Tailscale “Legacy rules detected” issue

Sid · November 6, 2024, 11:35pm

Hello guys,

I have installed Tailscale on my Nanopi using the static binaries they provide, also made sure to set its firewall mode to nftables.

It does create nftables rules as confirmed by running nft list ruleset these rules appear

chain ts-forward {
                iifname "tailscale0*" counter packets 0 bytes 0 meta mark set meta mark & 0xffff04ff | 0x00000400
                meta mark & 0x0000ff00 == 0x00000400 counter packets 0 bytes 0 accept
                oifname "tailscale0*" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
                oifname "tailscale0*" counter packets 0 bytes 0 accept
        }

        chain ts-input {
                iifname "lo*" ip saddr 100.68.254.23 counter packets 0 bytes 0 accept
                iifname != "tailscale0*" ip saddr 100.115.92.0/23 counter packets 0 bytes 0 return
                iifname != "tailscale0*" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
                iifname "tailscale0*" counter packets 0 bytes 0 accept
                udp dport 41641 counter packets 54 bytes 3240 accept
        }
}
table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 47 bytes 4292 jump ts-postrouting
        }

        chain ts-postrouting {
                meta mark & 0x0000ff00 == 0x00000400 counter packets 0 bytes 0 masquerade
        }
}
table ip6 filter {
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 14 bytes 6748 jump ts-forward
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                counter packets 79 bytes 8086 jump ts-input
        }

        chain ts-forward {
                iifname "tailscale0*" counter packets 0 bytes 0 meta mark set meta mark & 0xffff04ff | 0x00000400
                meta mark & 0x0000ff00 == 0x00000400 counter packets 0 bytes 0 accept
                oifname "tailscale0*" counter packets 0 bytes 0 accept
        }

        chain ts-input {
                iifname "lo*" ip6 saddr fd7a:115c:a1e0::b001:fe19 counter packets 0 bytes 0 accept
                iifname "tailscale0*" counter packets 0 bytes 0 accept
                udp dport 41641 counter packets 58 bytes 5336 accept
        }
}
table ip6 nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 36 bytes 4360 jump ts-postrouting
        }

        chain ts-postrouting {
                meta mark & 0x0000ff00 == 0x00000400 counter packets 0 bytes 0 masquerade
        }
}

Even after doing this I’m seeing a warning message in Luci-> Status -> Firewall about “Legacy rules detected, mixing nftables and iptables is discouraged”

I’ve confirmed that these iptables rules are indeed created by tailscale. I have no idea why it’s still creating iptables rules.

I have iptables-nft and ip6tables-nft installed. And no *-zz-legacy packages installed.

Any help is appreciated.

brada4 · November 6, 2024, 11:49pm

Can you add full nft list ruleset complete (chop final ends of IP addresses)
And output of:

ubus call system board
opkg list-installed tailscale

You dont need iptables-legacy to add legacy rules, xt bridge can do it for you.

Sid · November 7, 2024, 12:10am

Yes sure

nft list ruleset
table inet fw4 {
        chain input {
                type filter hook input priority filter; policy drop;
                iifname "lo" accept comment "!fw4: Accept traffic from loopback"
                ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
                iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
                iifname "eth0" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
                iifname "wg0" jump input_wg0 comment "!fw4: Handle wg0 IPv4/IPv6 input traffic"
                iifname "tailscale0" jump input_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 input traffic"
                iifname "awg0" jump input_awg0 comment "!fw4: Handle awg0 IPv4/IPv6 input traffic"
                jump handle_reject
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
                iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
                iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
                iifname "wg0" jump forward_wg0 comment "!fw4: Handle wg0 IPv4/IPv6 forward traffic"
                iifname "tailscale0" jump forward_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 forward traffic"
                iifname "awg0" jump forward_awg0 comment "!fw4: Handle awg0 IPv4/IPv6 forward traffic"
                jump handle_reject
        }

        chain output {
                type filter hook output priority filter; policy accept;
                oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
                ct state established,related accept comment "!fw4: Allow outbound established and related flows"
                oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
                oifname "eth0" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
                oifname "wg0" jump output_wg0 comment "!fw4: Handle wg0 IPv4/IPv6 output traffic"
                oifname "tailscale0" jump output_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 output traffic"
                oifname "awg0" jump output_awg0 comment "!fw4: Handle awg0 IPv4/IPv6 output traffic"
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
        }

