli/set.go
+5
View File
@@ -265,6 +265,11 @@ func runSet(ctx context.Context, args []string) (retErr error) {
checkPrefs := curPrefs.Clone()
checkPrefs.ApplyEdits(maskedPrefs)
// We want to make sure user is aware setting --snat-subnet-routes=false with --advertise-exit-node would break exitnode,
// but we won't prevent them from doing it since there are current dependencies on that combination. (as of 2026-03-25)
if checkPrefs.NoSNAT && checkPrefs.AdvertisesExitNode() {
warnf("--snat-subnet-routes=false is set with --advertise-exit-node; internet traffic through this exit node may not work as expected")
}
if err := localClient.CheckPrefs(ctx, checkPrefs); err != nil {
return err
}
cmd/tailscale/cli/up.go
+5
View File
@@ -357,6 +357,11 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
if goos == "linux" {
prefs.NoSNAT = !upArgs.snat
// We want to make sure user is aware setting --snat-subnet-routes=false with --advertise-exit-node would break exitnode,
// but we won't prevent them from doing it since there are current dependencies on that combination. (as of 2026-03-25)
if prefs.NoSNAT && prefs.AdvertisesExitNode() {
warnf("--snat-subnet-routes=false is set with --advertise-exit-node; internet traffic through this exit node may not work as expected")
}
// Backfills for NoStatefulFiltering occur when loading a profile; just set it explicitly here.
prefs.NoStatefulFiltering.Set(!upArgs.statefulFiltering)