diff --git a/hscontrol/policy/matcher/matcher.go b/hscontrol/policy/matcher/matcher.go
index aac5a5f3..afc3cf68 100644
--- a/hscontrol/policy/matcher/matcher.go
+++ b/hscontrol/policy/matcher/matcher.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/juanfont/headscale/hscontrol/util"
 	"go4.org/netipx"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 )
 
@@ -91,3 +92,12 @@ func (m *Match) SrcsOverlapsPrefixes(prefixes ...netip.Prefix) bool {
 func (m *Match) DestsOverlapsPrefixes(prefixes ...netip.Prefix) bool {
 	return slices.ContainsFunc(prefixes, m.dests.OverlapsPrefix)
 }
+
+// DestsIsTheInternet reports if the destination is equal to "the internet"
+// which is a IPSet that represents "autogroup:internet" and is special
+// cased for exit nodes.
+func (m Match) DestsIsTheInternet() bool {
+	return m.dests.Equal(util.TheInternet()) ||
+		m.dests.ContainsPrefix(tsaddr.AllIPv4()) ||
+		m.dests.ContainsPrefix(tsaddr.AllIPv6())
+}