From 723b9af21a17d3af38bb66c7ad5e3548fd590142 Mon Sep 17 00:00:00 2001
From: Irbe Krumina
Date: Wed, 10 Dec 2025 18:57:51 +0000
Subject: [PATCH] Dockerfile,Dockerfile.base: link iptables to legacy binary (#18177)

Re-instate the linking of iptables installed in Tailscale container to the legacy iptables version. In environments where the legacy iptables is not needed, we should be able to run nftables instead, but this will ensure that Tailscale keeps working in environments that don't support nftables, such as some Synology NAS hosts.
Updates #17854
Signed-off-by: Irbe Krumina
---
 Dockerfile | 4 ++--
 Dockerfile.base | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c546cf657..68e7caa3e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -73,8 +73,8 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
 FROM alpine:3.22
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
-RUN ln -s /sbin/iptables-legacy /sbin/iptables
-RUN ln -s /sbin/ip6tables-legacy /sbin/ip6tables
+RUN rm /usr/sbin/iptables && ln -s /usr/sbin/iptables-legacy /usr/sbin/iptables
+RUN rm /usr/sbin/ip6tables && ln -s /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
diff --git a/Dockerfile.base b/Dockerfile.base
index 6c3c8ed08..bd68e1572 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
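Review bot: In Dockerfile, the new links point at `/usr/sbin/iptables-legacy` and `/usr/sbin/ip6tables-legacy`, but the `apk add` line just above them does not install `iptables-legacy`, which Dockerfile.base does (visible in its hunk header). If the alpine:3.22 `iptables` package does not itself ship the legacy binaries, which seems likely given that Dockerfile.base adds the separate package, `ln -s` still succeeds and leaves a dangling link. The image would then build cleanly and only fail when the container tries to program its firewall rules. I would change that line to `RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tables`, unless the package is already pulled in somewhere outside this hunk.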
@@ -8,5 +8,5 @@ RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tabl
 # suppport nftables, so link back to legacy for backwards compatibility reasons.
 # TODO(irbekrm): add some way how to determine if we still run on nodes that
 # don't support nftables, so that we can eventually remove these symlinks.
-RUN ln -s /sbin/iptables-legacy /sbin/iptables
-RUN ln -s /sbin/ip6tables-legacy /sbin/ip6tables
+RUN rm /usr/sbin/iptables && ln -s /usr/sbin/iptables-legacy /usr/sbin/iptables
+RUN rm /usr/sbin/ip6tables && ln -s /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables
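Review bot: Nothing in Dockerfile.base checks at build time that `iptables` and `ip6tables` really resolve to the legacy backend after these two `RUN` lines. The paths moving from `/sbin` to `/usr/sbin` suggest the earlier links stopped taking effect without any build failure, and `ln -s` does not care whether its target exists. A follow-up line such as `RUN iptables --version | grep -q legacy && ip6tables --version | grep -q legacy` would make the next base-image bump fail loudly instead of silently switching backends; the same check fits after the matching lines in Dockerfile. Both links could also share one layer using `ln -sf`, though the bare `rm` has the side benefit of failing when the expected binary is missing.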