wgengine, wgengine/router, cmd/tailscale: force netfilter mode off on Synology

For now. Get it working again so it's not stuck on 0.98.

Subnet relay can come later.

Updates #451

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

cmd/tailscale/cli/up.go

@@ -7,6 +7,7 @@ package cli
 import (
 	"bytes"
 	"context"
+	"errors"
 	"flag"
 	"fmt"
 	"log"
@@ -23,6 +24,7 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/version"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/router"
 )
 
@@ -63,14 +65,21 @@ specify any flags, options are reset to their default.
 			upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. 10.0.0.0/8,192.168.0.0/24)")
 		}
 		if runtime.GOOS == "linux" {
-			upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with -advertise-routes")
+			upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with --advertise-routes")
-			upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", "on", "netfilter mode (one of on, nodivert, off)")
+			upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", defaultNetfilterMode(), "netfilter mode (one of on, nodivert, off)")
 		}
 		return upf
 	})(),
 	Exec: runUp,
 }
 
+func defaultNetfilterMode() string {
+	if distro.Get() == distro.Synology {
+		return "off"
+	}
+	return "on"
+}
+
 var upArgs struct {
 	server          string
 	acceptRoutes    bool
@@ -151,6 +160,19 @@ func runUp(ctx context.Context, args []string) error {
 		log.Fatalf("too many non-flag arguments: %q", args)
 	}
 
+	if distro.Get() == distro.Synology {
+		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
+		if upArgs.advertiseRoutes != "" {
+			return errors.New("--advertise-routes is " + notSupported)
+		}
+		if upArgs.acceptRoutes {
+			return errors.New("--accept-routes is " + notSupported)
+		}
+		if upArgs.netfilterMode != "off" {
+			return errors.New("--netfilter-mode values besides \"off\" " + notSupported)
+		}
+	}
+
 	var routes []wgcfg.CIDR
 	if upArgs.advertiseRoutes != "" {
 		advroutes := strings.Split(upArgs.advertiseRoutes, ",")

cmd/tailscale/depaware.txt

@@ -75,6 +75,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
         tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
         tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
         tailscale.com/wgengine                                       from tailscale.com/ipn
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
         tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine

cmd/tailscaled/depaware.txt

@@ -81,6 +81,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
         tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
         tailscale.com/version                                        from tailscale.com/control/controlclient+
+        tailscale.com/version/distro                                 from tailscale.com/wgengine+
         tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
         tailscale.com/wgengine/magicsock                             from tailscale.com/cmd/tailscaled+

version/distro/distro.go

@@ -0,0 +1,40 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package distro reports which distro we're running on.
+package distro
+
+import (
+	"os"
+	"runtime"
+)
+
+type Distro string
+
+const (
+	Debian   = Distro("debian")
+	Arch     = Distro("arch")
+	Synology = Distro("synology")
+)
+
+// Get returns the current distro, or the empty string if unknown.
+func Get() Distro {
+	if runtime.GOOS == "linux" {
+		return linuxDistro()
+	}
+	return ""
+}
+
+func linuxDistro() Distro {
+	if fi, err := os.Stat("/usr/syno"); err == nil && fi.IsDir() {
+		return Synology
+	}
+	if _, err := os.Stat("/etc/debian_version"); err == nil {
+		return Debian
+	}
+	if _, err := os.Stat("/etc/arch-release"); err == nil {
+		return Arch
+	}
+	return ""
+}

wgengine/router/router_linux.go

@@ -15,6 +15,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/logger"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/router/dns"
 )
 
@@ -210,6 +211,9 @@ func (r *linuxRouter) Set(cfg *Config) error {
 // reflect the new mode, and r.snatSubnetRoutes is updated to reflect
 // the current state of subnet SNATing.
 func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
+	if distro.Get() == distro.Synology {
+		mode = NetfilterOff
+	}
 	if r.netfilterMode == mode {
 		return nil
 	}

wgengine/userspace.go

@@ -37,6 +37,7 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/magicsock"
 	"tailscale.com/wgengine/monitor"
@@ -1244,9 +1245,8 @@ func diagnoseLinuxTUNFailure(logf logger.Logf) {
 	}
 	logf("is CONFIG_TUN enabled in your kernel? `modprobe tun` failed with: %s", modprobeOut)
 
-	distro := linuxDistro()
+	switch distro.Get() {
-	switch distro {
+	case distro.Debian:
-	case "debian":
 		dpkgOut, err := exec.Command("dpkg", "-S", "kernel/drivers/net/tun.ko").CombinedOutput()
 		if len(bytes.TrimSpace(dpkgOut)) == 0 || err != nil {
 			logf("tun module not loaded nor found on disk")
@@ -1255,7 +1255,7 @@ func diagnoseLinuxTUNFailure(logf logger.Logf) {
 		if !bytes.Contains(dpkgOut, kernel) {
 			logf("kernel/drivers/net/tun.ko found on disk, but not for current kernel; are you in middle of a system update and haven't rebooted? found: %s", dpkgOut)
 		}
-	case "arch":
+	case distro.Arch:
 		findOut, err := exec.Command("find", "/lib/modules/", "-path", "*/net/tun.ko*").CombinedOutput()
 		if len(bytes.TrimSpace(findOut)) == 0 || err != nil {
 			logf("tun module not loaded nor found on disk")
@@ -1266,13 +1266,3 @@ func diagnoseLinuxTUNFailure(logf logger.Logf) {
 		}
 	}
 }
-
-func linuxDistro() string {
-	if _, err := os.Stat("/etc/debian_version"); err == nil {
-		return "debian"
-	}
-	if _, err := os.Stat("/etc/arch-release"); err == nil {
-		return "arch"
-	}
-	return ""
-}