various: disable stateful filtering by default (#12197)

After some analysis, stateful filtering is only necessary in tailnets that use `autogroup:danger-all` in `src` in ACLs. And in those cases users explicitly specify that hosts outside of the tailnet should be able to reach their nodes. To fix local DNS breakage in containers, we disable stateful filtering by default. Updates #12108 Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
2025-08-12 05:37:32 +00:00 · 2024-05-20 11:44:29 -07:00
parent 6db1219185
commit c9179bc261
8 changed files with 159 additions and 246 deletions
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -4186,18 +4186,7 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs ipn.PrefsView, oneC
 	}

 	var doStatefulFiltering bool
-	if v, ok := prefs.NoStatefulFiltering().Get(); !ok {
-		// The stateful filtering preference isn't explicitly set; this is
-		// unexpected since we expect it to be set during the profile
-		// backfill, but to be safe let's enable stateful filtering
-		// absent further information.
-		doStatefulFiltering = true
-		b.logf("[unexpected] NoStatefulFiltering preference not set; enabling stateful filtering")
-	} else if v {
-		// The preferences explicitly say "no stateful filtering", so
-		// we don't do it.
-		doStatefulFiltering = false
-	} else {
+	if v, ok := prefs.NoStatefulFiltering().Get(); ok && !v {
 		// The preferences explicitly "do stateful filtering" is turned
 		// off, or to expand the double negative, to do stateful
 		// filtering. Do so.