net/netns, version: enable interface binding for loopback addrs on sandboxed macosjonathan/dns_loopback

fixes tailscale/corp#27506

The bootstrapDNS code is unable to resolve log and derp endpoints when if the forward
dns is a local loopback addr while the tunnel is running.

Sandboxed macos requires that we bind to loopback addresses explicitly. tailscaled on mac must not.

Signed-off-by: Jonathan Nobels <jonathan@tailscale.com>

1 files changed, 4 insertions, 2 deletions

diff --git a/net/netns/netns_darwin.go b/net/netns/netns_darwin.go
index ac5e89d76..794b9b864 100644
--- a/net/netns/netns_darwin.go
+++ b/net/netns/netns_darwin.go
@@ -21,6 +21,7 @@ import (
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/logger"
+	"tailscale.com/version"
 )
 
 func control(logf logger.Logf, netMon *netmon.Monitor) func(network, address string, c syscall.RawConn) error {
@@ -38,8 +39,9 @@ var errInterfaceStateInvalid = errors.New("interface state invalid")
 // It's intentionally the same signature as net.Dialer.Control
 // and net.ListenConfig.Control.
 func controlLogf(logf logger.Logf, netMon *netmon.Monitor, network, address string, c syscall.RawConn) error {
-	if isLocalhost(address) {
-		// Don't bind to an interface for localhost connections.
+	// Don't bind to an interface for localhost connections for tailscaled.  We must still bind for
+	// the network extension variants.
+	if version.IsMacOSTailscaled() && isLocalhost(address) {
 		return nil
 	}