Andrew Lytvynov

1.66 added stateful filtering for packets going via the `tailscale0` interface, see https://tailscale.com/changelog#2024-05-08. But that should not affect packets from docker containers to the Internet. Another notable thing is that...

Thanks for the details, I reproduced the issue. Right now, `tailscale set --stateful-filtering=false` is the only workaround. Running it on a regular node (not exit node and not subnet router)...

@masterwishx just to clarify: * resolving full names, like `host.headscale.mysite.com` works * resolving short names, like `host` does not work If that's correct, that sounds like a different issue. Can...

1.66.4 is available and disables stateful filtering by default. We discussed doing more clever things, like detecting container runtimes and allowlisting their interfaces in our iptables/nftables rules, but that gets...

@icebladerage it appears that your host does not have conntrack installed, which is typically present on most Linux systems these days. Can you try `sudo apt install conntrack` and see...

Thanks for confirming! Please reopen this issue if you find that a fresh install has the same problem. We currently assume that conntrack is installed by default in most distros.

Tailscale RPMs are now signed on the [unstable track](https://pkgs.tailscale.com/unstable/). Stable track will be signed starting with next release (1.48). I will keep this ticket open until the next stable release,...

Reopening this because we had to disable `gpgcheck` in the repo because 1.48.0 release was withdrawn for Linux. Also, we might need to repackage all old RPM packages, with signing,...

`gpgcheck` is enabled again on stable RPM repo. All releases since 1.48.1 are signed. Older releases are not and their installation will fail. Please report if you get installation failures...

@dolceAlka can you confirm whether 1.66.4 fixes your issues? It's important to differentiate `src` and `dst` in your ACLs. If you want to use Mullvad (or any other exit node)...