util/linuxfw,wgengine/router: add new netfilter rules for HA ingresses (#15896)

Add new rules to update DNAT rules for Kubernetes operator's
HA ingress where it's expected that rules will be added/removed
frequently (so we don't want to keep old rules around or rewrite
existing rules unnecessarily):
- allow deleting DNAT rules using metadata lookup
- allow inserting DNAT rules if they don't already
exist (using metadata lookup)

Updates tailscale/tailscale#15895

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Co-authored-by: chaosinthecrd <tom@tmlabs.co.uk>

util/linuxfw/nftables_for_svcs.go

@@ -119,6 +119,63 @@ func (n *nftablesRunner) DeleteSvc(svc, tun string, targetIPs []netip.Addr, pm [
 	return n.conn.Flush()
 }
 
+// EnsureDNATRuleForSvc adds a DNAT rule that forwards traffic from the
+// VIPService IP address to a local address. This is used by the Kubernetes
+// operator's network layer proxies to forward tailnet traffic for VIPServices
+// to Kubernetes Services.
+func (n *nftablesRunner) EnsureDNATRuleForSvc(svc string, origDst, dst netip.Addr) error {
+	t, ch, err := n.ensurePreroutingChain(origDst)
+	if err != nil {
+		return fmt.Errorf("error ensuring chain for %s: %w", svc, err)
+	}
+	meta := svcRuleMeta(svc, origDst, dst)
+	rule, err := n.findRuleByMetadata(t, ch, meta)
+	if err != nil {
+		return fmt.Errorf("error looking up rule: %w", err)
+	}
+	if rule != nil {
+		return nil
+	}
+	rule = dnatRuleForChain(t, ch, origDst, dst, meta)
+	n.conn.InsertRule(rule)
+	return n.conn.Flush()
+}
+
+// DeleteDNATRuleForSvc deletes a DNAT rule created by EnsureDNATRuleForSvc.
+// We use the metadata attached to the rule to look it up.
+func (n *nftablesRunner) DeleteDNATRuleForSvc(svcName string, origDst, dst netip.Addr) error {
+	table, err := n.getNFTByAddr(origDst)
+	if err != nil {
+		return fmt.Errorf("error setting up nftables for IP family of %s: %w", origDst, err)
+	}
+	t, err := getTableIfExists(n.conn, table.Proto, "nat")
+	if err != nil {
+		return fmt.Errorf("error checking if nat table exists: %w", err)
+	}
+	if t == nil {
+		return nil
+	}
+	ch, err := getChainFromTable(n.conn, t, "PREROUTING")
+	if errors.Is(err, errorChainNotFound{tableName: "nat", chainName: "PREROUTING"}) {
+		return nil
+	}
+	if err != nil {
+		return fmt.Errorf("error checking if chain PREROUTING exists: %w", err)
+	}
+	meta := svcRuleMeta(svcName, origDst, dst)
+	rule, err := n.findRuleByMetadata(t, ch, meta)
+	if err != nil {
+		return fmt.Errorf("error checking if rule exists: %w", err)
+	}
+	if rule == nil {
+		return nil
+	}
+	if err := n.conn.DelRule(rule); err != nil {
+		return fmt.Errorf("error deleting rule: %w", err)
+	}
+	return n.conn.Flush()
+}
+
 func portMapRule(t *nftables.Table, ch *nftables.Chain, tun string, targetIP netip.Addr, matchPort, targetPort uint16, proto uint8, meta []byte) *nftables.Rule {
 	var fam uint32
 	if targetIP.Is4() {
@@ -243,3 +300,10 @@ func protoFromString(s string) (uint8, error) {
 		return 0, fmt.Errorf("unrecognized protocol: %q", s)
 	}
 }
+
+// svcRuleMeta generates metadata for a rule.
+// This metadata can then be used to find the rule.
+// https://github.com/google/nftables/issues/48
+func svcRuleMeta(svcName string, origDst, dst netip.Addr) []byte {
+	return []byte(fmt.Sprintf("svc:%s,VIP:%s,ClusterIP:%s", svcName, origDst.String(), dst.String()))
+}