netcheck,portmapper,magicsock: ignore some UDP write errors on Linux

Treat UDP send EPERM errors as a lost UDP packet, not something super
fatal. That's just the Linux firewall preventing it from going out.

And add a leaf package net/neterror for that (and future) policy that
all three packages can share, with tests.

Updates #3619

Change-Id: Ibdb838c43ee9efe70f4f25f7fc7fdf4607ba9c1d
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

net/netcheck/netcheck.go

@@ -27,6 +27,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/net/neterror"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/portmapper"
 	"tailscale.com/net/stun"
@@ -1234,7 +1235,7 @@ func (rs *reportState) runProbe(ctx context.Context, dm *tailcfg.DERPMap, probe
 	case probeIPv4:
 		metricSTUNSend4.Add(1)
 		n, err := rs.pc4.WriteTo(req, addr)
-		if n == len(req) && err == nil {
+		if n == len(req) && err == nil || neterror.TreatAsLostUDP(err) {
 			rs.mu.Lock()
 			rs.report.IPv4CanSend = true
 			rs.mu.Unlock()
@@ -1242,7 +1243,7 @@ func (rs *reportState) runProbe(ctx context.Context, dm *tailcfg.DERPMap, probe
 	case probeIPv6:
 		metricSTUNSend6.Add(1)
 		n, err := rs.pc6.WriteTo(req, addr)
-		if n == len(req) && err == nil {
+		if n == len(req) && err == nil || neterror.TreatAsLostUDP(err) {
 			rs.mu.Lock()
 			rs.report.IPv6CanSend = true
 			rs.mu.Unlock()