policy: fix autogroup:self propagation and optimize cache invalidation (#2807)

2025-11-09 05:34:51 -05:00 · 2025-10-23 17:57:41 +02:00
parent 66826232ff
commit 2bf1200483
32 changed files with 3318 additions and 1770 deletions
--- a/hscontrol/policy/policy.go
+++ b/hscontrol/policy/policy.go
@@ -10,7 +10,6 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/samber/lo"
 	"tailscale.com/net/tsaddr"
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/views"
 )

@@ -79,66 +78,6 @@ func BuildPeerMap(
 	return ret
 }

-// ReduceFilterRules takes a node and a set of rules and removes all rules and destinations
-// that are not relevant to that particular node.
-func ReduceFilterRules(node types.NodeView, rules []tailcfg.FilterRule) []tailcfg.FilterRule {
-	ret := []tailcfg.FilterRule{}
-
-	for _, rule := range rules {
-		// record if the rule is actually relevant for the given node.
-		var dests []tailcfg.NetPortRange
-	DEST_LOOP:
-		for _, dest := range rule.DstPorts {
-			expanded, err := util.ParseIPSet(dest.IP, nil)
-			// Fail closed, if we can't parse it, then we should not allow
-			// access.
-			if err != nil {
-				continue DEST_LOOP
-			}
-
-			if node.InIPSet(expanded) {
-				dests = append(dests, dest)
-				continue DEST_LOOP
-			}
-
-			// If the node exposes routes, ensure they are note removed
-			// when the filters are reduced.
-			if node.Hostinfo().Valid() {
-				routableIPs := node.Hostinfo().RoutableIPs()
-				if routableIPs.Len() > 0 {
-					for _, routableIP := range routableIPs.All() {
-						if expanded.OverlapsPrefix(routableIP) {
-							dests = append(dests, dest)
-							continue DEST_LOOP
-						}
-					}
-				}
-			}
-
-			// Also check approved subnet routes - nodes should have access
-			// to subnets they're approved to route traffic for.
-			subnetRoutes := node.SubnetRoutes()
-
-			for _, subnetRoute := range subnetRoutes {
-				if expanded.OverlapsPrefix(subnetRoute) {
-					dests = append(dests, dest)
-					continue DEST_LOOP
-				}
-			}
-		}
-
-		if len(dests) > 0 {
-			ret = append(ret, tailcfg.FilterRule{
-				SrcIPs:   rule.SrcIPs,
-				DstPorts: dests,
-				IPProto:  rule.IPProto,
-			})
-		}
-	}
-
-	return ret
-}
-
 // ApproveRoutesWithPolicy checks if the node can approve the announced routes
 // and returns the new list of approved routes.
 // The approved routes will include: