From d9c3eaf8c8208a408be67695f48798b195b2109a Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby <kristoffer@tailscale.com>
Date: Sat, 1 Nov 2025 14:27:59 +0100
Subject: [PATCH] matcher: Add func for comparing Dests and TheInternet

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---
 hscontrol/policy/matcher/matcher.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hscontrol/policy/matcher/matcher.go b/hscontrol/policy/matcher/matcher.go
index aac5a5f3..afc3cf68 100644
--- a/hscontrol/policy/matcher/matcher.go
+++ b/hscontrol/policy/matcher/matcher.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/juanfont/headscale/hscontrol/util"
 	"go4.org/netipx"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 )
 
@@ -91,3 +92,12 @@ func (m *Match) SrcsOverlapsPrefixes(prefixes ...netip.Prefix) bool {
 func (m *Match) DestsOverlapsPrefixes(prefixes ...netip.Prefix) bool {
 	return slices.ContainsFunc(prefixes, m.dests.OverlapsPrefix)
 }
+
+// DestsIsTheInternet reports if the destination is equal to "the internet"
+// which is a IPSet that represents "autogroup:internet" and is special
+// cased for exit nodes.
+func (m Match) DestsIsTheInternet() bool {
+	return m.dests.Equal(util.TheInternet()) ||
+		m.dests.ContainsPrefix(tsaddr.AllIPv4()) ||
+		m.dests.ContainsPrefix(tsaddr.AllIPv6())
+}