various: implement stateful firewalling on Linux (#12025)

Updates https://github.com/tailscale/corp/issues/19623 Change-Id: I7980e1fb736e234e66fa000d488066466c96ec85 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Co-authored-by: Andrew Dunham <andrew@du.nham.ca>
2024-05-06 15:22:17 -07:00
parent 5ef178fdca
commit c28f5767bf
17 changed files with 632 additions and 47 deletions
--- a/wgengine/router/router_test.go
+++ b/wgengine/router/router_test.go
@ -23,8 +23,8 @@ func mustCIDRs(ss ...string) []netip.Prefix {
 func TestConfigEqual(t *testing.T) {
 	testedFields := []string{
 		"LocalAddrs", "Routes", "LocalRoutes", "NewMTU",
-		"SubnetRoutes", "SNATSubnetRoutes", "NetfilterMode",
-		"NetfilterKind",
+		"SubnetRoutes", "SNATSubnetRoutes", "StatefulFiltering",
+		"NetfilterMode", "NetfilterKind",
 	}
 	configType := reflect.TypeFor[Config]()
 	configFields := []string{}
@ -125,6 +125,16 @@ func TestConfigEqual(t *testing.T) {
 			&Config{SNATSubnetRoutes: false},
 			true,
 		},
+		{
+			&Config{StatefulFiltering: false},
+			&Config{StatefulFiltering: true},
+			false,
+		},
+		{
+			&Config{StatefulFiltering: false},
+			&Config{StatefulFiltering: false},
+			true,
+		},

 		{
 			&Config{NetfilterMode: preftype.NetfilterOff},