webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

util/linuxfw,wgengine/router: allow incoming CGNAT range traffic with nodeattr

Browse Source 
Clients with the newly added node attribute
`"disable-linux-cgnat-drop-rule"` will not automatically drop inbound
traffic on non-Tailscale network interfaces with the source IP in the
CGNAT IP range. This is an initial proof-of-concept for enabling
connectivity with off-Tailnet CGNAT endpoints.

Fixes tailscale/corp#36270.

Signed-off-by: Naman Sood <mail@nsood.in>
This commit is contained in:
Naman Sood
2026-04-14 16:45:06 -04:00
committed by GitHub
parent 5834058269
commit 6301a6ce4b
14 changed files with 527 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files
util/linuxfw/linuxfw.go
+7
View File
@@ -53,6 +53,13 @@ const (
FirewallModeNfTables FirewallMode = "nftables"
)
type CGNATMode string
const (
CGNATModeDrop CGNATMode = "DROP"
CGNATModeReturn CGNATMode = "RETURN"
)
// The following bits are added to packet marks for Tailscale use.
//
// We tried to pick bits sufficiently out of the way that it's