From 84b1d447ae5e3bc2401bd6a683cf8c13b12faa5f Mon Sep 17 00:00:00 2001 From: Frank Edwards Date: Sat, 1 Feb 2025 15:08:13 +1000 Subject: [PATCH] 0.1.35 Revert from nftables to Alpine 3.19 + iptables-legacy Added note re netfliter-mode flag in README --- Dockerfile | 5 ++++- README.md | 4 +++- build.sh | 2 +- tailscale.sh | 3 --- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index e679f2e..001c2cb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -60,7 +60,10 @@ RUN upx /go/bin/tailscale && upx /go/bin/tailscaled FROM alpine:3.19 -RUN apk add --no-cache ca-certificates nftables iproute2 bash openssh curl jq +RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 bash openssh curl jq + +RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables +RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables RUN ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa RUN ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa diff --git a/README.md b/README.md index 6fdd498..0a21683 100644 --- a/README.md +++ b/README.md 
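Review bot: In the Dockerfile hunk, the two added `RUN rm … && ln -s …` lines never check that the link target exists. `ln -s` succeeds on a missing target, so if `/sbin/iptables-legacy` or `/sbin/ip6tables-legacy` is absent or moves in a later package build, the image ships with a dangling `/sbin/iptables`, and the firewall rules tailscaled tries to install would presumably fail only at runtime. I would collapse them into one layer that verifies the result, `RUN ln -sf /sbin/iptables-legacy /sbin/iptables && ln -sf /sbin/ip6tables-legacy /sbin/ip6tables && iptables --version | grep -q legacy`, and put a one-line comment above it stating why the legacy backend is forced. Separately, the unchanged `ssh-keygen` lines that close the hunk create the SSH host keys at build time, so every container started from this image shares the same private host keys, and one of them is DSA. Generating them on first start in the entrypoint would give each deployment its own keys.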
@@ -74,7 +74,9 @@ This section follows the Mikrotik Container documentation with additional steps | CONTAINER_GATEWAY | The container bridge (veth1) IP address on the router | | | LOGIN_SERVER | Headscale login server | Only required for Headscale control server. Do not set if using Tailscale | | UPDATE_TAILSCALE | Update tailscale on container startup | | -| TAILSCALE_ARGS | Additional arguments passed to tailscale | Optional. Note ```---accept-routes``` is required to accept the advertised routes of the other subnet routers | +| TAILSCALE_ARGS | Additional arguments passed to tailscale | Optional. Note: +```--accept-routes``` is required to accept the advertised routes of the other subnet routers. +```--netfilter-mode``` controls the degree of firewall configuration using iptables. See [tailscale up](https://tailscale.com/kb/1241/tailscale-up). | | TAILSCALED_ARGS | Additional arguments passed to tailscaled | Optional | | STARTUP_SCRIPT | Extra script to execute in container before tailscaled | Optional | diff --git a/build.sh b/build.sh index 6eb9115..0038293 100755 --- a/build.sh +++ b/build.sh @@ -28,7 +28,7 @@ # PLATFORM="linux/amd64" TAILSCALE_VERSION=1.78.1 -VERSION=0.1.34 +VERSION=0.1.35 set -eu diff --git a/tailscale.sh b/tailscale.sh index 931ee91..3422ac9 100755 --- a/tailscale.sh +++ b/tailscale.sh @@ -38,9 +38,6 @@ if [[ -n "$STARTUP_SCRIPT" ]]; then bash "$STARTUP_SCRIPT" || exit $? fi -# Flag tailscale to use nftables -TS_DEBUG_FIREWALL_MODE=nftables - # Start tailscaled and bring tailscale up /usr/local/bin/tailscaled ${TAILSCALED_ARGS} & until /usr/local/bin/tailscale up \