From 2024219bd10adbb5c0d29f900ed0961ace8cc15c Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Sat, 1 Nov 2025 14:29:50 +0100
Subject: [PATCH] types: Distinguish subnet and exit node access
When we fixed the issue of node visibility of nodes that only had access to eachother because of a subnet route, we gave all nodes access to all exit routes by accident. This commit splits exit nodes and subnet routes in the access. If a matcher indicates that the node should have access to any part of the subnet routes, we do not remove it from the node list. If a matcher destination is equal to the internet, and the target node is an exit node, we also do not remove the access.
Fixes #2784
Fixes #2788
Signed-off-by: Kristoffer Dalby
---
 hscontrol/types/node.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/hscontrol/types/node.go b/hscontrol/types/node.go
index 50b9b049..c6429669 100644
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@@ -319,9 +319,16 @@ func (node *Node) CanAccess(matchers []matcher.Match, node2 *Node) bool {
 return true
 }
 
+ // Check if the node has access to routes that might be part of a
+ // smaller subnet that is served from node2 as a subnet router.
 if matcher.DestsOverlapsPrefixes(node2.SubnetRoutes()...) {
 return true
 }
+
+ // If the dst is "the internet" and node2 is an exit node, allow access.
+ if matcher.DestsIsTheInternet() && node2.IsExitNode() {
+ return true
+ }
 }
 
 return false
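Review bot: The added `DestsIsTheInternet() && IsExitNode()` branch only widens access; nothing in this hunk narrows the existing `matcher.DestsOverlapsPrefixes(node2.SubnetRoutes()...)` check. The over-grant described in the commit message is therefore closed only if `SubnetRoutes()` never returns the exit routes (`0.0.0.0/0`, `::/0`), which is not visible in this patch. I would state that dependency in the new comment above the overlap check, e.g. `// SubnetRoutes() must exclude exit routes; exit-node access is decided by the IsExitNode check below.` Because this is an authorization decision and the patch touches one file with no test, a regression test would pin the fix for #2784 and #2788: it should assert that `CanAccess` returns false for an exit node when no matcher has an internet destination. `CanAccess` starts before the hunk and its closing brace lies outside it.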