From 91868056f938eb0ef8d65887ba15df501b806309 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Fri, 14 Feb 2025 16:51:26 +0100 Subject: [PATCH] remove policy handling for old capver Signed-off-by: Kristoffer Dalby --- hscontrol/mapper/mapper.go | 26 ++++++-------------------- 1 file changed, 6 insertions(+), 20 deletions(-) diff --git a/hscontrol/mapper/mapper.go b/hscontrol/mapper/mapper.go index 6821d5b6..1a37fb30 100644 --- a/hscontrol/mapper/mapper.go +++ b/hscontrol/mapper/mapper.go @@ -541,26 +541,12 @@ func appendPeerChanges( resp.UserProfiles = profiles resp.SSHPolicy = sshPolicy - // 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates) - if capVer >= 81 { - // Currently, we do not send incremental package filters, however using the - // new PacketFilters field and "base" allows us to send a full update when we - // have to send an empty list, avoiding the hack in the else block. - resp.PacketFilters = map[string][]tailcfg.FilterRule{ - "base": policy.ReduceFilterRules(node, filter), - } - } else { - // This is a hack to avoid sending an empty list of packet filters. - // Since tailcfg.PacketFilter has omitempty, any empty PacketFilter will - // be omitted, causing the client to consider it unchanged, keeping the - // previous packet filter. Worst case, this can cause a node that previously - // has access to a node to _not_ loose access if an empty (allow none) is sent. - reduced := policy.ReduceFilterRules(node, filter) - if len(reduced) > 0 { - resp.PacketFilter = reduced - } else { - resp.PacketFilter = filter - } + // CapVer 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates) + // Currently, we do not send incremental package filters, however using the + // new PacketFilters field and "base" allows us to send a full update when we + // have to send an empty list, avoiding the hack in the else block. + resp.PacketFilters = map[string][]tailcfg.FilterRule{ + "base": policy.ReduceFilterRules(node, filter), } return nil