util/linuxfw,wgengine/router: allow incoming CGNAT range traffic with nodeattr

Clients with the newly added node attribute
`"disable-linux-cgnat-drop-rule"` will not automatically drop inbound
traffic on non-Tailscale network interfaces with the source IP in the
CGNAT IP range. This is an initial proof-of-concept for enabling
connectivity with off-Tailnet CGNAT endpoints.

Fixes tailscale/corp#36270.

Signed-off-by: Naman Sood <mail@nsood.in>

wgengine/router/router.go

@@ -132,10 +132,11 @@ type Config struct {
 	SubnetRoutes []netip.Prefix
 
 	// Linux-only things below, ignored on other platforms.
-	SNATSubnetRoutes  bool                   // SNAT traffic to local subnets
-	StatefulFiltering bool                   // Apply stateful filtering to inbound connections
-	NetfilterMode     preftype.NetfilterMode // how much to manage netfilter rules
-	NetfilterKind     string                 // what kind of netfilter to use ("nftables", "iptables", or "" to auto-detect)
+	SNATSubnetRoutes    bool                   // SNAT traffic to local subnets
+	StatefulFiltering   bool                   // Apply stateful filtering to inbound connections
+	NetfilterMode       preftype.NetfilterMode // how much to manage netfilter rules
+	NetfilterKind       string                 // what kind of netfilter to use ("nftables", "iptables", or "" to auto-detect)
+	RemoveCGNATDropRule bool                   // whether to remove the firewall rule to drop non-Tailscale inbound traffic from CGNAT IPs
 }
 
 func (a *Config) Equal(b *Config) bool {