From a664aac877c46f4f8778a19a0673725c525ec7d5 Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Wed, 11 Nov 2020 15:05:15 -0800
Subject: [PATCH] wgengine/router: disable IPv6 if v6 policy routing is unavailable.

Fixes #895.

Signed-off-by: David Anderson
---
 wgengine/router/router_linux.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index b8732cbae..e0db5369d 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -1023,6 +1023,20 @@ func supportsV6() bool {
 return false
 }

+ // Older kernels don't support IPv6 policy routing.
+ bs, err = ioutil.ReadFile("/proc/sys/net/ipv6/conf/all/disable_policy")
+ if err != nil {
+ // Absent knob means policy routing is unsupported.
+ return false
+ }
+ disabled, err = strconv.ParseBool(strings.TrimSpace(string(bs)))
+ if err != nil {
+ return false
+ }
+ if disabled {
+ return false
+ }
+
 // Some distros ship ip6tables separately from iptables.
 if _, err := exec.LookPath("ip6tables"); err != nil {
 return false
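Review bot: The new `disable_policy` check in `supportsV6` is an indirect probe, and it treats every `ReadFile` error as "knob absent". To my knowledge the kernel documents this sysctl as switching off IPsec policy (SPD) processing, not `ip -6 rule` support, so its absence or a value of 1 only approximates "no v6 policy routing" and may disable IPv6 on kernels that can do it. A permission or sandboxed-`/proc` failure falls into the same branch, and the function returns false with nothing logged, so an operator cannot tell why v6 is off. I would make the proxy explicit with a comment such as `// disable_policy is only a proxy for kernel age; it does not itself gate IPv6 policy routing.` and separate the missing-file case with `if os.IsNotExist(err) { return false }`, handling other errors on their own path. `bs`, `err` and `disabled` are assigned with `=`, so they are declared above the hunk, and the function body continues past its last line.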