wgengine: return explicit lo0 for loopback addrs on sandboxed macOS

fixes tailscale/tailscale#TODO The source address link selection on sandboxed macOS doesn't deal with loopback addresses correctly. This adds an explicit check to ensure we return the loopback interface for loopback addresses instead of the default empty interface. Specifcially, this allows the dns resolver to route queries to a loopback IP which is a common tactic for local DNS proxies.
2025-03-27 19:43:01 +00:00 · 2025-03-24 15:35:18 -04:00 · 2025-03-24 15:35:18 -04:00 · 82ca894ff5
commit 82ca894ff5
parent 156cd53e77
1 changed files with 5 additions and 0 deletions
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@ -1580,6 +1580,11 @@ type fwdDNSLinkSelector struct {
 }

 func (ls fwdDNSLinkSelector) PickLink(ip netip.Addr) (linkName string) {
+	// sandboxed macOS needs some extra hand-holding for loopback addresses.
+	if ip.IsLoopback() && version.IsSandboxedMacOS() {
+		return "lo0"
+	}
+
 	if ls.ue.isDNSIPOverTailscale.Load()(ip) {
 		return ls.tunName
 	}