net/netns: set the bypass socket mark on linux.

This allows tailscaled's own traffic to bypass Tailscale-managed routes,
so that things like tailscale-provided default routes don't break
tailscaled itself.

Progress on #144.

Signed-off-by: David Anderson <danderson@tailscale.com>

net/netcheck/netcheck_test.go

@@ -16,11 +16,16 @@ import (
 	"time"
 
 	"tailscale.com/net/interfaces"
+	"tailscale.com/net/netns"
 	"tailscale.com/net/stun"
 	"tailscale.com/net/stun/stuntest"
 	"tailscale.com/tailcfg"
 )
 
+func init() {
+	netns.TestOnlySkipPrivilegedOps()
+}
+
 func TestHairpinSTUN(t *testing.T) {
 	tx := stun.NewTxID()
 	c := &Client{