util/linuxfw: add container-friendly IPv6 NAT check (#11353)

Remove IPv6 NAT check when routing is being set up
using nftables.
This is unnecessary as support for nftables was
added after support for IPv6.
https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s04.html
https://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources

Additionally, run an extra check for IPv6 NAT support
when the routing is set up with iptables.
This is because the earlier checks rely on
being able to use modprobe and on /proc/net/ip6_tables_names
being populated at start; these conditions are usually not
met in container environments.

Updates tailscale/tailscale#11344

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Irbe Krumina
2024-03-06 21:53:51 +00:00
committed by GitHub
parent fd942b5384
commit 90c4067010
3 changed files with 50 additions and 33 deletions


@@ -551,12 +551,15 @@ func newNfTablesRunner(logf logger.Logf) (*nftablesRunner, error) {
logf("disabling tunneled IPv6 due to system IPv6 config: %v", v6err)
}
supportsV6 := v6err == nil
supportsV6NAT := supportsV6 && checkSupportsV6NAT()
var nft6 *nftable
if supportsV6 {
logf("v6nat availability: %v", supportsV6NAT)
nft6 = &nftable{Proto: nftables.TableFamilyIPv6}
// Kernel support for nftables was added after support for IPv6
// NAT, so no need for a separate IPv6 NAT support check.
// https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s04.html
// https://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources
logf("v6nat availability: true")
}
// TODO(KevinLiang10): convert iptables rule to nftable rules if they exist in the iptables
@@ -566,7 +569,7 @@ func newNfTablesRunner(logf logger.Logf) (*nftablesRunner, error) {
nft4: nft4,
nft6: nft6,
v6Available: supportsV6,
v6NATAvailable: supportsV6NAT,
v6NATAvailable: supportsV6, // if nftables are supported, IPv6 NAT is supported
}, nil
}
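Review bot: Dropping the checkSupportsV6NAT() probe leaves this path with no runtime confirmation that the IPv6 NAT table can actually be created, so `v6NATAvailable: supportsV6` (second hunk) is an assumption about the kernel rather than an observed capability; on a kernel that has nftables but was built without the IPv6 NAT pieces, the failure will presumably only surface later when the NAT rule is added, outside this function — it is worth confirming that path reports the error clearly. The log line `logf("v6nat availability: true")` now prints a constant, which can mislead someone reading a support bundle; `logf("v6nat availability: true (assumed from nftables support)")` would make the provenance explicit. The inline comment on `v6NATAvailable` should say the same, e.g. `// assumed: nftables support implies IPv6 NAT support, see newNfTablesRunner`. newNfTablesRunner starts outside both hunks.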