From 2685484f26a4479c8a9340faea684aaa7f17f375 Mon Sep 17 00:00:00 2001
From: Irbe Krumina
Date: Wed, 26 Mar 2025 01:48:01 +0000
Subject: [PATCH] Bump Alpine, link iptables back to legacy (#15428)

Bumps Alpine 3.18 -> 3.19. Alpine 3.19 links iptables to nftables-based implementation that can break hosts that don't support nftables. Link iptables back to the legacy implementation till we have some certainty that changing to nftables based implementation will not break existing setups.

Updates tailscale/tailscale#15328

Signed-off-by: Irbe Krumina
---
 ALPINE.txt | 2 +-
 Dockerfile | 4 +++-
 Dockerfile.base | 11 +++++++++--
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/ALPINE.txt b/ALPINE.txt
index 55b698c77..318956c3d 100644
--- a/ALPINE.txt
+++ b/ALPINE.txt
@@ -1 +1 @@
-3.18
\ No newline at end of file
+3.19
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 32cb92ab0..015022e49 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -62,8 +62,10 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\
 -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
 -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot
-FROM alpine:3.18
+FROM alpine:3.19
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
+RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
diff --git a/Dockerfile.base b/Dockerfile.base
index eb4f0a02a..b7e79a43c 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
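Review bot: The apk line this hunk keeps as unchanged context (`RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables`) does not install `iptables-legacy`, while the Dockerfile.base change in the same commit adds that package before creating the identical symlinks; if `/sbin/iptables-legacy` ships in that separate package on Alpine 3.19, as the Dockerfile.base edit suggests, `ln -s` still succeeds (it never checks that its target exists), so the image builds green with dangling `/sbin/iptables` and `/sbin/ip6tables` links that only fail when tailscaled first tries to program netfilter. I would mirror Dockerfile.base and make the layer prove the fallback works, since the legacy build reports itself in its version string: `RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tables` and `RUN rm /sbin/iptables /sbin/ip6tables && ln -s /sbin/iptables-legacy /sbin/iptables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables && iptables -V | grep -q legacy && ip6tables -V | grep -q legacy`. Note also that only the two front-end binaries are re-pointed; `iptables-save`/`iptables-restore`, if present in the image, stay on the nftables backend and would see a different rule set from what `iptables` installs, which is worth confirming nothing in the image relies on.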
@@ -1,5 +1,12 @@
 # Copyright (c) Tailscale Inc & AUTHORS
 # SPDX-License-Identifier: BSD-3-Clause
-FROM alpine:3.18
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils
+FROM alpine:3.19
+RUN apk add --no-cache ca-certificates iptables iptables-legacy iproute2 ip6tables iputils
+# Alpine 3.19 replaces legacy iptables with nftables based implementation. We
+# can't be certain that all hosts that run Tailscale containers currently
+# suppport nftables, so link back to legacy for backwards compatibility reasons.
+# TODO(irbekrm): add some way how to determine if we still run on nodes that
+# don't support nftables, so that we can eventually remove these symlinks.
+RUN rm /sbin/iptables && ln -s /sbin/iptables-legacy /sbin/iptables
+RUN rm /sbin/ip6tables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables
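Review bot: The two `RUN rm ... && ln -s ...` lines at the end of the hunk create the legacy symlinks without verifying that anything exists at `/sbin/iptables-legacy` or `/sbin/ip6tables-legacy` — `ln -s` happily creates a dangling link — so a later base-image bump that moves or renames those binaries would still build successfully and only surface when tailscaled first touches netfilter; I would make the layer self-checking, e.g. `RUN rm /sbin/iptables /sbin/ip6tables && ln -s /sbin/iptables-legacy /sbin/iptables && ln -s /sbin/ip6tables-legacy /sbin/ip6tables && iptables -V | grep -q legacy && ip6tables -V | grep -q legacy`, which also merges the two layers into one. The re-link covers only the two front ends: `iptables-save`/`iptables-restore` and any `*-nft` binaries the `iptables` package still installs remain on the nftables backend, and rules programmed through the legacy front end are not visible to them, so if that split is intentional the comment should say so, e.g. `# Only iptables/ip6tables are re-linked; *-save/*-restore stay nft-backed.`. The added comment also has a typo: `suppport` should be `support`.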