cmd/tta, vnet: add host firewall, env var support, more tests

In particular, tests showing that #3824 works. But that test doesn't
actually work yet; it only gets a DERP connection. (why?)

Updates #13038

Change-Id: Ie1fd1b6a38d4e90fae7e72a0b9a142a95f0b2e8f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

tstest/natlab/vnet/conf.go

@@ -70,6 +70,16 @@ func (c *Config) AddNode(opts ...any) *Node {
 				o.nodes = append(o.nodes, n)
 			}
 			n.nets = append(n.nets, o)
+		case TailscaledEnv:
+			n.env = append(n.env, o)
+		case NodeOption:
+			if o == HostFirewall {
+				n.hostFW = true
+			} else {
+				if n.err == nil {
+					n.err = fmt.Errorf("unknown NodeOption %q", o)
+				}
+			}
 		default:
 			if n.err == nil {
 				n.err = fmt.Errorf("unknown AddNode option type %T", o)
@@ -79,6 +89,19 @@ func (c *Config) AddNode(opts ...any) *Node {
 	return n
 }
 
+// NodeOption is an option that can be passed to Config.AddNode.
+type NodeOption string
+
+const (
+	HostFirewall NodeOption = "HostFirewall"
+)
+
+// TailscaledEnv is а option that can be passed to Config.AddNode
+// to set an environment variable for tailscaled.
+type TailscaledEnv struct {
+	Key, Value string
+}
+
 // AddNetwork add a new network.
 //
 // The opts may be of the following types:
@@ -125,6 +148,9 @@ type Node struct {
 	err error
 	n   *node // nil until NewServer called
 
+	env    []TailscaledEnv
+	hostFW bool
+
 	// TODO(bradfitz): this is halfway converted to supporting multiple NICs
 	// but not done. We need a MAC-per-Network.
 
@@ -137,6 +163,14 @@ func (n *Node) MAC() MAC {
 	return n.mac
 }
 
+func (n *Node) Env() []TailscaledEnv {
+	return n.env
+}
+
+func (n *Node) HostFirewall() bool {
+	return n.hostFW
+}
+
 // Network returns the first network this node is connected to,
 // or nil if none.
 func (n *Node) Network() *Network {