mirror of
https://github.com/tailscale/tailscale.git
synced 2025-01-07 08:07:42 +00:00
f69003fd46
Specifically, this sequence:

    iptables -N ts-forward
    iptables -A ts-forward -m mark --mark 0x10000 -j ACCEPT
    iptables -A FORWARD -j ts-forward

doesn't work on Debian-9-using-nftables, but this sequence:

    iptables -N ts-forward
    iptables -A FORWARD -j ts-forward
    iptables -A ts-forward -m mark --mark 0x10000 -j ACCEPT

does work.

I'm sure the reason why is totally fascinating, but it's an old version of iptables and the bug doesn't seem to exist on modern nftables, so let's refactor our code to add rules in the always-safe order and pretend this never happened.

Fixes #401.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>