util/linuxfw,wgengine/router: allow incoming CGNAT range traffic with nodeattr

Clients with the newly added node attribute
`"disable-linux-cgnat-drop-rule"` will not automatically drop inbound
traffic on non-Tailscale network interfaces with the source IP in the
CGNAT IP range. This is an initial proof-of-concept for enabling
connectivity with off-Tailnet CGNAT endpoints.

Fixes tailscale/corp#36270.

Signed-off-by: Naman Sood <mail@nsood.in>

tstest/integration/nat/nat_test.go

@@ -197,6 +197,22 @@ func sameLAN(c *vnet.Config) *vnet.Node {
 	return c.AddNode(nw)
 }
 
+func sameLANNoDropCGNAT(c *vnet.Config) *vnet.Node {
+	nw := c.FirstNetwork()
+	if nw == nil {
+		return nil
+	}
+	if !nw.CanTakeMoreNodes() {
+		return nil
+	}
+	return c.AddNode(
+		nw,
+		tailcfg.NodeCapMap{
+			tailcfg.NodeAttrDisableLinuxCGNATDropRule: nil,
+		},
+	)
+}
+
 func one2one(c *vnet.Config) *vnet.Node {
 	n := c.NumNodes() + 1
 	return c.AddNode(c.AddNetwork(
@@ -437,6 +453,11 @@ func (nt *natTest) setupTest(ctx context.Context, addNode ...addNodeFunc) (nodes
 					return fmt.Errorf("%v status: %w", node, err)
 				}
 
+				if capMap := node.WantCapMap(); capMap != nil {
+					nt.tb.Logf("using capmap for %s: %+v", node.String(), capMap)
+					nt.vnet.ControlServer().SetNodeCapMap(st.Self.PublicKey, capMap)
+				}
+
 				if st.BackendState != "Running" {
 					return fmt.Errorf("%v state = %q", node, st.BackendState)
 				}
@@ -788,11 +809,8 @@ func cgnatNoTailnet(c *vnet.Config) *vnet.Node {
 }
 
 func TestNonTailscaleCGNATEndpoint(t *testing.T) {
-	if !*knownBroken {
-		t.Skip("skipping known-broken test; set --known-broken to run; see https://github.com/tailscale/corp/issues/36270")
-	}
 	nt := newNatTest(t)
-	if !nt.runHostConnectivityTest(cgnatNoTailnet, sameLAN) {
+	if !nt.runHostConnectivityTest(cgnatNoTailnet, sameLANNoDropCGNAT) {
 		t.Fatalf("could not ping")
 	}
 }