Fix forwarding for local tailnet connections #663

Open: lmagyar wants to merge 1 commit into hassio-addons:main from lmagyar:pr-fix-forwarding

@lmagyar lmagyar commented Apr 8, 2026

Collaborator

Proposed Changes

This PR:

  • adds the forwarding not only to the PREROUTING chain but also to the OUTPUT chain
  • removes "fix by documentation"

This fixes, e.g., the MagicDNS + local AdGuard add-on/app config:

  • if the device's (AdGuard's) local tailnet IP is configured as the global TS nameserver
    • HA's DNS queries MagicDNS
    • MagicDNS will access the local tailnet IP, and that is redirected to the eth0 interface by the OUTPUT chain
    • AdGuard can answer it
  • if no global TS nameservers are configured
    • HA's DNS queries MagicDNS, it fails on non-tailnet addresses
    • HA's DNS resolves the address "locally" (maybe AdGuard's local LAN address is also configured as fallback, or it goes immediately to the LAN router or 1.1.1.1 as final fallback)

Related Issues

Summary by CodeRabbit

  • New Features

    • Extended network forwarding to support both incoming and local connections, improving device connectivity options.
  • Bug Fixes

    • Removed confusing DNS configuration guidance and unnecessary user notices to streamline setup experience.
  • Documentation

    • Removed outdated DNS loop workaround documentation that is no longer applicable.

lmagyar added the bugfix label (Inconsistencies or issues which will cause a problem for users or implementors.) Apr 8, 2026
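
An added example, not part of this PR or the add-on's code: a check that reads `iptables -t nat -S` output and reports whether a tailnet address is DNATed in both PREROUTING ("incoming") and OUTPUT ("local"), the two paths the description above distinguishes. The addresses, sample rule sets and function names are constructed for illustration, and the DNAT rule form is an assumption about what such forwarding rules look like.

```shell
#!/bin/sh
# Added example, not the add-on's code. Addresses and rules are constructed.
# Real use (as root): iptables -t nat -S | forwarding_coverage "$(tailscale ip -4)"

# Constructed sample: only the PREROUTING rule exists.
RULES_BEFORE='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -d 100.64.0.5/32 -j DNAT --to-destination 192.168.1.10'

# Constructed sample: the same DNAT is also present in OUTPUT.
RULES_AFTER="$RULES_BEFORE
-A OUTPUT -d 100.64.0.5/32 -j DNAT --to-destination 192.168.1.10"

# Print the nat chains (sorted, one per line) holding a DNAT rule for address $1.
# Rules are read from stdin in `iptables -t nat -S` / `ip6tables -t nat -S` format.
chains_with_dnat() {
    awk -v ip="$1" '
        $1 == "-A" {
            dst = ""; jump = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-d" && $(i - 1) != "!") dst = $(i + 1)
                if ($i == "-j") jump = $(i + 1)
            }
            sub(/\/(32|128)$/, "", dst)  # -S prints host addresses with a mask
            if (dst == ip && jump == "DNAT") print $2
        }' | sort -u
}

# PREROUTING covers packets arriving on an interface; OUTPUT covers packets
# generated on the host itself, which never traverse PREROUTING.
forwarding_coverage() {
    incoming=missing
    locally=missing
    for chain in $(chains_with_dnat "$1"); do
        case "$chain" in
            PREROUTING) incoming=ok ;;
            OUTPUT) locally=ok ;;
        esac
    done
    echo "incoming=$incoming local=$locally"
}

printf '%s\n' "$RULES_BEFORE" | forwarding_coverage 100.64.0.5
printf '%s\n' "$RULES_AFTER" | forwarding_coverage 100.64.0.5
```

A result of `local=missing` means connections opened on the host itself to its own tailnet address are not redirected, which is the case this PR addresses.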
coderabbitai Bot commented Apr 8, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 278974ee-3f90-4715-98bf-536d7f027e3d

📥 Commits

Reviewing files that changed from the base of the PR and between 25b151d and c1673e5.

📒 Files selected for processing (4)
  • tailscale/DOCS.md
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/forwarding/finish
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/forwarding/run
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-ingress-proxy/run
💤 Files with no reviewable changes (2)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-ingress-proxy/run
  • tailscale/DOCS.md

Walkthrough

Modified network forwarding logic to handle both PREROUTING and OUTPUT iptables chains for IPv4 and IPv6, removed related DNS configuration documentation, and cleaned up a log notice in the MagicDNS ingress proxy initialization script.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation: tailscale/DOCS.md | Removed guidance about DNS loop scenarios and workarounds when running local DNS services on the Home Assistant device. |
| Forwarding Scripts: tailscale/rootfs/etc/s6-overlay/s6-rc.d/forwarding/run, tailscale/rootfs/etc/s6-overlay/s6-rc.d/forwarding/finish | Updated setup_forwarding and remove_forwarding function signatures to accept chain and name parameters; expanded NAT rule handling from PREROUTING chain only to both PREROUTING ("incoming") and OUTPUT ("local") chains for IPv4/IPv6; updated logging to reflect rule context. |
| MagicDNS Initialization: tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-ingress-proxy/run | Removed a log notice instructing users to ignore MagicDNS configuration when using upstream DNS servers. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • frenck

Poem

🐰 Hops through the chains with glee,
PREROUTING and OUTPUT, now set free,
DNS docs tidied, logs made neat,
Forwarding rules, a complete treat!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Fix forwarding for local tailnet connections' accurately reflects the main changes: adding OUTPUT chain forwarding rules for local tailnet DNS connections alongside existing PREROUTING rules. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

github-actions Bot commented May 8, 2026


There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days. Thank you for your contributions.

github-actions Bot added the stale label (There has not been activity on this issue or PR for quite some time.) May 8, 2026
lmagyar added the no-stale label (This issue or PR is exempted from the stable bot.) and removed the stale label May 8, 2026