net/netns: set the bypass socket mark on linux.

This allows tailscaled's own traffic to bypass Tailscale-managed routes,
so that things like tailscale-provided default routes don't break
tailscaled itself.

Progress on #144.

Signed-off-by: David Anderson <danderson@tailscale.com>

wgengine/magicsock/magicsock_test.go

@@ -26,6 +26,7 @@ import (
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/derp/derpmap"
+	"tailscale.com/net/netns"
 	"tailscale.com/net/stun/stuntest"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
@@ -35,6 +36,10 @@ import (
 	"tailscale.com/wgengine/tstun"
 )
 
+func init() {
+	netns.TestOnlySkipPrivilegedOps()
+}
+
 // WaitReady waits until the magicsock is entirely initialized and connected
 // to its home DERP server. This is normally not necessary, since magicsock
 // is intended to be entirely asynchronous, but it helps eliminate race

wgengine/router/router_linux.go

@@ -44,6 +44,9 @@ const (
 	tailscaleSubnetRouteMark = "0x10000"
 	// Packet was originated by tailscaled itself, and must not be
 	// routed over the Tailscale network.
+	//
+	// Keep this in sync with tailscaleBypassMark in
+	// net/netns/netns_linux.go.
 	tailscaleBypassMark = "0x20000"
 )
 

wgengine/watchdog_test.go

@@ -11,10 +11,15 @@ import (
 	"testing"
 	"time"
 
+	"tailscale.com/net/netns"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/tstun"
 )
 
+func init() {
+	netns.TestOnlySkipPrivilegedOps()
+}
+
 func TestWatchdog(t *testing.T) {
 	t.Parallel()