ipn/ipnlocal: show warnings about reverse path filtering

Open andrew-d opened this issue 1 year ago • 3 comments

Updates tailscale/tailscale#4432
Depends on tailscale/tailscale-www#1656

Change-Id: I519656b70d07a61b9308aad196fba982fc3ca8fc
Signed-off-by: Andrew Dunham [email protected]

andrew-d Sep 20 '22 19:09

This is what it looks like on my local machine:

$ sudo curl -fsS --unix-socket /tmp/tailscaled.usermode.sock http://localhost/localapi/v0/check-ip-forwarding | jq -r .Warning
IPv6 forwarding is disabled.
Subnet routes and exit nodes may not work correctly.
See https://tailscale.com/kb/1104/enable-ip-forwarding/
Interface docker0 has strict reverse-path filtering enabled
Subnet routes and exit nodes may not work correctly.

andrew-d Sep 20 '22 19:09

I'm no expert on this, but I think this may not be sufficient; we may want to actually run this on all calls to tailscale up, not just when we're advertising an exit node (which is when we currently check IP forwarding). Thoughts? I can pull this out into a new local endpoint without too much difficulty, if so?

andrew-d Sep 20 '22 19:09

@danderson - I think this is me being bad at reading comprehension; strict rp_filter breaks clients, not exit nodes. Pushed a change to have this run on all calls to tailscale up instead; thoughts?

andrew-d Sep 20 '22 20:09

This would also need to check for an iptables or nftables rule invoking the rpfilter netfilter module; AFAICT the rp_filter sysctl is deprecated.

There is hope of fixing the underlying problem so that we don't need a warning though, see discussions in https://github.com/tailscale/tailscale/issues/3310#issuecomment-1271412885 and https://github.com/tailscale/tailscale/issues/4432.

ncfavier Oct 14 '22 20:10

Force-pushed over this to just implement the "check for rp_filter" functionality, and will defer using it to another PR.

andrew-d Dec 19 '23 22:12
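
The sysctl half of the check discussed in this thread, as an added example that is not the code from this PR: it lists the interfaces whose effective IPv4 rp_filter is strict. The function names are hypothetical, the path is the standard Linux procfs location, and netfilter rpfilter rules (raised in the thread above) are not covered.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// readRPFilter parses confDir/<name>/rp_filter (0 = off, 1 = strict, 2 = loose).
func readRPFilter(confDir, name string) (int, error) {
	b, err := os.ReadFile(confDir + "/" + name + "/rp_filter")
	if err != nil {
		return 0, err
	}
	return strconv.Atoi(strings.TrimSpace(string(b)))
}

// strictRPFilterInterfaces (hypothetical name) returns, sorted by name, the
// interfaces whose effective IPv4 rp_filter value is 1 (strict).
func strictRPFilterInterfaces(confDir string) ([]string, error) {
	all, err := readRPFilter(confDir, "all")
	if err != nil {
		return nil, err
	}
	entries, err := os.ReadDir(confDir) // os.ReadDir sorts by filename
	if err != nil {
		return nil, err
	}
	var strict []string
	for _, e := range entries {
		name := e.Name()
		v, err := readRPFilter(confDir, name)
		if err != nil || name == "all" || name == "default" {
			continue // templates, or an interface that vanished mid-scan
		}
		if v < all {
			v = all // the kernel uses the larger of conf/all and conf/<iface>
		}
		if v == 1 {
			strict = append(strict, name)
		}
	}
	return strict, nil
}

func main() {
	strict, err := strictRPFilterInterfaces("/proc/sys/net/ipv4/conf")
	fmt.Println("strict rp_filter interfaces:", strict, "error:", err)
}
```

Because the effective value is the maximum of the two settings, an interface set to 0 still reports as strict when conf/all is 1, and an interface set to 2 stays loose either way.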