linuxfw,wgengine/route,ipn: add c2n and nodeattrs to control linux netfilter

Updates tailscale/corp#14029. Signed-off-by: Naman Sood <mail@nsood.in>
2025-10-11 03:12:30 +00:00 · 2023-12-04 12:08:56 -05:00
parent 215f657a5e
commit 0a59754eda
15 changed files with 171 additions and 12 deletions
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -69,6 +69,9 @@ var c2nHandlers = map[methodAndPath]c2nHandler{

 	// App Connectors.
 	req("GET /appconnector/routes"): handleC2NAppConnectorDomainRoutesGet,
+
+	// Linux netfilter.
+	req("POST /netfilter-kind"): handleC2NSetNetfilterKind,
 }

 type c2nHandler func(*LocalBackend, http.ResponseWriter, *http.Request)
@@ -222,6 +225,32 @@ func handleC2NAppConnectorDomainRoutesGet(b *LocalBackend, w http.ResponseWriter
 	json.NewEncoder(w).Encode(res)
 }

+func handleC2NSetNetfilterKind(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
+	b.logf("c2n: POST /netfilter-kind received")
+
+	if version.OS() != "linux" {
+		http.Error(w, "netfilter kind only settable on linux", http.StatusNotImplemented)
+	}
+
+	kind := r.FormValue("kind")
+	b.logf("c2n: switching netfilter to %s", kind)
+
+	_, err := b.EditPrefs(&ipn.MaskedPrefs{
+		NetfilterKindSet: true,
+		Prefs: ipn.Prefs{
+			NetfilterKind: kind,
+		},
+	})
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	b.authReconfig()
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
 func handleC2NUpdateGet(b *LocalBackend, w http.ResponseWriter, r *http.Request) {
 	b.logf("c2n: GET /update received")