From aba683bb6144ac1b54df9d0ee7ad204f13b98524 Mon Sep 17 00:00:00 2001
From: Charlotte Brandhorst-Satzkorn <46385858+catzkorn@users.noreply.github.com>
Date: Fri, 11 Aug 2023 16:03:01 -0700
Subject: [PATCH] cmd/tailscale: rebind magicsock.Conn onConnect (#126)
We have been getting into routing loops due to the timing of when we bind sockets on starting the tailscale app. At this point, we do not have access to `VpnService.protect()` and are unable to protect the magicsock sockets, which causes a routing loop issue until we forcibly rebind about 10 minutes into the service being started. This change causes a rebind when the service is started, which restores connectivity in cases where the socket was unprotected.
Updates tailscale/corp#13814
---
 cmd/tailscale/main.go | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/cmd/tailscale/main.go b/cmd/tailscale/main.go
index 7a2ce96..ffc16c8 100644
--- a/cmd/tailscale/main.go
+++ b/cmd/tailscale/main.go
@@ -498,6 +498,17 @@ func (a *App) runBackend() error {
 return nil // even on error. see big TODO above.
 })
 })
+ log.Printf("onConnect: rebind required")
+ // TODO(catzkorn): When we start the android application
+ // we bind sockets before we have access to the VpnService.protect()
+ // function which is needed to avoid routing loops. When we activate
+ // the service we get access to the protect, but do not retrospectively
+ // protect the sockets already opened, which breaks connectivity.
+ // As a temporary fix, we rebind and protect the magicsock.Conn on connect
+ // which restores connectivity.
+ // See https://github.com/tailscale/corp/issues/13814
+ b.backend.DebugRebind()
+
 service = s
 return nil
 })
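Review bot: The result of `b.backend.DebugRebind()` is discarded on the added call just before `service = s`, so a rebind that fails would leave the magicsock sockets unprotected with nothing in the log to show it. Its signature is not visible in this hunk; if it returns an error, check it, e.g. `if err := b.backend.DebugRebind(); err != nil { log.Printf("onConnect: rebind failed: %v", err) }`. The unconditional `log.Printf("onConnect: rebind required")` reads like a detected condition rather than a workaround that always runs, and the context line `return nil // even on error` suggests protect() failures are swallowed as well, so the log is the only evidence of either failure. runBackend starts and ends outside the hunk.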