checkIPv6 checks whether the system appears to have a working IPv6 network stack.

DebugNetfilter prints debug information about iptables rules to the provided log function.

DebugNetfilter prints debug information about netfilter rules to the provided log function.

IPTablesCleanUp removes all Tailscale added iptables rules.

New creates a NetfilterRunner, auto-detecting whether to use nftables or iptables.

NfTablesCleanUp removes all Tailscale added nftables rules.

Packet was originated by tailscaled itself, and must not be routed over the Tailscale network.

The following bits are added to packet marks for Tailscale use.

The mask for reading/writing the 'firewall mask' bits on a packet.

The following bits are added to packet marks for Tailscale use.

Packet is from Tailscale and to a subnet route destination, so is allowed to be routed through this machine.

The following bits are added to packet marks for Tailscale use.

// PortMap is the port mapping for a service rule.

NetfilterRunner abstracts helpers to run netfilter commands.

MatchDecision is the decision made by the firewall for a packet matched by a rule.