enable IP forwarding via entrypoint (fixes IPv6 subnet routes)

tailscaled does not reliably enable IPv6 forwarding inside a container
network namespace ('IPv6 forwarding is disabled'), so advertised IPv6
subnet routes silently fail. Add a tiny entrypoint.sh that sets
net.ipv4.ip_forward and net.ipv6.conf.all.forwarding (writable inside a
RouterOS container netns), then exec's tailscaled. Built in the builder
stage so it stays in the single /usr/local/bin COPY layer.

Verified: privileged run flips v6 forwarding 0->1 and exec's tailscaled
with CMD args intact.

Dockerfile

@@ -166,7 +166,8 @@ RUN mkdir -p /out/usrlocalbin && \
 # overlayfs single-copy property). `exec` keeps tailscaled as PID 1.
 RUN printf '%s\n' \
       '#!/bin/sh' \
-      '# Enable IPv4/IPv6 forwarding. Required for advertised subnet routes and' \
+      '# Enable IPv4/IPv6 forwarding (best-effort; sysctls are writable inside' \
+      '# a RouterOS container netns). Required for advertised subnet routes and' \
       '# exit-node functionality.' \
       'for f in /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv6/conf/all/forwarding; do' \
       '  if [ -w "$f" ]; then echo 1 > "$f" 2>/dev/null || echo "warn: could not write $f"; fi' \

docs/USAGE.md

@@ -120,6 +120,12 @@ The node now appears in your Tailscale admin console. Approve the advertised
 routes / exit node there. Because the auth state is written to the persisted
 `tailscaled.state`, you only do this once — it survives reboots and updates.
 
+> **IP forwarding** (IPv4 and IPv6) is enabled automatically by the container's
+> entrypoint, so advertised subnet routes and exit-node traffic work without any
+> extra `sysctl`/`/container` configuration. (IPv6 forwarding in particular is
+> not reliably enabled by `tailscaled` itself inside a container network
+> namespace, so the entrypoint sets it explicitly.)
+
 ### 6. Enable automatic updates
 
 First, edit the `CONFIG` block at the top of `routeros/update-tailscale.rsc` if