From 25a8daf405a9db68187989428548405fa0a94d65 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Tue, 15 Aug 2023 10:11:38 -0700
Subject: [PATCH] wgengine/router: always use nftables mode on gokrazy

Updates gokrazy/gokrazy#209

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 wgengine/router/router_linux.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index 40818267a..2317f2a9b 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -76,6 +76,11 @@ func (l *linuxFWDetector) nftDetect() (int, error) {
 // chooseFireWallMode returns the firewall mode to use based on the
 // environment and the system's capabilities.
 func chooseFireWallMode(logf logger.Logf, det tableDetector) linuxfw.FirewallMode {
+	if distro.Get() == distro.Gokrazy {
+		// Reduce startup logging on gokrazy. There's no way to do iptables on
+		// gokrazy anyway.
+		return linuxfw.FirewallModeNfTables
+	}
 	iptAva, nftAva := true, true
 	iptRuleCount, err := det.iptDetect()
 	if err != nil {