various: implement stateful firewalling on Linux (#12025)

Updates https://github.com/tailscale/corp/issues/19623 Change-Id: I7980e1fb736e234e66fa000d488066466c96ec85 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>
2024-05-06 15:22:17 -07:00
parent 5ef178fdca
commit c28f5767bf
17 changed files with 632 additions and 47 deletions
--- a/wgengine/router/router.go
+++ b/wgengine/router/router.go
@ -88,9 +88,10 @@ type Config struct {
 	SubnetRoutes []netip.Prefix

 	// Linux-only things below, ignored on other platforms.
-	SNATSubnetRoutes bool                   // SNAT traffic to local subnets
-	NetfilterMode    preftype.NetfilterMode // how much to manage netfilter rules
-	NetfilterKind    string                 // what kind of netfilter to use (nftables, iptables)
+	SNATSubnetRoutes  bool                   // SNAT traffic to local subnets
+	StatefulFiltering bool                   // Apply stateful filtering to inbound connections
+	NetfilterMode     preftype.NetfilterMode // how much to manage netfilter rules
+	NetfilterKind     string                 // what kind of netfilter to use (nftables, iptables)
 }

 func (a *Config) Equal(b *Config) bool {