cmd/tailscale/cli: add a risk message about rp_filter

We already present a health warning about this, but it is easy to miss on a server when blackholing traffic makes it unreachable. In addition to a health warning, present a risk message when exit node is enabled. Example: ``` $ tailscale up --exit-node=lizard The following issues on your machine will likely make usage of exit nodes impossible: - interface "ens4" has strict reverse-path filtering enabled - interface "tailscale0" has strict reverse-path filtering enabled Please set rp_filter=2 instead of rp_filter=1; see https://github.com/tailscale/tailscale/issues/3310 To skip this warning, use --accept-risk=linux-strict-rp-filter $ ``` Updates #3310 Signed-off-by: Anton Tolchanov <anton@tailscale.com>
2025-08-14 15:07:55 +00:00 · 2025-05-22 20:12:59 +01:00
parent cc8dc9e4dc
commit db34cdcfe7
10 changed files with 143 additions and 71 deletions
--- a/cmd/k8s-operator/depaware.txt
+++ b/cmd/k8s-operator/depaware.txt
@@ -796,7 +796,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
        tailscale.com/envknob/featureknob                            from tailscale.com/client/web+
        tailscale.com/feature                                        from tailscale.com/ipn/ipnext+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
-        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
+        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/hostinfo                                       from tailscale.com/client/web+
        tailscale.com/internal/client/tailscale                      from tailscale.com/cmd/k8s-operator
        tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
--- a/cmd/tailscale/cli/risks.go
+++ b/cmd/tailscale/cli/risks.go
@@ -4,15 +4,18 @@
 package cli

 import (
+	"context"
 	"errors"
 	"flag"
 	"fmt"
 	"os"
 	"os/signal"
+	"runtime"
 	"strings"
 	"syscall"
 	"time"

+	"tailscale.com/ipn"
 	"tailscale.com/util/testenv"
 )

@@ -20,11 +23,12 @@ var (
 	riskTypes           []string
 	riskLoseSSH         = registerRiskType("lose-ssh")
 	riskMacAppConnector = registerRiskType("mac-app-connector")
+	riskStrictRPFilter  = registerRiskType("linux-strict-rp-filter")
 	riskAll             = registerRiskType("all")
 )

 const riskMacAppConnectorMessage = `
-You are trying to configure an app connector on macOS, which is not officially supported due to system limitations. This may result in performance and reliability issues. 
+You are trying to configure an app connector on macOS, which is not officially supported due to system limitations. This may result in performance and reliability issues.

 Do not use a macOS app connector for any mission-critical purposes. For the best experience, Linux is the only recommended platform for app connectors.
 `
@@ -89,3 +93,18 @@ func presentRiskToUser(riskType, riskMessage, acceptedRisks string) error {
 	printf("\r%s\r", strings.Repeat(" ", msgLen))
 	return errAborted
 }
+
+// checkExitNodeRisk checks if the user is using an exit node on Linux and
+// whether reverse path filtering is enabled. If so, it presents a risk message.
+func checkExitNodeRisk(ctx context.Context, prefs *ipn.Prefs, acceptedRisks string) error {
+	if runtime.GOOS != "linux" {
+		return nil
+	}
+	if !prefs.ExitNodeIP.IsValid() && prefs.ExitNodeID == "" {
+		return nil
+	}
+	if err := localClient.CheckReversePathFiltering(ctx); err != nil {
+		return presentRiskToUser(riskStrictRPFilter, err.Error(), acceptedRisks)
+	}
+	return nil
+}
--- a/cmd/tailscale/cli/set.go
+++ b/cmd/tailscale/cli/set.go
@@ -183,6 +183,9 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 	}

 	warnOnAdvertiseRouts(ctx, &maskedPrefs.Prefs)
+	if err := checkExitNodeRisk(ctx, &maskedPrefs.Prefs, setArgs.acceptedRisks); err != nil {
+		return err
+	}
 	var advertiseExitNodeSet, advertiseRoutesSet bool
 	setFlagSet.Visit(func(f *flag.Flag) {
 		updateMaskedPrefsFromUpOrSetFlag(maskedPrefs, f.Name)
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -481,6 +481,9 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 	}

 	warnOnAdvertiseRouts(ctx, prefs)
+	if err := checkExitNodeRisk(ctx, prefs, upArgs.acceptedRisks); err != nil {
+		return err
+	}

 	curPrefs, err := localClient.GetPrefs(ctx)
 	if err != nil {
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -281,7 +281,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/feature/tpm                                    from tailscale.com/feature/condregister
        tailscale.com/feature/wakeonlan                              from tailscale.com/feature/condregister
        tailscale.com/health                                         from tailscale.com/control/controlclient+
-        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal
+        tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/hostinfo                                       from tailscale.com/client/web+
        tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
        tailscale.com/ipn                                            from tailscale.com/client/local+