tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License
18.48k stars 1.42k forks

FR: Fine grained firewall rules for Tailscale when using OneCGNATRoute #11497

Open Infinidoge opened 5 months ago

Infinidoge commented 5 months ago

What is the issue?

Relevant to #1381, Tailscale does not respect the OneCGNATRoute ACL setting. Tailscale should specifically set up firewall rules for individual IP addresses, as described in the documentation; however, instead it firewalls off the entire CGNAT. As described in the linked issue, this is disruptive. According to that section, this should be what is done by default on platforms that are not macOS, however this is not the case in practice.

As a personal practical solution, I ended up patching Tailscale to redefine the CGNAT so it would take up less space in the CGNAT.

(Shout-out to the Tailscale folks attending the SoCal Linux Expo for reminding me to make a bug report!)

Steps to reproduce

  1. Use Tailscale on Linux
  2. Observe that /32 addresses are not allocated in the firewall, and instead a /10 across the whole CGNAT is firewalled

Are there any recent changes that introduced the issue?

No response

OS

Linux

OS version

NixOS 24.05

Tailscale version

1.62.0

Other software

I am forcing Tailscale to use nftables through the debug override. As a fix to the issue, I patched Tailscale as described, with my commit here: https://github.com/Infinidoge/universe/commit/45e9fc405cf92a2f97b72e4b49a327377109a91d

Bug report

BUG-0bef8c3972ea6baa49c6ccb9d83d7872a6732d4317420fa0b199a1e4db397491-20240322015230Z-bf32dbc4ced60b44
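The observation in the report (a single /10 rule covering the whole CGNAT range rather than per-peer /32 rules) is easy to check from `nft list chain` output. The script below is an added example written for this page, not Tailscale's own code; it parses constructed sample rule lines in the shape of nftables `ip saddr ... accept` output and flags accept rules inside 100.64.0.0/10 that admit more than one host. The sample rules, the `RULE_RE` pattern and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample in the shape of `nft list chain` output (not captured
# from a real host). The first rule is the broad CGNAT allow the issue
# describes; the next two are the per-peer /32 form the reporter expected.
SAMPLE_RULES = """\
ip saddr 100.64.0.0/10 accept
ip saddr 100.101.102.103 accept
ip saddr 100.110.7.42/32 accept
ip saddr 10.0.0.0/8 drop
"""

# The CGNAT range used by Tailscale for node addresses.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Hypothetical matcher for source-address rules with a verdict.
RULE_RE = re.compile(r"ip saddr (\S+) (accept|drop)")


def parse_rules(text):
    """Return (network, verdict) tuples for each source-address rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line.strip())
        if not m:
            continue
        # strict=False tolerates host bits set in the printed prefix;
        # a bare address parses as a /32.
        net = ipaddress.ip_network(m.group(1), strict=False)
        rules.append((net, m.group(2)))
    return rules


def broad_cgnat_accepts(rules):
    """Accept rules inside the CGNAT range that cover more than one host."""
    return [
        str(net)
        for net, verdict in rules
        if verdict == "accept" and net.subnet_of(CGNAT) and net.prefixlen < 32
    ]


def host_cgnat_accepts(rules):
    """Per-peer (/32) accept rules inside the CGNAT range."""
    return [
        str(net)
        for net, verdict in rules
        if verdict == "accept" and net.subnet_of(CGNAT) and net.prefixlen == 32
    ]


def audit(text):
    """Summarise whether the chain firewalls the whole CGNAT or individual peers."""
    rules = parse_rules(text)
    broad = broad_cgnat_accepts(rules)
    hosts = host_cgnat_accepts(rules)
    return {"broad": broad, "hosts": hosts, "whole_cgnat_open": bool(broad)}


if __name__ == "__main__":
    result = audit(SAMPLE_RULES)
    for net in result["broad"]:
        print(f"broad CGNAT accept: {net}")
    for net in result["hosts"]:
        print(f"per-peer accept:    {net}")
```

On a real host the input would come from `nft list chain` for the chain Tailscale manages; any entry in `broad` means traffic from any address in the CGNAT block is admitted, not only from configured peers, which is the behaviour the reporter found disruptive.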

Infinidoge commented 5 months ago

From a comment after mine in the mentioned issue, it is likely that I misunderstood what the feature was for. Assuming so, this issue might be recreated as a request for fine-grained firewall rules.