wgengine/router/osrouter: skip netfilter add-ons when chain setup fails (#19757)

linuxRouter has two blocks (connmark rules and the CGNAT drop rule) that
gate on cfg.NetfilterMode, the requested config state. This may cause an
error when setNetfilterModeLocked fails, since it may keep assuming this
config is valid.

We now gate both blocks on r.netfilterMode, matching the pattern used by
SNAT, stateful, and loopback paths.

Fixes #19737

Change-Id: Ia6003a082db99c376e662132d725661afbac0ee9

Signed-off-by: Fernando Serboncini <fserb@tailscale.com>
This commit is contained in:
Fernando Serboncini
2026-05-15 09:32:30 -04:00
committed by GitHub
parent 1d3562b314
commit c355618e73
2 changed files with 64 additions and 3 deletions
+5 -3
View File
@@ -490,7 +490,9 @@ func (r *linuxRouter) Set(cfg *router.Config) error {
// Connmark rules for rp_filter compatibility.
// Always enabled when netfilter is ON to handle all rp_filter=1 scenarios
// (normal operation, exit nodes, subnet routers, and clients using exit nodes).
netfilterOn := cfg.NetfilterMode == netfilterOn
// Gate on r.netfilterMode (actual state) rather than cfg.NetfilterMode
// (desired state) so we don't call into the runner when chain setup failed.
netfilterOn := r.netfilterMode == netfilterOn
switch {
case netfilterOn == r.connmarkEnabled:
// state already correct, nothing to do.
@@ -530,8 +532,8 @@ func (r *linuxRouter) Set(cfg *router.Config) error {
r.enableIPForwarding()
}
// Remove the rule to drop off-tailnet CGNAT traffic, if asked.
if netfilterOn || cfg.NetfilterMode == netfilterNoDivert {
// Remove the rule to drop off-tailnet CGNAT traffic, if needed.
if netfilterOn || r.netfilterMode == netfilterNoDivert {
var cgnatMode linuxfw.CGNATMode
if cfg.RemoveCGNATDropRule {
cgnatMode = linuxfw.CGNATModeReturn