router_linux: fix behaviour when switching --netfilter-mode.

On startup, and when switching into =off and =nodivert, we were deleting netfilter rules even if we weren't the ones that added them. In order to avoid interfering with rules added by the sysadmin, we have to be sure to delete rules only in the case that we added them in the first place. Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>
2020-05-28 05:52:33 -04:00
parent a496cdc943
commit 9ff51909a3
2 changed files with 16 additions and 16 deletions
--- a/cmd/tailscale/tailscale.go
+++ b/cmd/tailscale/tailscale.go
@ -212,10 +212,10 @@ func runUp(ctx context.Context, args []string) error {
 			prefs.NetfilterMode = router.NetfilterOn
 		case "nodivert":
 			prefs.NetfilterMode = router.NetfilterNoDivert
-			warning("netfilter in nodivert mode, you must add calls to Tailscale netfilter chains manually")
+			warning("netfilter=nodivert; add iptables calls to ts-* chains manually.")
 		case "off":
 			prefs.NetfilterMode = router.NetfilterOff
-			warning("netfilter management disabled, you must write a secure packet filter yourself")
+			warning("netfilter=off; configure iptables yourself.")
 		default:
 			log.Fatalf("invalid value --netfilter-mode: %q", upArgs.netfilterMode)
 		}