From fa57a93d808a0017fc1ea84cb30fb3ed42399da4 Mon Sep 17 00:00:00 2001
From: Lanius-collaris <55432068+Lanius-collaris@users.noreply.github.com>
Date: Tue, 29 Apr 2025 08:50:45 +0800
Subject: [PATCH 1/2] intra/tcp.go: don't create TCP endpoint before Dial() returns
---
 intra/tcp.go | 13 +++++-------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/intra/tcp.go b/intra/tcp.go
index 4d8d7020..9d61ff87 100644
--- a/intra/tcp.go
+++ b/intra/tcp.go
@@ -186,14 +186,6 @@ func (h *tcpHandler) Proxy(gconn *netstack.GTCPConn, src, target netip.AddrPort)
 		return deny
 	}
 
-	// handshake; since we assume a duplex-stream from here on
-	if open, err = gconn.Establish(); !open {
-		log.E("tcp: %s connect err %v; %s => %s for %s", cid, err, src, target, uid)
-		clos(gconn)
-		h.queueSummary(smm.done(err))
-		return deny // == !open
-	}
-
 	if isAnyBasePid(pids) { // see udp.go:Connect
 		if h.dnsOverride(gconn, target, uid) {
 			// SocketSummary not sent; x.DNSSummary supercedes it
@@ -270,6 +262,11 @@ func (h *tcpHandler) handle(px ipn.Proxy, src net.Conn, boundSrc, target netip.A
 		return err
 	}
 
+	gconn := src.(*netstack.GTCPConn)
+	if open, err := gconn.Establish(); !open {
+		return err
+	}
+
 	core.Go("tcp.forward."+smm.ID, func() {
 		h.forward(src, rwext{dst, tcptimeout}, smm) // src always *gonet.TCPConn
 	})
From 8b5e5e6a9704586413a9cee0243e4df36fb41037 Mon Sep 17 00:00:00 2001
From: Lanius-collaris <55432068+Lanius-collaris@users.noreply.github.com>
Date: Tue, 13 May 2025 09:59:40 +0800
Subject: [PATCH 2/2] Update intra/tcp.go
---
 intra/tcp.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/intra/tcp.go b/intra/tcp.go
index 9d61ff87..d8e6a7c2 100644
--- a/intra/tcp.go
+++ b/intra/tcp.go
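Review bot: `gconn := src.(*netstack.GTCPConn)` in the handle hunk is a single-value type assertion, so any other net.Conn handed to handle as src panics inside the handler instead of failing the one connection; the comment on the h.forward line says src is always the netstack conn, but a comma-ok form keeps a wrong caller from taking the whole handler down: `gconn, ok := src.(*netstack.GTCPConn)` followed by an `if !ok` that returns an error. The same line survives as context in the second patch's hunk of handle, so the fix applies there too. handle's body starts and ends outside the hunk.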
@@ -187,8 +187,17 @@ func (h *tcpHandler) Proxy(gconn *netstack.GTCPConn, src, target netip.AddrPort)
 	}
 
 	if isAnyBasePid(pids) { // see udp.go:Connect
-		if h.dnsOverride(gconn, target, uid) {
+		if target.IsValid() && h.resolver.IsDnsAddr(target) {
 			// SocketSummary not sent; x.DNSSummary supercedes it
+			if _, err := gconn.Establish(); err != nil {
+				clos(gconn)
+				h.queueSummary(smm.done(err))
+				return deny // == !open
+			}
+			// conn closed by the resolver
+			core.Gx(h.proto+".dns", func() {
+				h.resolver.Serve(h.proto, gconn, uid)
+			})
 			return allow
 		} // else not a dns request
 	} // if ipn.Exit then let it connect as-is (aka exit)
@@ -263,7 +272,8 @@ func (h *tcpHandler) handle(px ipn.Proxy, src net.Conn, boundSrc, target netip.A
 	}
 
 	gconn := src.(*netstack.GTCPConn)
-	if open, err := gconn.Establish(); !open {
+	if _, err := gconn.Establish(); err != nil {
+		clos(pc)
 		return err
 	}
 
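Review bot: The `// == !open` comment on `return deny` in the DNS branch is stale now that Establish's first result is discarded with `_` and the branch keys on `err != nil`; suggest `return deny // Establish failed`. If Establish can report open == false with a nil error, this path now hands an unestablished conn to h.resolver.Serve, unlike the `!open` check the first patch removed — confirm against Establish's contract, or keep both conditions: `if open, err := gconn.Establish(); !open || err != nil {`. The removed block also logged the connect failure with cid/src/target/uid via log.E; nothing on this path logs it now, so the failure is only visible through the queued summary. Proxy's body starts and ends outside the hunk.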
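Review bot: On Establish failure the handle hunk closes `pc` (declared outside the hunk, presumably the dialed proxy-side conn) and returns err, but `src`/gconn itself is not closed here, whereas the matching failure path in Proxy's DNS branch calls `clos(gconn)`; unless handle's caller closes src on a non-nil error, the netstack endpoint is left open after the handshake fails. If the caller does not, add `clos(gconn)` beside `clos(pc)`. handle's body starts and ends outside the hunk.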