util/linuxfw,wgengine/router: allow incoming CGNAT range traffic with nodeattr

Clients with the newly added node attribute
`"disable-linux-cgnat-drop-rule"` will not automatically drop inbound
traffic on non-Tailscale network interfaces with the source IP in the
CGNAT IP range. This is an initial proof-of-concept for enabling
connectivity with off-Tailnet CGNAT endpoints.

Fixes tailscale/corp#36270.

Signed-off-by: Naman Sood <mail@nsood.in>

tstest/natlab/vnet/conf.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/google/gopacket/layers"
 	"github.com/google/gopacket/pcapgo"
+	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/must"
 	"tailscale.com/util/set"
@@ -137,6 +138,8 @@ func (c *Config) AddNode(opts ...any) *Node {
 			}
 		case MAC:
 			n.mac = o
+		case tailcfg.NodeCapMap:
+			n.capMap = o
 		default:
 			if n.err == nil {
 				n.err = fmt.Errorf("unknown AddNode option type %T", o)
@@ -225,6 +228,7 @@ type Node struct {
 	preICMPPing     bool
 	verboseSyslog   bool
 	dontJoinTailnet bool
+	capMap          tailcfg.NodeCapMap
 
 	// TODO(bradfitz): this is halfway converted to supporting multiple NICs
 	// but not done. We need a MAC-per-Network.
@@ -318,6 +322,12 @@ func (n *Node) ShouldJoinTailnet() bool {
 	return !n.dontJoinTailnet
 }
 
+// WantCapMap returns the [tailcfg.NodeCapMap] that control should send down to
+// this node, if any.
+func (n *Node) WantCapMap() tailcfg.NodeCapMap {
+	return n.capMap
+}
+
 // IsV6Only reports whether this node is only connected to IPv6 networks.
 func (n *Node) IsV6Only() bool {
 	for _, net := range n.nets {