On 08/10/2022 19:39, Kevin P. Fleming wrote:
>> We need to deal with a similar situation, when there may be more than one entity mucking with the ruleset. The approach that we take now is that everyone who changes the ruleset must reflect the change in a file in the /etc/nftables.d/ directory, which is included from /etc/nftables.conf. As long as there are no exceptions to that, it is always safe to flush and reload everything, and it should also be possible to run --check.
>
> I wish I could do that, but the Tailscale VPN won't store the rules it needs in a file; it can be told *not* to muck with the firewall at all, which means I could inject the necessary rules myself, but I wouldn't be able to know when a new version needs different rules. For now, just using separate tables (with priorities set appropriately) will work fine.
If you can execute something automatically after tailscale installs its rules, you could also dump them into a file at that moment yourself... E.g. define an ExecPost in a systemd unit extension.
Just an idea. I have no experience with tailscale.

Eugene
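To make the "dump them into a file at that moment" idea concrete, here is an added example script (written for this page; it is not from the thread and not Tailscale's or nftables' own code) that a systemd drop-in could run from ExecStartPost= on tailscaled.service. It waits for the tables tailscaled creates to show up, then writes a stateless (-s) dump of them into /etc/nftables.d/ so that a "flush ruleset" plus include reload recreates them, and it never replaces the previous dump with a truncated one if an nft call fails. The table names ts-filter and ts-nat in the inet family, the script path /usr/local/sbin/dump-tailscale-nft, the output path and the 30-second wait are all assumptions; check "nft list tables" on your own host and adjust them.

```shell
#!/bin/sh
# Hypothetical helper, assumed to be installed as /usr/local/sbin/dump-tailscale-nft.
# Dumps the nftables tables that tailscaled created into a file under
# /etc/nftables.d/, so a "flush ruleset; include ..." reload recreates them.
set -eu

# Table names are an assumption about tailscaled's nftables backend; override
# with TS_TABLES if "nft list tables" shows something else on your host.
TS_TABLES="${TS_TABLES:-ts-filter ts-nat}"
OUT="${OUT:-/etc/nftables.d/tailscale.nft}"
WAIT_SECS="${WAIT_SECS:-30}"

# wait_for_tables SECONDS TABLE...: poll until every table exists in the inet
# family, or SECONDS have passed. Returns 0 when all are present, 1 on timeout.
# Needed because ExecStartPost= fires when the daemon is up, which is earlier
# than the moment tailscaled actually installs its rules.
wait_for_tables() {
    secs=$1; shift
    while [ "$secs" -gt 0 ]; do
        missing=0
        for t in "$@"; do
            nft list table inet "$t" >/dev/null 2>&1 || missing=1
        done
        [ "$missing" -eq 0 ] && return 0
        sleep 1
        secs=$((secs - 1))
    done
    return 1
}

# dump_tables OUTFILE TABLE...: write a reloadable dump of the named tables.
# -s (stateless) strips counters and timeouts so the file is a clean
# definition. The dump goes to a temp file and is moved into place only when
# every nft call succeeded, so a failure leaves the previous dump untouched.
dump_tables() {
    out=$1; shift
    tmp="$out.tmp.$$"
    echo "# Generated by dump-tailscale-nft from the live ruleset; do not edit by hand." >"$tmp"
    for t in "$@"; do
        if ! nft -s list table inet "$t" >>"$tmp"; then
            rm -f "$tmp"
            return 1
        fi
    done
    mv "$tmp" "$out"
}

main() {
    # $TS_TABLES is intentionally unquoted: it is a space-separated list.
    if ! wait_for_tables "$WAIT_SECS" $TS_TABLES; then
        echo "dump-tailscale-nft: tables not present after ${WAIT_SECS}s, keeping old dump" >&2
        return 1
    fi
    dump_tables "$OUT" $TS_TABLES
}

# Run only when invoked under the installed name, so the functions above can
# also be sourced for testing without touching the live ruleset.
if [ "${0##*/}" = "dump-tailscale-nft" ]; then
    main "$@"
fi
```

To hook it in, create a drop-in such as /etc/systemd/system/tailscaled.service.d/dump-nft.conf containing a [Service] section with the line ExecStartPost=/usr/local/sbin/dump-tailscale-nft, then run systemctl daemon-reload, and make sure /etc/nftables.conf includes /etc/nftables.d/*.nft. Two caveats a practitioner will want: the dump only captures what tailscaled had installed at the moment it ran, so rules it adds or changes later at runtime (for example when advertised routes change) are not in the file until the next dump; and a "table inet ts-filter { ... }" block is additive when loaded without a preceding "flush ruleset", so loading the file on top of a live tailscaled would duplicate its rules rather than replace them.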