        chain handle_reject {
                meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
                reject comment "!fw4: Reject any other traffic"
        }

        chain syn_flood {
                limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
                drop comment "!fw4: Drop excess packets"
        }

        chain input_lan {
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump accept_from_lan
        }

        chain output_lan {
                jump accept_to_lan
        }

        chain forward_lan {
                jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
                jump accept_to_wg0 comment "!fw4: Accept lan to wg0 forwarding"
                jump accept_to_tailscale comment "!fw4: Accept lan to tailscale forwarding"
                jump accept_to_awg0 comment "!fw4: Accept lan to awg0 forwarding"
                ct status dnat accept comment "!fw4: Accept port forwards"
                jump accept_to_lan
        }

        chain helper_lan {
        }

        chain accept_from_lan {
                iifname "br-lan" counter packets 1275 bytes 90732 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain accept_to_lan {
                oifname "br-lan" counter packets 523 bytes 41888 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
        }

        chain input_wan {
                meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
                icmp type echo-request counter packets 0 bytes 0 accept comment "!fw4: Allow-Ping"
                meta nfproto ipv4 meta l4proto igmp counter packets 371 bytes 13356 accept comment "!fw4: Allow-IGMP"
                meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 371 bytes 28196 accept comment "!fw4: Allow-MLD"
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 117 bytes 14976 accept comment "!fw4: Allow-ICMPv6-Input"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 22 bytes 1552 accept comment "!fw4: Allow-ICMPv6-Input"
                udp dport 51820 counter packets 3 bytes 588 accept comment "!fw4: Allow-Wireguard"
                meta nfproto ipv6 udp dport 51821 counter packets 0 bytes 0 accept comment "!fw4: Allow-AmneziaWG"
                jump reject_from_wan
        }

        chain output_wan {
                jump accept_to_wan
        }

        chain forward_wan {
                icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
                meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
                udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
                jump reject_to_wan
        }

        chain accept_to_wan {
                meta nfproto ipv4 oifname "eth0" ct state invalid counter packets 21 bytes 2355 drop comment "!fw4: Prevent NAT leakage"
                oifname "eth0" counter packets 1772 bytes 486986 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
        }

        chain reject_from_wan {
                iifname "eth0" counter packets 85 bytes 5014 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain reject_to_wan {
                oifname "eth0" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
        }

        chain input_wg0 {
                jump accept_from_wg0
        }

        chain output_wg0 {
                jump accept_to_wg0
        }

        chain forward_wg0 {
                jump accept_to_lan comment "!fw4: Accept wg0 to lan forwarding"
                jump accept_to_wan comment "!fw4: Accept wg0 to wan forwarding"
                jump accept_to_wg0
        }

        chain accept_from_wg0 {
                iifname "wg0" counter packets 767 bytes 53102 accept comment "!fw4: accept wg0 IPv4/IPv6 traffic"
        }

        chain accept_to_wg0 {
                meta nfproto ipv4 oifname "wg0" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
                oifname "wg0" counter packets 0 bytes 0 accept comment "!fw4: accept wg0 IPv4/IPv6 traffic"
        }

        chain input_tailscale {
                jump accept_from_tailscale
        }

        chain output_tailscale {
                jump accept_to_tailscale
        }

        chain forward_tailscale {
                jump accept_to_lan comment "!fw4: Accept tailscale to lan forwarding"
                jump accept_to_wan comment "!fw4: Accept tailscale to wan forwarding"
                jump accept_to_tailscale
        }

        chain accept_from_tailscale {
                iifname "tailscale0" counter packets 0 bytes 0 accept comment "!fw4: accept tailscale IPv4/IPv6 traffic"
        }

        chain accept_to_tailscale {
                meta nfproto ipv4 oifname "tailscale0" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
                oifname "tailscale0" counter packets 4 bytes 304 accept comment "!fw4: accept tailscale IPv4/IPv6 traffic"
        }

        chain input_awg0 {
                jump accept_from_awg0
        }

        chain output_awg0 {
                jump accept_to_awg0
        }

        chain forward_awg0 {
                jump accept_to_lan comment "!fw4: Accept awg0 to lan forwarding"
                jump accept_to_wan comment "!fw4: Accept awg0 to wan forwarding"
                jump accept_to_awg0
        }

