util/linuxfw: fix support for containers without IPv6 iptables filters (#11381)

There are container environments such as GitHub codespaces that have
partial IPv6 support - routing support is enabled at the kernel level,
but lacking IPv6 filter support in the iptables module.

In the specific example of the codespaces environment, this also has
pre-existing legacy iptables rules in the IPv4 tables, as such the
nascent firewall mode detection will always pick iptables.

We would previously fault trying to install rules to the filter table,
this catches that condition earlier, and disables IPv6 support under
these conditions.

Updates #5621
Updates #11344
Updates #11354

Signed-off-by: James Tucker <james@tailscale.com>

util/linuxfw/iptables_runner.go

@@ -73,12 +73,32 @@ func newIPTablesRunner(logf logger.Logf) (*iptablesRunner, error) {
 		if err != nil {
 			return nil, err
 		}
-		supportsV6NAT = checkSupportsV6NAT(ipt6, logf)
-		logf("v6nat = %v", supportsV6NAT)
+		supportsV6 = checkSupportsV6Filter(ipt6, logf)
+		if supportsV6 {
+			supportsV6NAT = checkSupportsV6NAT(ipt6, logf)
+		}
+		logf("v6filter = %v, v6nat = %v", supportsV6, supportsV6NAT)
 	}
 	return &iptablesRunner{ipt4, ipt6, supportsV6, supportsV6NAT}, nil
 }
 
+// checkSupportsV6Filter returns whether the system has a "filter" table in the
+// IPv6 tables. Some container environments such as GitHub codespaces have
+// limited local IPv6 support, and containers containing ip6tables, but do not
+// have kernel support for IPv6 filtering.
+// We will not enable IPv6 in these instances.
+func checkSupportsV6Filter(ipt *iptables.IPTables, logf logger.Logf) bool {
+	if ipt == nil {
+		return false
+	}
+	_, filterListErr := ipt.ListChains("filter")
+	if filterListErr == nil {
+		return true
+	}
+	logf("ipv6 unavailable due to missing filter table: %s", filterListErr)
+	return false
+}
+
 // checkSupportsV6NAT returns whether the system has a "nat" table in the
 // IPv6 netfilter stack.
 //