From 080577e0f380362b61909d3deca31e70c24d078c Mon Sep 17 00:00:00 2001 From: Luke Granger-Brown Date: Wed, 2 Mar 2022 00:32:31 +0000 Subject: [PATCH] swann: fix tailscale outbound Tailscale adds a policy-based routing rule at priority 5200-ish, which is before all the rules that we add. This avoids any Tailscale traffic going out... over Tailscale, which would be bad. Anyway, this breaks us because our main table is empty, so there's nowhere for the Tailscale traffic to actually go. Oops. Instead, use policy-based routing to send things over our WG tunnel, or over any of our upstream connections depending on what's available. --- ops/nixos/swann/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/ops/nixos/swann/default.nix b/ops/nixos/swann/default.nix index 138d78dac2..0b6454835f 100644 --- a/ops/nixos/swann/default.nix +++ b/ops/nixos/swann/default.nix @@ -157,6 +157,16 @@ in { ''; addRules = map ruleToLine rules; in '' + # Fix Tailscale, by adding routing rules just before the one they add at prio 5200. + ip -4 rule del priority 5196 || true + ip -4 rule del priority 5197 || true + ip -4 rule del priority 5198 || true + ip -4 rule del priority 5199 || true + ip -4 rule add from all fwmark 0x80000 lookup 150 priority 5196 + ip -4 rule add from all fwmark 0x80000 lookup 151 priority 5197 + ip -4 rule add from all fwmark 0x80000 lookup 152 priority 5198 + ip -4 rule add from all fwmark 0x80000 lookup 153 priority 5199 + ${lib.concatStringsSep "\n" clearRules} ${lib.concatStringsSep "\n" addRules}
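Review bot: the new rules are added with `ip -4` only, so IPv6 Tailscale traffic would still fall through to the empty main table and hit the same failure the commit message describes; either add the matching `ip -6 rule add from all fwmark 0x80000 lookup 15x priority 519x` lines (with the same `|| true` deletes) or say in the comment why IPv6 is out of scope here. Two smaller points on the same hunk: the priorities 5196-5199 and tables 150-153 are hard-coded alongside an existing `rules` list that already feeds `clearRules` and `addRules`, so expressing these four entries through `rules` (with a comment noting they must sort before Tailscale's rule) would keep all policy-routing rules cleared and re-added in one place; and `fwmark 0x80000` without a mask matches only when the whole mark equals 0x80000, so if anything else on this host sets additional mark bits on the same packets the rule will not fire, and a masked match such as `fwmark 0x80000/0x80000` would be more robust if that is a possibility.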