        chain accept_from_awg0 {
                iifname "awg0" counter packets 0 bytes 0 accept comment "!fw4: accept awg0 IPv4/IPv6 traffic"
        }

        chain accept_to_awg0 {
                meta nfproto ipv4 oifname "awg0" ct state invalid counter packets 0 bytes 0 drop comment "!fw4: Prevent NAT leakage"
                oifname "awg0" counter packets 0 bytes 0 accept comment "!fw4: accept awg0 IPv4/IPv6 traffic"
        }

        chain dstnat {
                type nat hook prerouting priority dstnat; policy accept;
                iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
        }

        chain srcnat {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "eth0" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
                oifname "wg0" jump srcnat_wg0 comment "!fw4: Handle wg0 IPv4/IPv6 srcnat traffic"
                oifname "tailscale0" jump srcnat_tailscale comment "!fw4: Handle tailscale IPv4/IPv6 srcnat traffic"
                oifname "awg0" jump srcnat_awg0 comment "!fw4: Handle awg0 IPv4/IPv6 srcnat traffic"
        }

        chain dstnat_lan {
                tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: Intercept-DNSv4"
                udp dport 53 counter packets 36 bytes 2458 redirect to :53 comment "!fw4: Intercept-DNSv4"
        }

        chain srcnat_wan {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
        }

        chain srcnat_wg0 {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wg0 traffic"
        }

        chain srcnat_tailscale {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 tailscale traffic"
        }

        chain srcnat_awg0 {
                meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 awg0 traffic"
        }

        chain raw_prerouting {
                type filter hook prerouting priority raw; policy accept;
        }

        chain raw_output {
                type filter hook output priority raw; policy accept;
        }

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
        }

        chain mangle_postrouting {
                type filter hook postrouting priority mangle; policy accept;
        }

        chain mangle_input {
                type filter hook input priority mangle; policy accept;
        }

        chain mangle_output {
                type route hook output priority mangle; policy accept;
        }

        chain mangle_forward {
                type filter hook forward priority mangle; policy accept;
                iifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
                oifname "eth0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
                iifname "wg0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wg0 IPv4/IPv6 ingress MTU fixing"
                oifname "wg0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wg0 IPv4/IPv6 egress MTU fixing"
                iifname "tailscale0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone tailscale IPv4/IPv6 ingress MTU fixing"
                oifname "tailscale0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone tailscale IPv4/IPv6 egress MTU fixing"
                iifname "awg0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone awg0 IPv4/IPv6 ingress MTU fixing"
                oifname "awg0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone awg0 IPv4/IPv6 egress MTU fixing"
        }
}
table inet zapret {
        set zapret {
                type ipv4_addr
                size 522288
                flags interval
                auto-merge
        }

        set ipban {
                type ipv4_addr
                size 522288
                flags interval
                auto-merge
        }

        set nozapret {
                type ipv4_addr
                size 65536
                flags interval
                auto-merge
                elements = { 10.0.0.0/8, 169.254.0.0/16,
                             172.16.0.0/12, 192.168.0.0/16 }
        }

        set zapret6 {
                type ipv6_addr
                size 522288
                flags interval
                auto-merge
        }

        set ipban6 {
                type ipv6_addr
                size 522288
                flags interval
                auto-merge
        }

        set nozapret6 {
                type ipv6_addr
                size 65536
                flags interval
                auto-merge
                elements = { fc00::/7,
                             fe80::/10 }
        }

        set lanif {
                type ifname
                elements = { "br-lan" }
        }

        set wanif {
                type ifname
                elements = { "eth0" }
        }

        set wanif6 {
                type ifname
                elements = { "eth0" }
        }

        map link_local {
                type ifname : ipv6_addr
        }

        flowtable ft {
                hook ingress priority filter - 1
                devices = { br-lan, eth0 }
        }

        chain dnat_output {
                type nat hook output priority -101; policy accept;
        }

        chain dnat_pre {
                type nat hook prerouting priority dstnat - 1; policy accept;
        }

        chain forward {
                type filter hook forward priority filter - 1; policy accept;
                oifname @wanif jump flow_offload
                oifname @wanif6 jump flow_offload
        }

