From 9ff51909a3bbed6070a21d13aac3f0eb5b194cb6 Mon Sep 17 00:00:00 2001
From: Avery Pennarun
Date: Thu, 28 May 2020 05:52:33 -0400
Subject: [PATCH] router_linux: fix behaviour when switching --netfilter-mode.

On startup, and when switching into =off and =nodivert, we were deleting netfilter rules even if we weren't the ones that added them. In order to avoid interfering with rules added by the sysadmin, we have to be sure to delete rules only in the case that we added them in the first place.

Signed-off-by: Avery Pennarun
---
 cmd/tailscale/tailscale.go      |  4 ++--
 wgengine/router/router_linux.go | 28 ++++++++++++++--------------
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/cmd/tailscale/tailscale.go b/cmd/tailscale/tailscale.go
index 34a225997..447747313 100644
--- a/cmd/tailscale/tailscale.go
+++ b/cmd/tailscale/tailscale.go
@@ -212,10 +212,10 @@ func runUp(ctx context.Context, args []string) error {
 		prefs.NetfilterMode = router.NetfilterOn
 	case "nodivert":
 		prefs.NetfilterMode = router.NetfilterNoDivert
-		warning("netfilter in nodivert mode, you must add calls to Tailscale netfilter chains manually")
+		warning("netfilter=nodivert; add iptables calls to ts-* chains manually.")
 	case "off":
 		prefs.NetfilterMode = router.NetfilterOff
-		warning("netfilter management disabled, you must write a secure packet filter yourself")
+		warning("netfilter=off; configure iptables yourself.")
 	default:
 		log.Fatalf("invalid value --netfilter-mode: %q", upArgs.netfilterMode)
 	}
diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index 449bf5050..c5824c554 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
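Review bot: In the tailscale.go hunk, the rewritten =off warning drops the security consequence the removed line carried: the old text told the operator a secure packet filter must be written, while `warning("netfilter=off; configure iptables yourself.")` reads like a routine configuration hint. Since =off appears to mean this daemon installs no netfilter rules of its own (the NetfilterOff branch in router_linux.go only ever deletes), I'd keep that point in the message, e.g. `warning("netfilter=off; you must configure a secure iptables packet filter yourself.")`. The =nodivert message is fine as rewritten, since it still names the ts-* chains that have to be hooked in. runUp continues outside the hunk.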
@@ -106,13 +106,9 @@ func (r *linuxRouter) Up() error {
 	if err := r.delLegacyNetfilter(); err != nil {
 		return err
 	}
-	if err := r.delNetfilterHooks(); err != nil {
+	if err := r.setNetfilterMode(NetfilterOff); err != nil {
 		return err
 	}
-	if err := r.delNetfilterBase(); err != nil {
-		return err
-	}
-
 	if err := r.addBypassRule(); err != nil {
 		return err
 	}
@@ -130,10 +126,7 @@ func (r *linuxRouter) down() error {
 	if err := r.delBypassRule(); err != nil {
 		return err
 	}
-	if err := r.delNetfilterHooks(); err != nil {
-		return err
-	}
-	if err := r.delNetfilterBase(); err != nil {
+	if err := r.setNetfilterMode(NetfilterOff); err != nil {
 		return err
 	}
 
@@ -229,11 +222,18 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
 
 	switch mode {
 	case NetfilterOff:
-		if err := r.delNetfilterHooks(); err != nil {
-			return err
-		}
-		if err := r.delNetfilterBase(); err != nil {
-			return err
+		switch r.netfilterMode {
+		case NetfilterNoDivert:
+			if err := r.delNetfilterBase(); err != nil {
+				return err
+			}
+		case NetfilterOn:
+			if err := r.delNetfilterHooks(); err != nil {
+				return err
+			}
+			if err := r.delNetfilterBase(); err != nil {
+				return err
+			}
 		}
 		r.snatSubnetRoutes = false
 	case NetfilterNoDivert:
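Review bot: In the setNetfilterMode hunk, whether ts-* hooks and base rules get deleted now rests entirely on r.netfilterMode, the mode this process last set in memory, with no check against what is actually installed in the kernel. Up() now calls setNetfilterMode(NetfilterOff) at startup, so after a restart where down() never ran (a crash or kill) r.netfilterMode still holds its zero value and the previous run's chains and hooks are no longer removed; presumably the zero value is NetfilterOff, which is exactly what makes the startup call a no-op, and a later switch to NetfilterOn would then likely re-add rules on top of the stale ones. I'd either probe for the ts-* chains before deciding, or at least document the tradeoff above `switch r.netfilterMode {`, e.g. `// Only tear down what this process added; leftovers from a crashed run are deliberately left alone so sysadmin rules are never touched.`. The inner switch also has no default arm, so an unexpected prior mode silently deletes nothing. setNetfilterMode starts outside the hunk and the NetfilterNoDivert/NetfilterOn arms follow it, so I cannot see whether those transitions gate on the previous mode the same way.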