From 055117ad45076672ea6faae258f5a9a0b1c90d30 Mon Sep 17 00:00:00 2001
From: James Tucker
Date: Fri, 8 Mar 2024 15:46:21 -0800
Subject: [PATCH] util/linuxfw: fix support for containers without IPv6 iptables filters (#11381)

There are container environments such as GitHub codespaces that have partial IPv6 support - routing support is enabled at the kernel level, but lacking IPv6 filter support in the iptables module. In the specific example of the codespaces environment, this also has pre-existing legacy iptables rules in the IPv4 tables, as such the nascent firewall mode detection will always pick iptables. We would previously fault trying to install rules to the filter table, this catches that condition earlier, and disables IPv6 support under these conditions. Updates #5621 Updates #11344 Updates #11354
Signed-off-by: James Tucker
---
 util/linuxfw/iptables_runner.go | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/util/linuxfw/iptables_runner.go b/util/linuxfw/iptables_runner.go
index 117a4fb92..090356798 100644
--- a/util/linuxfw/iptables_runner.go
+++ b/util/linuxfw/iptables_runner.go
@@ -73,12 +73,32 @@ func newIPTablesRunner(logf logger.Logf) (*iptablesRunner, error) {
 		if err != nil {
 			return nil, err
 		}
-		supportsV6NAT = checkSupportsV6NAT(ipt6, logf)
-		logf("v6nat = %v", supportsV6NAT)
+		supportsV6 = checkSupportsV6Filter(ipt6, logf)
+		if supportsV6 {
+			supportsV6NAT = checkSupportsV6NAT(ipt6, logf)
+		}
+		logf("v6filter = %v, v6nat = %v", supportsV6, supportsV6NAT)
 	}
 	return &iptablesRunner{ipt4, ipt6, supportsV6, supportsV6NAT}, nil
 }
 
+// checkSupportsV6Filter returns whether the system has a "filter" table in the
+// IPv6 tables. Some container environments such as GitHub codespaces have
+// limited local IPv6 support, and containers containing ip6tables, but do not
+// have kernel support for IPv6 filtering.
+// We will not enable IPv6 in these instances.
+func checkSupportsV6Filter(ipt *iptables.IPTables, logf logger.Logf) bool {
+	if ipt == nil {
+		return false
+	}
+	_, filterListErr := ipt.ListChains("filter")
+	if filterListErr == nil {
+		return true
+	}
+	logf("ipv6 unavailable due to missing filter table: %s", filterListErr)
+	return false
+}
+
 // checkSupportsV6NAT returns whether the system has a "nat" table in the
 // IPv6 netfilter stack.
 //
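Review bot: checkSupportsV6Filter treats every error from `ipt.ListChains("filter")` as "the filter table is missing", and the log line asserts that cause, although nothing in the hunk inspects the error. An ip6tables invocation that fails for another reason (a transient failure of the binary, missing privileges, the xtables lock held by another process) would then start the runner with IPv6 disabled and no IPv6 filter rules on a host where IPv6 filtering does work, while the log points operators at the wrong cause. The message should at least report what was observed rather than the assumed reason, e.g. `logf("ipv6 unavailable: listing chains in the ip6tables filter table failed: %v", filterListErr)`, and if the returned error type exposes the exit status or message text, matching only the table-does-not-exist case would keep other failures from downgrading the firewall. The same consideration presumably applies to checkSupportsV6NAT, whose body is outside this hunk; newIPTablesRunner also starts above the hunk, so where supportsV6 is first assigned is not visible here.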