        chain input {
                type filter hook input priority filter - 1; policy accept;
                iif != "lo" jump localnet_protect
        }

        chain flow_offload {
                tcp dport { 80, 443 } ct original packets 1-6 ip daddr != @nozapret return comment "direct flow offloading exemption"
                tcp dport { 80, 443 } ct original packets 1-6 ip6 daddr != @nozapret6 return comment "direct flow offloading exemption"
                meta l4proto { tcp, udp } flow add @ft
                meta l4proto { tcp, udp } counter packets 1882534 bytes 1146359833 comment "if offload works here must not be too much traffic"
        }

        chain localnet_protect {
                ip daddr 127.0.0.127 return comment "route_localnet allow access to tpws"
                ip daddr 127.0.0.0/8 drop comment "route_localnet remote access protection"
        }

        chain postrouting {
                type filter hook postrouting priority srcnat - 1; policy accept;
        }

        chain postnat {
                type filter hook postrouting priority srcnat + 1; policy accept;
                oifname @wanif6 tcp dport { 80, 443 } ct original packets 1-6 meta mark & 0x40000000 == 0x00000000 ip6 daddr != @nozapret6 meta mark set meta mark | 0x20000000 queue flags bypass to 200
                oifname @wanif tcp dport { 80, 443 } ct original packets 1-6 meta mark & 0x40000000 == 0x00000000 ip daddr != @nozapret meta mark set meta mark | 0x20000000 queue flags bypass to 200
        }

        chain prerouting {
                type filter hook prerouting priority dstnat + 1; policy accept;
        }

        chain prenat {
                type filter hook prerouting priority dstnat - 1; policy accept;
                iifname @wanif6 tcp sport { 80, 443 } ct reply packets 1 ip6 saddr != @nozapret6 queue flags bypass to 200
                iifname @wanif tcp sport { 80, 443 } ct reply packets 1 ip saddr != @nozapret queue flags bypass to 200
        }

        chain predefrag {
                type filter hook output priority -401; policy accept;
                meta mark & 0x40000000 != 0x00000000 jump predefrag_nfqws comment "nfqws generated : avoid drop by INVALID conntrack state"
        }

        chain predefrag_nfqws {
                meta mark & 0x20000000 != 0x00000000 notrack comment "postnat traffic"
                ip frag-off != 0 notrack comment "ipfrag"
                exthdr frag exists notrack comment "ipfrag"
                tcp flags ! syn,rst,ack notrack comment "datanoack"
        }
}
table ip filter {
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 1334 bytes 294029 jump ts-forward
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                counter packets 7070 bytes 761972 jump ts-input
        }

        chain ts-forward {
                iifname "tailscale0*" counter packets 0 bytes 0 meta mark set meta mark & 0xffff04ff | 0x00000400
                meta mark & 0x0000ff00 == 0x00000400 counter packets 0 bytes 0 accept
                oifname "tailscale0*" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
                oifname "tailscale0*" counter packets 0 bytes 0 accept
        }

        chain ts-input {
                iifname "lo*" ip saddr 100.68.254.23 counter packets 0 bytes 0 accept
                iifname != "tailscale0*" ip saddr 100.115.92.0/23 counter packets 0 bytes 0 return
                iifname != "tailscale0*" ip saddr 100.64.0.0/10 counter packets 0 bytes 0 drop
                iifname "tailscale0*" counter packets 0 bytes 0 accept
                udp dport 41641 counter packets 63 bytes 3780 accept
        }
}
table ip nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 243 bytes 19248 jump ts-postrouting
        }

        chain ts-postrouting {
                meta mark & 0x0000ff00 == 0x00000400 counter packets 0 bytes 0 masquerade
        }
}
table ip6 filter {
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
                counter packets 4698 bytes 2970442 jump ts-forward
        }

        chain INPUT {
                type filter hook input priority filter; policy accept;
                counter packets 7934 bytes 2144746 jump ts-input
        }

        chain ts-forward {
                iifname "tailscale0*" counter packets 0 bytes 0 meta mark set meta mark & 0xffff04ff | 0x00000400
                meta mark & 0x0000ff00 == 0x00000400 counter packets 0 bytes 0 accept
                oifname "tailscale0*" counter packets 0 bytes 0 accept
        }

