From 36bf277560e07e094b57113c461bfc9f91cddca8 Mon Sep 17 00:00:00 2001
From: Charlotte Brandhorst-Satzkorn
Date: Fri, 11 Aug 2023 14:30:40 -0700
Subject: [PATCH] cmd/tailscale: rebind magicsock.Conn onConnect

We have been getting into routing loops due to the timing of when we bind sockets on starting the tailscale app. At this point, we do not have access to `VpnService.protect()` and are unable to protect the magicsock sockets, which causes a routing loop issue until we forcibly rebind about 10 minutes into the service being started. This change causes a rebind when the service is started, which restores connectivity in cases where the socket was unprotected.

Updates tailscale/corp#13814
---
cmd/tailscale/main.go | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/cmd/tailscale/main.go b/cmd/tailscale/main.go
index 7a2ce96..ffc16c8 100644
--- a/cmd/tailscale/main.go
+++ b/cmd/tailscale/main.go
@@ -498,6 +498,17 @@ func (a *App) runBackend() error {
 return nil // even on error. see big TODO above.
 })
 })
+ log.Printf("onConnect: rebind required")
+ // TODO(catzkorn): When we start the android application
+ // we bind sockets before we have access to the VpnService.protect()
+ // function which is needed to avoid routing loops. When we activate
+ // the service we get access to the protect, but do not retrospectively
+ // protect the sockets already opened, which breaks connectivity.
+ // As a temporary fix, we rebind and protect the magicsock.Conn on connect
+ // which restores connectivity.
+ // See https://github.com/tailscale/corp/issues/13814
+ b.backend.DebugRebind()
+
 service = s
 return nil
 })
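Review bot: The added `b.backend.DebugRebind()` call discards whatever it returns, and the context line above it (`return nil // even on error`) shows that protect failures are already swallowed, so after this change nothing in the logs says whether the magicsock sockets were actually rebound and protected. If DebugRebind returns an error (its signature is not visible in this hunk), check it: `if err := b.backend.DebugRebind(); err != nil { log.Printf("onConnect: rebind failed: %v", err) }`. The message `"onConnect: rebind required"` is printed on every connect without any check, so a wording such as `"onConnect: rebinding magicsock"` would not suggest that a condition was detected. runBackend and the enclosing closures start and end outside the hunk.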