Detect which iptables to use in containers

[bradfitz]

[we have copies of this bug scattered about as comments on other bugs, so creating one tracking bug]

On Linux, when Tailscale is running in a container, we should ask the kernel directly whether iptables-legacy or iptables-nft is the right interface and use the right binary, regardless of what the "iptables" binary is a symlink to on disk.

And if the right binary is not available, fail loudly.

That is, the host environment outside of the container could be using iptables-legacy vs iptables-nft and even if the host's Debian alternatives or equivalent is correct, the container's alternatives might be wrong.

This manifests in lots of weird iptables errors.

@andrew-d has done all the hard work for this bug already. Filing this bug to cross-reference other bugs against.

[zyclonite]

what about creating an additional container tag like -nft or have an env to toggle?

i am running on fedora coreos and nftables by default so i tried out the following
https://github.com/zyclonite/tailscale-docker/blob/55b0edd41d406ac19aa994efb04f8afe496c8b3f/Dockerfile
and this seems to work all fine

[DentonGentry]

It should be possible to detect this automatically, and much of the implementation to do so already exists. Requiring the user to use the correct container tag shouldn't be necessary.

[zyclonite]

on coreos for example just detecting that could be tricky as both variants exist... checking for existing rules on one of them would also be quite a hack...
i would still prefer a way to have some toggle to force the container