cmd/tta, vnet: add host firewall, env var support, more tests

In particular, tests showing that #3824 works. But that test doesn't
actually work yet; it only gets a DERP connection. (why?)

Updates #13038

Change-Id: Ie1fd1b6a38d4e90fae7e72a0b9a142a95f0b2e8f
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

wgengine/magicsock/magicsock_linux.go

@@ -32,6 +32,9 @@ const (
 // Enable/disable using raw sockets to receive disco traffic.
 var debugDisableRawDisco = envknob.RegisterBool("TS_DEBUG_DISABLE_RAW_DISCO")
 
+// debugRawDiscoReads enables logging of raw disco reads.
+var debugRawDiscoReads = envknob.RegisterBool("TS_DEBUG_RAW_DISCO")
+
 // These are our BPF filters that we use for testing packets.
 var (
 	magicsockFilterV4 = []bpf.Instruction{
@@ -211,6 +214,9 @@ func (c *Conn) receiveDisco(pc net.PacketConn, isIPV6 bool) {
 	var buf [1500]byte
 	for {
 		n, src, err := pc.ReadFrom(buf[:])
+		if debugRawDiscoReads() {
+			c.logf("raw disco read from %v = (%v, %v)", src, n, err)
+		}
 		if errors.Is(err, net.ErrClosed) {
 			return
 		} else if err != nil {