Conditionally calculate allowed IP range for older devices, but keep using excludeRoute on API 33+

Signed-off-by: Pawloland <59684145+Pawloland@users.noreply.github.com>

Author: Pawloland

android/src/main/java/com/tailscale/ipn/App.kt

@@ -300,6 +300,8 @@ class App : UninitializedApp(), libtailscale.AppContext, ViewModelStoreOwner {
 
   override fun getOSVersion(): String = Build.VERSION.RELEASE
 
+  override fun getSDKInt(): Int = Build.VERSION.SDK_INT
+
   override fun isChromeOS(): Boolean {
     return packageManager.hasSystemFeature("android.hardware.type.pc")
   }

libtailscale/interfaces.go

@@ -36,6 +36,9 @@ type AppContext interface {
 	// GetOSVersion gets the Android version.
 	GetOSVersion() (string, error)
 
+	// GetSDKInt returns the Android SDK_INT (android.os.Build.VERSION.SDK_INT).
+	GetSDKInt() (int, error)
+
 	// GetDeviceName gets the Android device's user-set name, or hardware model name as a fallback.
 	GetDeviceName() (string, error)
 

libtailscale/net.go

@@ -13,6 +13,7 @@ import (
 	"syscall"
 
 	"github.com/tailscale/tailscale-android/libtailscale/ifaceparse"
+	rangescalc "github.com/tailscale/tailscale-android/libtailscale/ranges_calc"
 	"github.com/tailscale/wireguard-go/tun"
 	"tailscale.com/net/dns"
 	"tailscale.com/net/netmon"
@@ -117,36 +118,69 @@ func (b *backend) updateTUN(rcfg *router.Config, dcfg *dns.OSConfig) error {
 		b.logger.Logf("updateTUN: set nameservers")
 	}
 
-	// Calculate effective allowed routes (Routes minus LocalRoutes) and add them to the builder.
-	prefixesV4, prefixesV6 := newRangesCalc(rcfg.Routes, rcfg.LocalRoutes).calculate()
+	// Decide whether to use ExcludeRoute (API 33+) or compute included prefixes
+	// and pass them to AddRoute (older APIs).
+	useExclude := false
+	if sdk, err := b.appCtx.GetSDKInt(); err == nil && sdk >= 33 {
+		useExclude = true
+	}
 
-	for _, route := range prefixesV4 {
-		// Normalize route address; Builder.addRoute does not accept non-zero masked bits.
-		route = route.Masked()
-		if err := builder.AddRoute(route.Addr().String(), int32(route.Bits())); err != nil {
-			return err
+	if useExclude {
+		// For API 33+, use ExcludeRoute for LocalRoutes and AddRoute for Routes.
+		for _, route := range rcfg.Routes {
+			// Normalize route address; Builder.addRoute does not accept non-zero masked bits.
+			route = route.Masked()
+			if err := builder.AddRoute(route.Addr().String(), int32(route.Bits())); err != nil {
+				return err
+			}
 		}
-	}
-	for _, route := range prefixesV6 {
-		// Normalize route address; Builder.addRoute does not accept non-zero masked bits.
-		route = route.Masked()
-		if err := builder.AddRoute(route.Addr().String(), int32(route.Bits())); err != nil {
+
+		for _, route := range rcfg.LocalRoutes {
+			addr := route.Addr()
+			if addr.IsLoopback() {
+				continue // Skip the loopback addresses since VpnService throws an exception for those (both IPv4 and IPv6) - see https://android.googlesource.com/platform/frameworks/base/+/c741553/core/java/android/net/VpnService.java#303
+			}
+			route = route.Masked()
+			if err := builder.ExcludeRoute(route.Addr().String(), int32(route.Bits())); err != nil {
+				return err
+			}
+		}
+
+		b.logger.Logf("updateTUN: added %d routes (exclude-mode), localRoutes=%d", len(rcfg.Routes), len(rcfg.LocalRoutes))
+	} else {
+		// Older APIs: compute allowed-minus-disallowed prefixes and AddRoute them.
+		prefixesV4, prefixesV6, err := rangescalc.Calculate(rcfg.Routes, rcfg.LocalRoutes)
+		if err != nil {
+			b.logger.Logf("updateTUN: route calculation error: %v", err)
 			return err
 		}
-	}
 
-	b.logger.Logf(
-		"updateTUN: added routes: v4=%d v6=%d total=%d (input routes=%d, localRoutes=%d)",
-		len(prefixesV4),
-		len(prefixesV6),
-		len(prefixesV4)+len(prefixesV6),
-		len(rcfg.Routes),
-		len(rcfg.LocalRoutes),
-	)
-	b.logger.Logf("updateTUN: input routes: %v", rcfg.Routes)
-	b.logger.Logf("updateTUN: input local routes: %v", rcfg.LocalRoutes)
-	b.logger.Logf("updateTUN: effective routes v4: %v", prefixesV4)
-	b.logger.Logf("updateTUN: effective routes v6: %v", prefixesV6)
+		for _, route := range prefixesV4 {
+			route = route.Masked()
+			if err := builder.AddRoute(route.Addr().String(), int32(route.Bits())); err != nil {
+				return err
+			}
+		}
+		for _, route := range prefixesV6 {
+			route = route.Masked()
+			if err := builder.AddRoute(route.Addr().String(), int32(route.Bits())); err != nil {
+				return err
+			}
+		}
+
+		b.logger.Logf(
+			"updateTUN: added routes: v4=%d v6=%d total=%d (input routes=%d, localRoutes=%d)",
+			len(prefixesV4),
+			len(prefixesV6),
+			len(prefixesV4)+len(prefixesV6),
+			len(rcfg.Routes),
+			len(rcfg.LocalRoutes),
+		)
+		b.logger.Logf("updateTUN: input routes: %v", rcfg.Routes)
+		b.logger.Logf("updateTUN: input local routes: %v", rcfg.LocalRoutes)
+		b.logger.Logf("updateTUN: effective routes v4: %v", prefixesV4)
+		b.logger.Logf("updateTUN: effective routes v6: %v", prefixesV6)
+	}
 
 	for _, addr := range rcfg.LocalAddrs {
 		if err := builder.AddAddress(addr.Addr().String(), int32(addr.Bits())); err != nil {