TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-05-06 07:37:38 +00:00
Code Issues Packages Projects Releases Wiki Activity

wgengine: return explicit lo0 for loopback addrs on sandboxed macOS (#15493)

Browse Source 
fixes tailscale/corp#27506

The source address link selection on sandboxed macOS doesn't deal
with loopback addresses correctly.  This adds an explicit check to ensure
we return the loopback interface for loopback addresses instead of the
default empty interface.

Specifically, this allows the dns resolver to route queries to a loopback
IP which is a common tactic for local DNS proxies.

Tested on both macos, macsys and tailscaled.  Forwarded requests to
127/8 all bound to lo0.

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>
This commit is contained in:
Jonathan Nobels 2025-04-01 13:20:46 -04:00 committed by GitHub
parent 886ab4fad4
commit fb47824d74
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
wgengine/userspace.go
View File

@ -1580,6 +1580,12 @@ type fwdDNSLinkSelector struct {
}
func (ls fwdDNSLinkSelector) PickLink(ip netip.Addr) (linkName string) {
// sandboxed macOS does not automatically bind to the loopback interface so
// we must be explicit about it.
if runtime.GOOS == "darwin" && ip.IsLoopback() {
return "lo0"
}
if ls.ue.isDNSIPOverTailscale.Load()(ip) {
return ls.tunName
}