From 4ba516cfa1e4a451ee9c382c1711b3208b6fbfac Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Mon, 19 May 2025 16:24:19 +0200
Subject: [PATCH] policy: remove v1 prefix workaround
Signed-off-by: Kristoffer Dalby
---
 hscontrol/policy/policy_test.go | 12 ------------
 hscontrol/policy/v2/types.go | 19 -------------------
 2 files changed, 31 deletions(-)
diff --git a/hscontrol/policy/policy_test.go b/hscontrol/policy/policy_test.go
index e3eda7a1..83d69eb8 100644
--- a/hscontrol/policy/policy_test.go
+++ b/hscontrol/policy/policy_test.go
@@ -490,18 +490,6 @@ func TestReduceFilterRules(t *testing.T) {
 {IP: "16.0.0.0/4", Ports: tailcfg.PortRangeAny},
 {IP: "32.0.0.0/3", Ports: tailcfg.PortRangeAny},
 {IP: "64.0.0.0/2", Ports: tailcfg.PortRangeAny},
- // This should not be included I believe, seems like
- // this is a bug in the v1 code.
- // For example:
- // If a src or dst includes "64.0.0.0/2:*", it will include 100.64/16 range, which
- // means that it will need to fetch the IPv6 addrs of the node to include the full range.
- // Clearly, if a user sets the dst to be "64.0.0.0/2:*", it is likely more of a exit node
- // and this would be strange behaviour.
- // TODO(kradalby): Remove before launch.
- {IP: "fd7a:115c:a1e0::1/128", Ports: tailcfg.PortRangeAny},
- {IP: "fd7a:115c:a1e0::2/128", Ports: tailcfg.PortRangeAny},
- {IP: "fd7a:115c:a1e0::100/128", Ports: tailcfg.PortRangeAny},
- // End
 {IP: "128.0.0.0/3", Ports: tailcfg.PortRangeAny},
 {IP: "160.0.0.0/5", Ports: tailcfg.PortRangeAny},
 {IP: "168.0.0.0/6", Ports: tailcfg.PortRangeAny},
diff --git a/hscontrol/policy/v2/types.go b/hscontrol/policy/v2/types.go
index 90f73261..c1323be9 100644
--- a/hscontrol/policy/v2/types.go
+++ b/hscontrol/policy/v2/types.go
@@ -441,25 +441,6 @@ func (p Prefix) Resolve(_ *Policy, _ types.Users, nodes types.Nodes) (*netipx.IP // the node to the IPSet. // appendIfNodeHasIP(nodes, &ips, pref) - // TODO(kradalby): I am a bit unsure what is the correct way to do this, - // should a host with a non single IP be able to resolve the full host (inc all IPs). - // Currently this is done because the old implementation did this, we might want to - // drop it before releasing. - // For example: - // If a src or dst includes "64.0.0.0/2:*", it will include 100.64/16 range, which - // means that it will need to fetch the IPv6 addrs of the node to include the full range. - // Clearly, if a user sets the dst to be "64.0.0.0/2:*", it is likely more of a exit node - // and this would be strange behaviour. - ipsTemp, err := ips.IPSet() - if err != nil { - errs = append(errs, err) - } - for _, node := range nodes { - if node.InIPSet(ipsTemp) { - node.AppendToIPSet(&ips) - } - } - return buildIPSetMultiErr(&ips, errs) }