diff --git a/net/netns/netns_linux.go b/net/netns/netns_linux.go
index ec13e389e..d94920d57 100644
--- a/net/netns/netns_linux.go
+++ b/net/netns/netns_linux.go
@@ -65,9 +65,9 @@ func socketMarkWorks() bool {
 
 var forceBindToDevice = envknob.Bool("TS_FORCE_LINUX_BIND_TO_DEVICE")
 
-// useSocketMark reports whether SO_MARK works.
+// UseSocketMark reports whether SO_MARK is in use.
 // If it doesn't, we have to use SO_BINDTODEVICE on our sockets instead.
-func useSocketMark() bool {
+func UseSocketMark() bool {
 	if forceBindToDevice {
 		return false
 	}
@@ -103,7 +103,7 @@ func controlC(network, address string, c syscall.RawConn) error {
 	var sockErr error
 	err := c.Control(func(fd uintptr) {
-		if useSocketMark() {
+		if UseSocketMark() {
 			sockErr = setBypassMark(fd)
 		} else {
 			sockErr = bindToDevice(fd)
diff --git a/wgengine/magicsock/magicsock_linux.go b/wgengine/magicsock/magicsock_linux.go
index ae2c42c52..71e39cacb 100644
--- a/wgengine/magicsock/magicsock_linux.go
+++ b/wgengine/magicsock/magicsock_linux.go
@@ -18,6 +18,7 @@
 	"golang.org/x/net/bpf"
 	"golang.org/x/sys/unix"
 	"tailscale.com/envknob"
+	"tailscale.com/net/netns"
 	"tailscale.com/types/key"
 )
 
@@ -128,6 +129,11 @@ func (c *Conn) listenRawDisco(family string) (io.Closer, error) {
 		return nil, errors.New("raw disco listening disabled by debug flag")
 	}
 
+	// https://github.com/tailscale/tailscale/issues/5607
+	if !netns.UseSocketMark() {
+		return nil, errors.New("raw disco listening disabled, SO_MARK unavailable")
+	}
+
 	var (
 		network string
 		addr string
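Review bot: The rewritten doc comment on `UseSocketMark` leaves the next sentence dangling: "If it doesn't" referred to "works", which the new first line drops, and "is in use" tells a caller outside the package (the function is now exported) nothing about the `TS_FORCE_LINUX_BIND_TO_DEVICE` knob that the visible body forces to false before any capability check. Suggest replacing both lines with `// UseSocketMark reports whether our sockets use SO_MARK (setBypassMark).` / `// It is false when TS_FORCE_LINUX_BIND_TO_DEVICE is set or SO_MARK does not` / `// work; SO_BINDTODEVICE (bindToDevice) is used instead in that case.` The "does not work" part presumably comes from socketMarkWorks, which the hunk header names but whose call is outside the hunk, so confirm before wording it that way. UseSocketMark's body continues past the end of the hunk.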
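Review bot: The new error text `SO_MARK unavailable` in listenRawDisco is misleading when `netns.UseSocketMark` returns false only because `TS_FORCE_LINUX_BIND_TO_DEVICE` is set (the first hunk shows that knob forcing false unconditionally), so an operator who set the knob is told a kernel feature is missing; suggest `return nil, errors.New("raw disco listening disabled: SO_MARK not in use (unsupported or TS_FORCE_LINUX_BIND_TO_DEVICE set)")`. The comment above the check is a bare issue link; a one-line reason belongs inline so a reader does not need the tracker, e.g. `// Raw disco sockets depend on the SO_MARK bypass used by netns; see issue 5607 for what breaks without it.` — the exact failure mode is not visible here, so whoever knows #5607 should word it. Returning an error here presumably makes the node fall back to the non-raw disco path; the callers of listenRawDisco, outside this hunk, should log that error at startup so the degraded mode is observable rather than silent. listenRawDisco's body continues past the end of the hunk.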