Patch Tailscale for nftables fwmark endianness issue#1
Open
admonstrator wants to merge 5 commits into GLiNet-Community-Scripts:main from
Conversation
- Add patches/0001-fix-nftables-fwmark-endianness.patch.
- Keep upstream build logic unchanged; minimally add checkout for this repo and apply patch before go mod download/cross-compile.

Refs: tailscale/tailscale#11803
Refs: tailscale/tailscale#19601
Signed-off-by: Dongming Han <handongming@gl-inet.com>

…1) (#82)

## Problem

On **little-endian** hosts (arm64, amd64), Tailscale's **nftables** netfilter backend built fwmark **mask/value** bytes for `meta mark` / `Bitwise` expressions using the **wrong byte order**. Rules that should match **`0x40000 / 0xff0000`** (third byte) instead behaved like **`0x00000400 / 0x0000ff00`**, i.e. the mask effectively hits the **wrong 8-bit lane**.

That collides with **policy-routing marks in the `0x8000 / 0xf000` nibble** (e.g. OpenWrt **fw4 / `vpn_table`** style marks on GL.iNet firmware). **Tailscale's `0x80000/0xff0000` and GL's `0x8000/0xf000` are meant to be non-overlapping in `ip rule`**, but the nft bug shifts the bitfield so they **fight the same mark bits**.

Typical symptom: **first packet of a flow passes, later packets break** (e.g. LAN ping gets one reply then silence) once **connmark save/restore** paths run on **ESTABLISHED** traffic, consistent with [tailscale#11803](tailscale/tailscale#11803).

Workaround users may try: `tailscale set --netfilter-mode=off` (trade off Tailscale's netfilter integration).

Proper fix: **`encoding/binary.NativeEndian`** in `util/linuxfw`, same direction as [tailscale#19601](tailscale/tailscale#19601).

## This PR

- Adds `patches/0001-fix-nftables-fwmark-endianness.patch` (from the #11803 / #19601 fix).
- In `build-tailscale.yaml`, after checking out `tailscale/tailscale`, checks out this repo under `repo/` and runs `patch -p1 < repo/patches/0001-...` **before** `go mod download` / cross-compile.

**No change** to feature tags, UPX publishing, or release flow; only the Tailscale sources are patched before build.

## When to drop this

Remove the patch + checkout/apply steps after **#19601** is merged **and** the Tailscale release you build already contains the fix.
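To make the byte-order collision described above concrete, here is an added Go model (not code from this PR or from Tailscale) of the two encodings. It serialises the Tailscale mask/value with the defective big-endian order and with host order, then reads the bytes back the way a little-endian kernel consumes `meta mark` / `Bitwise` data, and checks whether the resulting effective mask overlaps the GL.iNet `0xf000` nibble. The mark values are the ones quoted in the description; the helper names, the explicit `LittleEndian` stand-in for "native" (the upstream fix uses `binary.NativeEndian`), and the sample packet mark `0x48000` are this example's own assumptions.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Mark values quoted in the PR description (not invented here).
const (
	tsSubnetRouteMark uint32 = 0x40000  // Tailscale value: third byte lane
	tsFwmarkMask      uint32 = 0xff0000 // Tailscale mask
	glVPNMark         uint32 = 0x8000   // fw4 / vpn_table style policy-routing mark
	glVPNMask         uint32 = 0xf000   // nibble reserved by GL.iNet firmware
)

// encodeMarkBuggy models the defect the description reports: the 32-bit mark
// is serialised big-endian regardless of the host's byte order.
func encodeMarkBuggy(v uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, v)
	return b
}

// encodeMarkNative serialises in host byte order. It is written as
// LittleEndian to stand in for arm64/amd64; the real fix uses binary.NativeEndian.
func encodeMarkNative(v uint32) []byte {
	b := make([]byte, 4)
	binary.LittleEndian.PutUint32(b, v)
	return b
}

// kernelReadsMark models how a little-endian kernel consumes the 4-byte
// mask/value register data: as a native-order uint32.
func kernelReadsMark(b []byte) uint32 {
	return binary.LittleEndian.Uint32(b)
}

// effectiveRule returns the (mask, value) pair the kernel actually applies for
// a given encoder, i.e. what `meta mark & mask == value` really tests.
func effectiveRule(encode func(uint32) []byte) (mask, value uint32) {
	return kernelReadsMark(encode(tsFwmarkMask)), kernelReadsMark(encode(tsSubnetRouteMark))
}

// overlaps reports whether two masks share any bits, i.e. whether the two
// rule sets fight over the same fwmark lane.
func overlaps(maskA, maskB uint32) bool { return maskA&maskB != 0 }

// matches models the nft test `meta mark & mask == value`.
func matches(mark, mask, value uint32) bool { return mark&mask == value }

func main() {
	// Constructed sample: a packet carrying both the GL policy-routing mark
	// and the Tailscale subnet-route mark in their intended, disjoint lanes.
	pkt := glVPNMark | tsSubnetRouteMark // 0x48000

	for name, enc := range map[string]func(uint32) []byte{
		"buggy (big-endian)": encodeMarkBuggy,
		"fixed (native)":     encodeMarkNative,
	} {
		m, v := effectiveRule(enc)
		fmt.Printf("%-19s effective mask=%#08x value=%#08x overlapsGL=%v matchesPkt=%v\n",
			name, m, v, overlaps(m, glVPNMask), matches(pkt, m, v))
	}
}
```

Running it shows the buggy encoder collapsing `0xff0000 / 0x40000` to `0x0000ff00 / 0x00000400`, a mask that overlaps `0xf000` and no longer matches a packet that legitimately carries both marks, while the native encoder keeps the two lanes disjoint.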
Author
@copilot resolve the merge conflicts in this pull request, discard build-tailscale.yaml - not needed in this repo.
This pull request introduces a patch to address nftables fwmark endianness issues on GL.iNet routers, updates the build workflow to apply this patch, and makes minor documentation improvements. The patch ensures that nftables rules use the correct byte order for fwmark masks, preventing routing issues on little-endian systems. Special thanks are added for the contributor of the patch.

The most important changes are:

- nftables fwmark endianness patch:
  - `patches/0001-fix-nftables-fwmark-endianness.patch` to fix nftables fwmark mask byte order, ensuring it is native-endian for correct operation on all architectures. This patch modifies how fwmark masks are generated and updates test cases accordingly.
  - `.github/workflows/build-tailscale.yaml` to check out the patch repository and apply the fwmark endianness patch during the build process.
- Documentation updates:
  - `readme.md` and `readme.template.md`: thanks for Dongming Han (GL.iNet) for implementing the fwmark patch. [1] [2]
  - `readme.md`. [1] [2]