policy/v2: keep partial IPSet on SSH destination resolution errors

In compileSSHPolicy, when resolving other (non-autogroup:self) destinations, the code discards the entire result on error via `continue`. If a destination alias (e.g., a tag owned by a group with a non-existent user) returns a partial IPSet alongside an error, valid IPs are lost. Both ACL compilation paths (compileFilterRules and compileACLWithAutogroupSelf) already handle this correctly by logging the error and using the IPSet if non-nil. Remove the `continue` so the SSH path is consistent with the ACL paths. Fixes #2990
2026-02-07 20:04:00 +01:00 · 2026-02-02 14:32:52 +00:00 · 2026-02-02 14:32:52 +00:00 · 362696a5ef
commit 362696a5ef
parent 1f32c8bf61
1 changed files with 0 additions and 1 deletions
--- a/hscontrol/policy/v2/filter.go
+++ b/hscontrol/policy/v2/filter.go
@ -409,7 +409,6 @@ func (pol *Policy) compileSSHPolicy(
 				ips, err := dst.Resolve(pol, users, nodes)
 				if err != nil {
 					log.Trace().Caller().Err(err).Msgf("resolving destination ips")
-					continue
 				}
 				if ips != nil {
 					dest.AddSet(ips)