diff --git a/tailscale/DOCS.md b/tailscale/DOCS.md
index 518af257..7bfc3233 100644
--- a/tailscale/DOCS.md
+++ b/tailscale/DOCS.md
@@ -75,6 +75,7 @@ login_server: "https://controlplane.tailscale.com"
 proxy: false
 proxy_and_funnel_port: 443
 snat_subnet_routes: true
+stateful_filtering: true
 tags:
   - tag:example
   - tag:homeassistant
@@ -279,8 +280,23 @@ router, and this simplifies routing configuration.
 When not set, this option is enabled by default.
 
 To support advanced [Site-to-site networking][tailscale_info_site_to_site] (eg.
-to traverse multiple networks), you can disable this functionality. But do it
-only when you really understand why you need this.
+to traverse multiple networks), you can disable this functionality, and execute
+steps 2 and 3 as described on [Site-to-site
+networking][tailscale_info_site_to_site]. But do it only when you really
+understand why you need this.
+
+### Option: `stateful_filtering`
+
+This option enables stateful packet filtering on packet-forwarding nodes (exit
+nodes, subnet routers, and app connectors), to only allow return packets for
+existing outbound connections. Inbound packets that don't belong to an existing
+connection are dropped.
+
+When not set, this option is enabled by default.
+
+To support basic [Site-to-site networking][tailscale_info_site_to_site], you can
+disable this functionality, and execute steps 2 and 3 as described on
+[Site-to-site networking][tailscale_info_site_to_site].
 
 ### Option: `tags`
 
@@ -312,8 +328,8 @@ instance, disable userspace networking mode, which will create a `tailscale0`
 network interface on your host.
 
 If you want to access other clients on your tailnet even from your local subnet,
-execute steps 2 and 3 as described on [Site-to-site
-networking][tailscale_info_site_to_site].
+disable `stateful_filtering` and execute steps 2 and 3 as described on
+[Site-to-site networking][tailscale_info_site_to_site].
 
 In case your local subnets collide with subnet routes within your tailnet, your
 local network access has priority, and these addresses won't be routed toward
diff --git a/tailscale/config.yaml b/tailscale/config.yaml
index 7b1eb35b..484ef7a6 100644
--- a/tailscale/config.yaml
+++ b/tailscale/config.yaml
@@ -38,6 +38,7 @@ schema:
   proxy: bool?
   proxy_and_funnel_port: match(^(443|8443|10000)$)?
   snat_subnet_routes: bool?
+  stateful_filtering: bool?
   tags:
     - "match(^tag:[a-zA-Z][a-zA-Z0-9-]*$)?"
   taildrop: bool?
diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
index 32e165a9..ca9564b1 100755
--- a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
+++ b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
@@ -64,6 +64,15 @@ then
   options+=(--login-server="${login_server}")
 fi
 
+# Support basic site-to-site networking, disable stateful filtering
+if ! bashio::config.has_value "stateful_filtering" || \
+  bashio::config.true "stateful_filtering";
+then
+  options+=(--stateful-filtering)
+else
+  options+=(--stateful-filtering=false)
+fi
+
 # Support advanced site-to-site networking, disable source addresses NAT
 if ! bashio::config.has_value "snat_subnet_routes" || \
   bashio::config.true "snat_subnet_routes";
diff --git a/tailscale/translations/en.yaml b/tailscale/translations/en.yaml
index f231cc6e..7c9ea49a 100644
--- a/tailscale/translations/en.yaml
+++ b/tailscale/translations/en.yaml
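Review bot: The comment introducing the new block in post-tailscaled/run says it disables stateful filtering, but the block keeps filtering enabled unless the option is explicitly `false`, and it does not record what turning it off means for the host; I would replace it with `# Stateful filtering stays on unless explicitly disabled; disabling it lets tailnet peers initiate new connections into the local subnet (needed for basic site-to-site networking)`, which matches what the DOCS.md hunk describes. The enabled branch passes `--stateful-filtering` bare while the disabled branch passes `--stateful-filtering=false`; writing `options+=(--stateful-filtering=true)` keeps the two branches symmetric and makes the chosen value visible in logs. If the bundled tailscale binary predates support for this flag, `tailscale up` would reject the unknown option, so the version the add-on ships is worth confirming, though that cannot be seen from the hunk.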
@@ -72,6 +72,14 @@ configuration:
       To support advanced Site-to-site networking (eg. to traverse multiple
       networks), you can disable this functionality.
       When not set, this option is enabled by default.
+  stateful_filtering:
+    name: Stateful packet filtering
+    description: >-
+      This option enables stateful packet filtering on packet-forwarding nodes (exit
+      nodes, subnet routers, and app connectors), to only allow return packets for
+      existing outbound connections.
+      To support basic Site-to-site networking, you can disable this functionality.
+      When not set, this option is enabled by default.
   tags:
     name: Tags
     description: >-