net/netutil: add function to check rp_filter value

[andrew-d]

Updates #4432

Signed-off-by: Andrew Dunham andrew@du.nham.ca
Change-Id: Ifc332a5747fc1feffdbb87437308cf8ecb21b0b0

[andrew-d]

This is what it looks like on my local machine:

$ sudo curl -fsS --unix-socket /tmp/tailscaled.usermode.sock http://localhost/localapi/v0/check-ip-forwarding | jq -r .Warning
IPv6 forwarding is disabled.
Subnet routes and exit nodes may not work correctly.
See https://tailscale.com/kb/1104/enable-ip-forwarding/
Interface docker0 has strict reverse-path filtering enabled
Subnet routes and exit nodes may not work correctly.

[andrew-d]

I'm no expert on this, but I think this may not be sufficient; we may want to actually run this on all calls to tailscale up, not just when we're advertising an exit node (which is when we currently check IP forwarding). Thoughts? I can pull this out into a new local endpoint without too much difficulty, if so?

[danderson]

Got an example of a network setup where RPF breaks exit nodes? It's one of the few configurations I can think of where RPF strictness shouldn't matter.

[andrew-d]

@danderson - I think this is me being bad at reading comprehension; strict rp_filter breaks clients, not exit nodes. Pushed a change to have this run on all calls to tailscale up instead; thoughts?

[ramyfication]

Thanks for cc'ing me on this PR. I'm not familiar enough with this to give a proper review, but I've left some minor comments.

[ncfavier]

This would also need to check for an iptables or nftables rule invoking the rpfilter netfilter module; AFAICT the rp_filter sysctl is deprecated.

There is hope of fixing the underlying problem so that we don't need a warning though, see discussions in #3310 (comment) and #4432.

[andrew-d]

Force-pushed over this to just implement the "check for rp_filter" functionality, and will defer using it to another PR.