From f2e83e42eb0c7157d1e390b4693c55027eb93a16 Mon Sep 17 00:00:00 2001
From: Caleb Connolly <caleb@postmarketos.org>
Date: Sat, 22 Mar 2025 16:33:37 +0000
Subject: [PATCH] systemd-services/tailscale: use nftables backend

The iptables frontend for nftables seems to not play nice. Since we use
nftables in postmarketOS anyway, tell tailscale to use it directly. This
fixes routing not working and the following error seen in tailscale status:

- adding [-i tailscale0 -j MARK --set-mark 0x40000/0xff0000] in v4/filter/ts-forward: running [/usr/sbin/iptables -t filter -A ts-forward -i tailscale0 -j MARK --set-mark 0x40000/0xff0000 --wait]: exit status 2: Warning: Extension MARK revision 0 not supported, missing kernel module?

Signed-off-by: Caleb Connolly <caleb@postmarketos.org>
Part-of: https://gitlab.postmarketos.org/postmarketOS/pmaports/-/merge_requests/6344
---
 extra-repos/systemd/systemd-services/APKBUILD              | 4 ++--
 .../systemd/systemd-services/etc-default-tailscaled        | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/extra-repos/systemd/systemd-services/APKBUILD b/extra-repos/systemd/systemd-services/APKBUILD
index ffbd59b3583..48e8f51c636 100644
--- a/extra-repos/systemd/systemd-services/APKBUILD
+++ b/extra-repos/systemd/systemd-services/APKBUILD
@@ -8,7 +8,7 @@
 pkgname=systemd-services
 # 1. bump pkgver
 pkgver=63
-pkgrel=2
+pkgrel=3
 pkgdesc="Systemd service files"
 url="https://postmarketos.org"
 arch="noarch"
@@ -383,7 +383,7 @@ d5bf5f01c0feafab4edfc39b75eded608dc3efcd3b918739e3ed2ab11340c9cc9b6fb97c0706ddd3
 be9df5e3fd9c88ec1a8db4aa2d9e8075d74ee3d2670aa3cfc611df3cff4d4041ac888a0338c9d5f134bbc69aa32eb52ac40eb3e0981813afa18389cba14d3818  system-sleep-inhibitor.service
 399cd971b02e4b8bdfe60808ab1beac111b8618358f89a4482cafde1d19fe0a943d2ef6c20f5ad853581a85ab2297065187ade83eac7a664bd47412d0df7b2b6  user-syncthing.service
 41547eb369937348378e898e0dda7151552056107f4daab5a8a137a1b846560afa923cd345037b4f96bc9cdf2a7f66211a346b77229cc07ce2d0b634ff40dfe7  system-tailscaled.service
-324935213f1600e345acdfa70eae29181e9ee02e3aca6a03776ea4856137f72b5791e23aea46210cc756065cadd88fd1b8eb4b26a608fec94f662d683fcb9320  etc-default-tailscaled
+de63ecafaffc675f21d2a4b1e6b7e2c5464c03f7b2f79094d7f719c295190ac28b3cd85ba99a17bb9042d77ec323a6ffb5f108e33d28b6e7820d09250daadd57  etc-default-tailscaled
 23f854fa2d0e0cb4de54db8605e549bb32061470ea7fa8ac16d474149be635e2b20a815c4ea8088e583693d7f515651ad2872b45f3b38a762f686b977d4fc49d  system-tinydm.service
 c569b27925297672c479e12a6425abdf5791886fff77c2c2b67b7aa9277eb0a22e7b95b52dbc225870c97460d0988a4dae18ed864e19096c704c0895de55b699  system-tqftpserv.service
 c7ea2b18c9d8f82306fbaca6d07b7019de3819d7898c3f50c3d0aceef4da4d311ed3bf31385e2f8998b8e3e326b1eb13309ffd44cf1b2d9db9b40bca00222c16  system-udisks2.service
diff --git a/extra-repos/systemd/systemd-services/etc-default-tailscaled b/extra-repos/systemd/systemd-services/etc-default-tailscaled
index e8384a4f820..b659e209183 100644
--- a/extra-repos/systemd/systemd-services/etc-default-tailscaled
+++ b/extra-repos/systemd/systemd-services/etc-default-tailscaled
@@ -6,3 +6,10 @@ PORT="41641"
 
 # Extra flags you might want to pass to tailscaled.
 FLAGS=""
+
+# postmarketOS uses nftables by default, and tailscale has
+# some issues with the iptables frontend for it. So just
+# tell tailscale to use the nftables backend for routing
+# configuration.
+TS_DEBUG_FIREWALL_MODE=nftables
+
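Review bot: The comment above `TS_DEBUG_FIREWALL_MODE=nftables` does not say that this is a tailscaled debug knob read from the process environment rather than an option passed through `FLAGS`. It therefore only takes effect if the unit loads this file as an environment file; the service file is not part of this patch, so that is assumed here. Because tailscaled's packet-filter rules are part of the host's firewalling, I would add a line such as `# TS_DEBUG_* knobs are not a stable interface; after a tailscale upgrade check that the ts-forward rules appear in "nft list ruleset".` Installs that already carry a locally edited copy of this file will presumably keep it on upgrade and not pick up the new setting, which may be worth a note in the merge request. The hunk also ends the file with an extra blank line that can be dropped.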
-- 
GitLab