Make stateful filtering configurable (#357)

tailscale/DOCS.md

@@ -75,6 +75,7 @@ login_server: "https://controlplane.tailscale.com"
 proxy: false
 proxy_and_funnel_port: 443
 snat_subnet_routes: true
+stateful_filtering: true
 tags:
   - tag:example
   - tag:homeassistant
@@ -279,8 +280,23 @@ router, and this simplifies routing configuration.
 When not set, this option is enabled by default.
 
 To support advanced [Site-to-site networking][tailscale_info_site_to_site] (eg.
-to traverse multiple networks), you can disable this functionality. But do it
-only when you really understand why you need this.
+to traverse multiple networks), you can disable this functionality, and execute
+steps 2 and 3 as described on [Site-to-site
+networking][tailscale_info_site_to_site]. But do it only when you really
+understand why you need this.
+
+### Option: `stateful_filtering`
+
+This option enables stateful packet filtering on packet-forwarding nodes (exit
+nodes, subnet routers, and app connectors), to only allow return packets for
+existing outbound connections. Inbound packets that don't belong to an existing
+connection are dropped.
+
+When not set, this option is enabled by default.
+
+To support basic [Site-to-site networking][tailscale_info_site_to_site], you can
+disable this functionality, and execute steps 2 and 3 as described on
+[Site-to-site networking][tailscale_info_site_to_site].
 
 ### Option: `tags`
 
@@ -312,8 +328,8 @@ instance, disable userspace networking mode, which will create a `tailscale0`
 network interface on your host.
 
 If you want to access other clients on your tailnet even from your local subnet,
-execute steps 2 and 3 as described on [Site-to-site
-networking][tailscale_info_site_to_site].
+disable `stateful_filtering` and execute steps 2 and 3 as described on
+[Site-to-site networking][tailscale_info_site_to_site].
 
 In case your local subnets collide with subnet routes within your tailnet, your
 local network access has priority, and these addresses won't be routed toward

tailscale/config.yaml

@@ -38,6 +38,7 @@ schema:
   proxy: bool?
   proxy_and_funnel_port: match(^(443|8443|10000)$)?
   snat_subnet_routes: bool?
+  stateful_filtering: bool?
   tags:
     - "match(^tag:[a-zA-Z][a-zA-Z0-9-]*$)?"
   taildrop: bool?

tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run

@@ -64,6 +64,15 @@ then
   options+=(--login-server="${login_server}")
 fi
 
+# Support basic site-to-site networking, disable stateful filtering
+if ! bashio::config.has_value "stateful_filtering" || \
+  bashio::config.true "stateful_filtering";
+then
+  options+=(--stateful-filtering)
+else
+  options+=(--stateful-filtering=false)
+fi
+
 # Support advanced site-to-site networking, disable source addresses NAT
 if ! bashio::config.has_value "snat_subnet_routes" || \
   bashio::config.true "snat_subnet_routes";

tailscale/translations/en.yaml

@@ -72,6 +72,14 @@ configuration:
       To support advanced Site-to-site networking (eg. to traverse multiple
       networks), you can disable this functionality.
       When not set, this option is enabled by default.
+  stateful_filtering:
+    name: Stateful packet filtering
+    description: >-
+      This option enables stateful packet filtering on packet-forwarding nodes (exit
+      nodes, subnet routers, and app connectors), to only allow return packets for
+      existing outbound connections.
+      To support basic Site-to-site networking, you can disable this functionality.
+      When not set, this option is enabled by default.
   tags:
     name: Tags
     description: >-