From cd01bcc3957fde45b3379ba190339e63b2deb7a8 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Mon, 11 May 2020 23:41:29 +0000
Subject: [PATCH] wgengine/router: allow loopback traffic from our own IP(s).

Signed-off-by: David Anderson
---
 wgengine/router/router_linux.go | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index 13a07380f..1b07118fc 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -318,18 +318,30 @@ func (r *linuxRouter) restoreResolvConf() error {
 	return nil
 }
 
-// addAddress adds an IP/mask to the tunnel interface. Fails if the
-// address is already assigned to the interface, or if the addition
-// fails.
+// addAddress adds an IP/mask to the tunnel interface, and firewall
+// rules to permit loopback traffic. Fails if the address is already
+// assigned to the interface, or if the addition fails.
 func (r *linuxRouter) addAddress(addr netaddr.IPPrefix) error {
-	return cmd("ip", "addr", "add", addr.String(), "dev", r.tunname)
+	if err := cmd("ip", "addr", "add", addr.String(), "dev", r.tunname); err != nil {
+		return err
+	}
+	if err := r.ipt4.Insert("filter", "ts-input", 1, "-i", "lo", "-s", addr.IP.String(), "-j", "ACCEPT"); err != nil {
+		return err
+	}
+	return nil
 }
 
-// delAddress removes an IP/mask from the tunnel interface. Fails if
-// the address is not assigned to the interface, or if the removal
-// fails.
+// delAddress removes an IP/mask from the tunnel interface, and
+// firewall rules permitting loopback traffic. Fails if the address is
+// not assigned to the interface, or if the removal fails.
 func (r *linuxRouter) delAddress(addr netaddr.IPPrefix) error {
-	return cmd("ip", "addr", "del", addr.String(), "dev", r.tunname)
+	if err := r.ipt4.Delete("filter", "ts-input", "-i", "lo", "-s", addr.IP.String(), "-j", "ACCEPT"); err != nil {
+		return err
+	}
+	if err := cmd("ip", "addr", "del", addr.String(), "dev", r.tunname); err != nil {
+		return err
+	}
+	return nil
 }
 
 // normalizeCIDR returns cidr as an ip/mask string, with the host bits
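Review bot: In the new addAddress body, a failure of `r.ipt4.Insert` returns after `ip addr add` has already succeeded, so the address stays on the interface with no matching ts-input rule and the interface and firewall state are out of sync; the later delAddress is unlikely to be called for an address the caller believes was never added. A best-effort rollback before returning keeps the two in step, e.g. `cmd("ip", "addr", "del", addr.String(), "dev", r.tunname) // roll back: keep iface and firewall state consistent` placed just before `return err` in that branch. The same consideration applies in reverse to delAddress, where a failed `ip addr del` leaves the address present but its loopback rule already removed. Separately, both functions hand `addr.IP.String()` to the IPv4-only `ipt4` table; if these paths can ever receive an IPv6 prefix, the Insert/Delete would fail for every such address, so a guard such as `if addr.IP.Is4() { ... }` (or a parallel v6 table) is worth confirming against the callers, which are outside this hunk.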