tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

Re-add tailscale nftables rules after `systemctl nftables reload` or `flush ruleset` #11926

Open eric-eisenhart opened 2 weeks ago

eric-eisenhart commented 2 weeks ago

What is the issue?

If we run systemctl reload nftables, all of tailscaled's nftables rules go away and don't return.

Steps to reproduce

I'm trying this on a Rocky9 server, but I assume any Linux system running nftables would have similar results.

  1. /etc/sysconfig/nftables.conf contains (amongst other things):

    #!/usr/sbin/nft -f
    flush ruleset
    table inet filter {
        chain INPUT {
            type filter hook input priority 0
            policy drop
            ct state established,related accept
            ct state invalid drop
            meta l4proto { icmp, icmpv6 } accept
            iifname "lo" accept
        }
        include "/etc/nftables/rulesets/*.conf"
    }
  2. Start tailscaled service after nftables is started

  3. Run nft list ruleset and see the various ts rules.

  4. Run systemctl reload nftables

  5. Run nft list ruleset and don't see those ts rules anymore.

Are there any recent changes that introduced the issue?

No response

OS

Linux

OS version

Rocky Linux 9

Tailscale version

1.64.0

Other software

nftables

Bug report

BUG-e21a5b4011b9f4086d992c3aad05ad34a69de98d89125310fcb0392f248b044b-20240429194454Z-6508a65bc349063a
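Added example, not from this issue or from the tailscale project: a small POSIX sh check that tells whether tailscaled's nftables tables are still loaded after the reload described in the steps above, run here against two constructed `nft list ruleset` dumps. The `ts-` prefixed table and chain names (ts-filter, ts-nat, ts-input, ts-postrouting) are an assumption about tailscaled's naming.

```shell
#!/bin/sh
# Added example (not from the report): check whether tailscaled's nftables tables
# are loaded. The "ts-" table-name prefix is an assumption about tailscaled's naming.

# Constructed output resembling `nft list ruleset` while tailscaled is up.
BEFORE_RELOAD='table inet filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
	}
}
table ip ts-filter {
	chain ts-input {
		type filter hook input priority filter; policy accept;
	}
}
table ip ts-nat {
	chain ts-postrouting {
		type nat hook postrouting priority srcnat; policy accept;
	}
}'

# Constructed output after the reload ran `flush ruleset` and re-applied only the
# distro config: the ts-* tables are gone.
AFTER_RELOAD='table inet filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
	}
}'

# Print "family name" for each tailscale-owned table in a ruleset dump.
list_ts_tables() {
	printf '%s\n' "$1" | sed -n 's/^table \([a-z0-9]*\) \(ts-[a-z0-9-]*\) {.*/\1 \2/p'
}

# Succeed when at least one ts-* table is present, fail when tailscaled's rules are missing.
ts_rules_present() {
	[ -n "$(list_ts_tables "$1")" ]
}

# Stand-alone run over the two constructed dumps.
for dump in "$BEFORE_RELOAD" "$AFTER_RELOAD"; do
	if ts_rules_present "$dump"; then
		echo "ok: $(list_ts_tables "$dump" | grep -c .) tailscale table(s) loaded"
	else
		echo "missing: no ts-* tables in the ruleset; tailscaled must re-add its rules"
	fi
done
```

On a live host, `ts_rules_present "$(nft list ruleset)"` gives the same yes/no answer, which is handy as a post-reload health check or a monitoring probe.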

eric-eisenhart commented 2 weeks ago

This can be mitigated with:

But the tailscaled.service override likely has some unintended side-effects (restarting tailscaled when it doesn't need to be) and putting a systemctl restart tailscaled in another service's config is definitely not doing things the proper systemd way.