wgengine/router/osrouter: skip netfilter add-ons when chain setup fails (#19761) - tailscale - The easiest, most secure way to use WireGuard and 2FA

diff options

author	Fernando Serboncini <fserb@tailscale.com>	2026-05-15 09:34:44 -0400
committer	GitHub <noreply@github.com>	2026-05-15 09:34:44 -0400
commit	666f0d28208a60c96fa2ac2a0be848b591abb70b (patch)
tree	80f725cff4139e16401856061b3c4214739f0d79 /control/controlhttp/controlhttpserver/controlhttpserver.go
parent	34c530668cb05fa60b3d707a44b70460344789ef (diff)
download	tailscale-666f0d28208a60c96fa2ac2a0be848b591abb70b.tar.xz tailscale-666f0d28208a60c96fa2ac2a0be848b591abb70b.zip

wgengine/router/osrouter: skip netfilter add-ons when chain setup fails (#19761)

linuxRouter has two blocks (connmark rules and the CGNAT drop rule) that gate on cfg.NetfilterMode, the requested config state. This may cause an error when setNetfilterModeLocked fails, since it may keep assuming this config is valid. We now gate both blocks on r.netfilterMode, matching the pattern used by SNAT, stateful, and loopback paths. Fixes #19737 Change-Id: Ia6003a082db99c376e662132d725661afbac0ee9 (cherry picked from commit 20b814893b2dbf42793fe18e6dfff4413d0c4ee2) Signed-off-by: Fernando Serboncini <fserb@tailscale.com>

Diffstat (limited to 'control/controlhttp/controlhttpserver/controlhttpserver.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: