util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux (#10370)

* util/linuxfw, wgengine: allow ingress to magicsock UDP port on Linux

Updates #9084.

Currently, we have to tell users to manually open UDP ports on Linux when
certain firewalls (like ufw) are enabled. This change automates the process of
adding and updating those firewall rules as magicsock changes what port it
listens on.

Signed-off-by: Naman Sood <mail@nsood.in>

util/linuxfw/iptables_runner.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"net/netip"
 	"os/exec"
+	"strconv"
 	"strings"
 
 	"github.com/coreos/go-iptables/iptables"
@@ -236,7 +237,7 @@ func (i *iptablesRunner) AddBase(tunname string) error {
 	return nil
 }
 
-// addBase4 adds some basic IPv6 processing rules to be
+// addBase4 adds some basic IPv4 processing rules to be
 // supplemented by later calls to other helpers.
 func (i *iptablesRunner) addBase4(tunname string) error {
 	// Only allow CGNAT range traffic to come from tailscale0. There
@@ -311,7 +312,7 @@ func (i *iptablesRunner) ClampMSSToPMTU(tun string, addr netip.Addr) error {
 	return table.Append("mangle", "FORWARD", "-o", tun, "-p", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
 }
 
-// addBase6 adds some basic IPv4 processing rules to be
+// addBase6 adds some basic IPv6 processing rules to be
 // supplemented by later calls to other helpers.
 func (i *iptablesRunner) addBase6(tunname string) error {
 	// TODO: only allow traffic from Tailscale's ULA range to come
@@ -437,6 +438,63 @@ func (i *iptablesRunner) DelSNATRule() error {
 	return nil
 }
 
+// buildMagicsockPortRule generates the string slice containing the arguments
+// to describe a rule accepting traffic on a particular port to iptables. It is
+// separated out here to avoid repetition in AddMagicsockPortRule and
+// RemoveMagicsockPortRule, since it is important that the same rule is passed
+// to Append() and Delete().
+func buildMagicsockPortRule(port uint16) []string {
+	return []string{"-p", "udp", "--dport", strconv.FormatUint(uint64(port), 10), "-j", "ACCEPT"}
+}
+
+// AddMagicsockPortRule adds a rule to iptables to allow incoming traffic on
+// the specified UDP port, so magicsock can accept incoming connections.
+// network must be either "udp4" or "udp6" - this determines whether the rule
+// is added for IPv4 or IPv6.
+func (i *iptablesRunner) AddMagicsockPortRule(port uint16, network string) error {
+	var ipt iptablesInterface
+	switch network {
+	case "udp4":
+		ipt = i.ipt4
+	case "udp6":
+		ipt = i.ipt6
+	default:
+		return fmt.Errorf("unsupported network %s", network)
+	}
+
+	args := buildMagicsockPortRule(port)
+
+	if err := ipt.Append("filter", "ts-input", args...); err != nil {
+		return fmt.Errorf("adding %v in filter/ts-input: %w", args, err)
+	}
+
+	return nil
+}
+
+// DelMagicsockPortRule removes a rule added by AddMagicsockPortRule to accept
+// incoming traffic on a particular UDP port.
+// network must be either "udp4" or "udp6" - this determines whether the rule
+// is removed for IPv4 or IPv6.
+func (i *iptablesRunner) DelMagicsockPortRule(port uint16, network string) error {
+	var ipt iptablesInterface
+	switch network {
+	case "udp4":
+		ipt = i.ipt4
+	case "udp6":
+		ipt = i.ipt6
+	default:
+		return fmt.Errorf("unsupported network %s", network)
+	}
+
+	args := buildMagicsockPortRule(port)
+
+	if err := ipt.Delete("filter", "ts-input", args...); err != nil {
+		return fmt.Errorf("removing %v in filter/ts-input: %w", args, err)
+	}
+
+	return nil
+}
+
 // IPTablesCleanup removes all Tailscale added iptables rules.
 // Any errors that occur are logged to the provided logf.
 func IPTablesCleanup(logf logger.Logf) {