util/linuxfw, feature/buildfeatures: add ts_omit_iptables to make IPTables optional

Updates #12614

Change-Id: Ic0eba982aa8468a55c63e1b763345f032a55b4e2
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

util/linuxfw/linuxfw.go

@@ -14,6 +14,7 @@ import (
 	"strings"
 
 	"github.com/tailscale/netlink"
+	"tailscale.com/feature"
 	"tailscale.com/types/logger"
 )
 
@@ -180,3 +181,13 @@ func CheckIPRuleSupportsV6(logf logger.Logf) error {
 	defer netlink.RuleDel(rule)
 	return netlink.RuleAdd(rule)
 }
+
+var hookIPTablesCleanup feature.Hook[func(logger.Logf)]
+
+// IPTablesCleanUp removes all Tailscale added iptables rules.
+// Any errors that occur are logged to the provided logf.
+func IPTablesCleanUp(logf logger.Logf) {
+	if f, ok := hookIPTablesCleanup.GetOk(); ok {
+		f(logf)
+	}
+}