        chain ts-input {
                iifname "lo*" ip6 saddr fd7a:115c:a1e0::b001:fe19 counter packets 0 bytes 0 accept
                iifname "tailscale0*" counter packets 0 bytes 0 accept
                udp dport 41641 counter packets 64 bytes 5888 accept
        }
}
table ip6 nat {
        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                counter packets 350 bytes 54885 jump ts-postrouting
        }

        chain ts-postrouting {
                meta mark & 0x0000ff00 == 0x00000400 counter packets 0 bytes 0 masquerade
        }
}

ubus call system board
{
        "kernel": "5.15.167",
        "hostname": "NanoPi",
        "system": "ARMv8 Processor rev 4",
        "model": "FriendlyElec NanoPi R2S",
        "board_name": "friendlyarm,nanopi-r2s",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "rockchip/armv8",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}

I get no output for opkg list-installed tailscale since I’m using their static binary form here

Sid · November 7, 2024, 12:37am

Just to add more info

logread shows tailscale uses nftables like this

daemon.err tailscaled[9267]: 2024/11/06 23:13:58 router: netfilter running in nftables mode, v6 = true
daemon.err tailscaled[9267]: 2024/11/06 23:13:58 envknob: TS_DEBUG_FIREWALL_MODE="nftables"

control: NetInfo: NetInfo{varies=false hairpin= ipv6=true ipv6os=true udp=true icmpv4=false derp=#6 portmap= link="" firewallmode="nft-forced"}

And running iptables-save gives this output

iptables-save
# Generated by iptables-save v1.8.8 (nf_tables) on Thu Nov  7 06:05:17 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:ts-forward - [0:0]
:ts-input - [0:0]
-A INPUT -j ts-input
-A FORWARD -j ts-forward
-A ts-forward -i tailscale0+
-A ts-forward -m mark --mark 0x400/0xff00 -j ACCEPT
-A ts-forward -s 100.64.0.0/10 -o tailscale0+ -j DROP
-A ts-forward -o tailscale0+ -j ACCEPT
-A ts-input -s 100.68.254.23/32 -i lo+ -j ACCEPT
-A ts-input -s 100.115.92.0/23 ! -i tailscale0+ -j RETURN
-A ts-input -s 100.64.0.0/10 ! -i tailscale0+ -j DROP
-A ts-input -i tailscale0+ -j ACCEPT
-A ts-input -p udp -m udp --dport 41641 -j ACCEPT
COMMIT
# Completed on Thu Nov  7 06:05:17 2024
# Table `nat' is incompatible, use 'nft' tool.

brada4 · November 7, 2024, 6:58am

Ask them how to force nftables use.
Incompatible nat means rules got loaded using iptables.

Sid · November 7, 2024, 1:32pm

Thanks, I think I will just use Tailscale with netfilter-mode=off then.

I have tried the outdated version from Tailscale opkg package on 23.05.x and also used the latest package while on snapshots and I’ve observed the a similar warning appearing there too.

The openwrt github for Tailscale also mentions using nftables created by Tailscale themselves
here https://github.com/openwrt/packages/tree/master/net/tailscale

brada4 · November 7, 2024, 2:09pm

You can add tailscale binary replacing one in installed package.
It supports "clean" nftables too.

Sid · November 7, 2024, 2:26pm

You mean install tailscale from opkg and then update the /usr/sbin/tailscale and /usr/sbin/tailscaled with newer versions right?

brada4 · November 7, 2024, 2:28pm

Yep, then it will have nft dependencies and default configuration to use it.

Sid · November 7, 2024, 2:30pm

For some reason the Tailscale package is not available in opkg feeds currently

brada4 · November 7, 2024, 2:37pm

Press "update lists" , they are kept in ramdisk and go with reboot.

Sid · November 7, 2024, 2:46pm

I rebooted my router just in case and then ran update lists and still the package is missing. Was it removed from openwrt?

Sid · November 7, 2024, 4:09pm

@brada4 I installed the .ipk from here https://archive.openwrt.org/releases/23.05.4/packages/aarch64_generic/packages/ as it wasn’t available for aarch64_generic on 23.05.5 for some reason.

It worked since the Tailscale version is the same (1.58.2-1). But the same legacy rules warning persists even with this opkg package.

I think I’ll stick with using netfilter-mode=off