router_linux: fix behaviour when switching --netfilter-mode.

On startup, and when switching into =off and =nodivert, we were
deleting netfilter rules even if we weren't the ones that added them.

In order to avoid interfering with rules added by the sysadmin, we have
to be sure to delete rules only in the case that we added them in the
first place.

Signed-off-by: Avery Pennarun <apenwarr@tailscale.com>

wgengine/router/router_linux.go

@@ -106,13 +106,9 @@ func (r *linuxRouter) Up() error {
 	if err := r.delLegacyNetfilter(); err != nil {
 		return err
 	}
-	if err := r.delNetfilterHooks(); err != nil {
+	if err := r.setNetfilterMode(NetfilterOff); err != nil {
 		return err
 	}
-	if err := r.delNetfilterBase(); err != nil {
-		return err
-	}
-
 	if err := r.addBypassRule(); err != nil {
 		return err
 	}
@@ -130,10 +126,7 @@ func (r *linuxRouter) down() error {
 	if err := r.delBypassRule(); err != nil {
 		return err
 	}
-	if err := r.delNetfilterHooks(); err != nil {
-		return err
-	}
-	if err := r.delNetfilterBase(); err != nil {
+	if err := r.setNetfilterMode(NetfilterOff); err != nil {
 		return err
 	}
 
@@ -229,11 +222,18 @@ func (r *linuxRouter) setNetfilterMode(mode NetfilterMode) error {
 
 	switch mode {
 	case NetfilterOff:
-		if err := r.delNetfilterHooks(); err != nil {
-			return err
-		}
-		if err := r.delNetfilterBase(); err != nil {
-			return err
+		switch r.netfilterMode {
+		case NetfilterNoDivert:
+			if err := r.delNetfilterBase(); err != nil {
+				return err
+			}
+		case NetfilterOn:
+			if err := r.delNetfilterHooks(); err != nil {
+				return err
+			}
+			if err := r.delNetfilterBase(); err != nil {
+				return err
+			}
 		}
 		r.snatSubnetRoutes = false
 	case NetfilterNoDivert: