From c85cdabdfc4959d4d2c43b3cf56b2950fbb908d4 Mon Sep 17 00:00:00 2001
From: Jordan Whited
Date: Thu, 21 Aug 2025 13:59:23 -0700
Subject: [PATCH] net/udprelay: set ICMP err immunity sock opt (#16918)

Updates tailscale/corp#31506

Signed-off-by: Jordan Whited
---
 net/udprelay/server.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/udprelay/server.go b/net/udprelay/server.go
index 8aea8ae55..123813c16 100644
--- a/net/udprelay/server.go
+++ b/net/udprelay/server.go
@@ -458,7 +458,7 @@ func (c *singlePacketConn) WriteBatchTo(buffs [][]byte, addr netip.AddrPort, gen
 // reducing packet loss around crypto/syscall-induced delay.
 const socketBufferSize = 7 << 20
 
-func trySetSocketBuffer(pconn nettype.PacketConn, logf logger.Logf) {
+func trySetUDPSocketOptions(pconn nettype.PacketConn, logf logger.Logf) {
 directions := []sockopts.BufferDirection{sockopts.ReadDirection, sockopts.WriteDirection}
 for _, direction := range directions {
 errForce, errPortable := sockopts.SetBufferSize(pconn, direction, socketBufferSize)
@@ -469,6 +469,11 @@ func trySetSocketBuffer(pconn nettype.PacketConn, logf logger.Logf) {
 logf("failed to set UDP %v buffer size to %d: %v", direction, socketBufferSize, errPortable)
 }
 }
+
+ err := sockopts.SetICMPErrImmunity(pconn)
+ if err != nil {
+ logf("failed to set ICMP error immunity: %v", err)
+ }
 }
 
 // listenOn binds an IPv4 and IPv6 socket to port. We consider it successful if
@@ -494,7 +499,7 @@ func (s *Server) listenOn(port int) error {
 break
 }
 }
- trySetSocketBuffer(uc, s.logf)
+ trySetUDPSocketOptions(uc, s.logf)
 // TODO: set IP_PKTINFO sockopt
 _, boundPortStr, err := net.SplitHostPort(uc.LocalAddr().String())
 if err != nil {
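Review bot: The new `sockopts.SetICMPErrImmunity(pconn)` call in the second hunk is unexplained, and `trySetUDPSocketOptions` (signature in the first hunk) has no doc comment even though it now applies two unrelated options. I would add above the function `// trySetUDPSocketOptions applies best-effort options to pconn: larger buffers and ICMP error immunity. Failures are logged and ignored.`, plus a line on why the relay wants the immunity; judging by the name it keeps received ICMP errors from surfacing as socket errors, which should be confirmed against `sockopts`. Because a failure leaves the socket running without that protection, the log line would be more useful to an operator if it named the socket's local address, since `listenOn` binds both an IPv4 and an IPv6 socket. As a style point, the error can be scoped to the check: `if err := sockopts.SetICMPErrImmunity(pconn); err != nil {`.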