From 3fdac0f9817e1b9416d23bac91ac607df74ba820 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Thu, 5 May 2022 18:15:54 -0700
Subject: [PATCH] nixos/tailscale: warn if strict reverse path filtering is in use.

Tailscale uses policy routing to enable certain traffic to bypass routes that lead into the Tailscale mesh. NixOS's reverse path filtering setup doesn't understand the policy routing at play, and so incorrectly interprets some of this traffic as spoofed.

Since this only breaks some features of Tailscale, merely warn users about it, rather than make it a hard error.

Updates tailscale/tailscale#4432

Signed-off-by: David Anderson
---
 nixos/modules/services/networking/tailscale.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/tailscale.nix b/nixos/modules/services/networking/tailscale.nix
index b46da401dd8..0133874d0e0 100644
--- a/nixos/modules/services/networking/tailscale.nix
+++ b/nixos/modules/services/networking/tailscale.nix
@@ -2,7 +2,11 @@
 with lib;
-let cfg = config.services.tailscale;
+let
+  cfg = config.services.tailscale;
+  firewallOn = config.networking.firewall.enable;
+  rpfMode = config.networking.firewall.checkReversePath;
+  rpfIsStrict = rpfMode == true || rpfMode == "strict";
 in {
   meta.maintainers = with maintainers; [ danderson mbaillie twitchyliquid64 ];
@@ -36,6 +40,7 @@ in {
   };
   config = mkIf cfg.enable {
+    warnings = optional (firewallOn && rpfIsStrict) "Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. Consider setting `networking.firewall.checkReversePath` = 'loose'";
     environment.systemPackages = [ cfg.package ]; # for the CLI
     systemd.packages = [ cfg.package ];
     systemd.services.tailscaled = {
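Review bot: The new `rpfIsStrict` binding treats both the boolean `true` and the string `"strict"` as strict mode, but nothing in the hunk says why the boolean form counts as strict or why strictness matters to this module, so a reader has to open the firewall module to follow it. A two-line comment above `rpfMode` would carry the reasoning from the commit message into the code: `# checkReversePath is a bool (true behaves as "strict") or "strict"/"loose"; strict mode` / `# drops Tailscale's policy-routed exit-node and subnet-router replies as spoofed.` The `firewallOn` gate is presumably there because the reverse-path check is only installed as part of the NixOS firewall ruleset; if so, saying that in the same comment would explain why the warning is silent when the firewall is off.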
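Review bot: The added `warnings` entry advises relaxing an anti-spoofing control without stating what is given up, and the suggested value `'loose'` is not valid Nix string syntax, so a user copying it verbatim gets an evaluation error. Loose mode still rejects packets whose source address is unreachable on any interface but no longer requires the return path to match the ingress interface, which is the property that protects a multi-homed host; the message should name that trade-off and make clear the change is only needed if exit nodes or subnet routers are actually in use. Suggested text: `"Strict reverse path filtering breaks Tailscale exit node use and some subnet routing setups. If you use those features, set networking.firewall.checkReversePath = \"loose\" (this relaxes, but does not disable, anti-spoofing filtering)."`. The enclosing `config = mkIf cfg.enable { ... }` set continues past the end of the hunk.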