Merge pull request #170851 from danderson/danderson/ts-warn-rpf
nixos/tailscale: warn if strict reverse path filtering is in use.
This commit is contained in:
commit
d21ebc62bf
@ -2,7 +2,11 @@
|
||||
|
||||
with lib;
|
||||
|
||||
let cfg = config.services.tailscale;
|
||||
let
|
||||
cfg = config.services.tailscale;
|
||||
firewallOn = config.networking.firewall.enable;
|
||||
rpfMode = config.networking.firewall.checkReversePath;
|
||||
rpfIsStrict = rpfMode == true || rpfMode == "strict";
|
||||
in {
|
||||
meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ];
|
||||
|
||||
@ -36,6 +40,7 @@ in {
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
warnings = optional (firewallOn && rpfIsStrict) "Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting `networking.firewall.checkReversePath` = 'loose'";
|
||||
environment.systemPackages = [ cfg.package ]; # for the CLI
|
||||
systemd.packages = [ cfg.package ];
|
||||
systemd.services.tailscaled = {
|
||||
|
Loading…
Reference in New Issue
Block a user