net/netns: set the bypass socket mark on linux.

This allows tailscaled's own traffic to bypass Tailscale-managed routes, so that things like tailscale-provided default routes don't break tailscaled itself. Progress on #144. Signed-off-by: David Anderson <danderson@tailscale.com>
2025-10-08 23:49:56 +00:00 · 2020-05-29 00:43:15 +00:00
parent 3fa58303d0
commit 5114df415e
8 changed files with 92 additions and 8 deletions
--- a/net/netns/netns.go
+++ b/net/netns/netns.go
@@ -13,9 +13,12 @@ package netns

 import (
 	"net"
-	"syscall"
+
+	"tailscale.com/syncs"
 )

+var skipPrivileged syncs.AtomicBool
+
 // Listener returns a new net.Listener with its Control hook func
 // initialized as necessary to run in logical network namespace that
 // doesn't route back into Tailscale.
@@ -30,11 +33,9 @@ func Dialer() *net.Dialer {
 	return &net.Dialer{Control: control}
 }

-// control marks c as necessary to dial in a separate network namespace.
-//
-// It's intentionally the same signature as net.Dialer.Control
-// and net.ListenConfig.Control.
-func control(network, address string, c syscall.RawConn) error {
-	// TODO: implement
-	return nil
+// TestOnlySkipPrivilegedOps disables any behavior in this package
+// that requires root or other elevated privileges. It's used only in
+// tests, and using it definitely breaks some Tailscale functionality.
+func TestOnlySkipPrivilegedOps() {
+	skipPrivileged.Set(true)
 }