From 0ce67ccda6f01c4837a638cdc558c4e8b6f797fb Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@tailscale.com>
Date: Wed, 20 Apr 2022 10:14:07 -0700
Subject: [PATCH] wgengine/router: make supportsV6NAT check catch more cases

Updates #4459

Change-Id: Ic27621569d2739298e652769d10e38608c6012be
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
---
 wgengine/router/router_linux.go | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/wgengine/router/router_linux.go b/wgengine/router/router_linux.go
index c206875c2..687cc411b 100644
--- a/wgengine/router/router_linux.go
+++ b/wgengine/router/router_linux.go
@@ -1514,8 +1514,14 @@ func supportsV6NAT() bool {
 		// Can't read the file. Assume SNAT works.
 		return true
 	}
-
-	return bytes.Contains(bs, []byte("nat\n"))
+	if bytes.Contains(bs, []byte("nat\n")) {
+		return true
+	}
+	// In nftables mode, that proc file will be empty. Try another thing:
+	if exec.Command("modprobe", "ip6table_nat").Run() == nil {
+		return true
+	}
+	return false
 }
 
 func checkIPRuleSupportsV6(logf logger.Logf) error {