policy: add all node ips if prefix/host is ts ip

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-09-25 17:51:11 +02:00 · 2025-05-20 11:09:36 +02:00 · 2025-05-20 11:09:36 +02:00 · 99d1fc7f2c
commit 99d1fc7f2c
parent 4ba516cfa1
1 changed files with 16 additions and 2 deletions
--- a/hscontrol/policy/v2/types.go
+++ b/hscontrol/policy/v2/types.go
@ -363,7 +363,7 @@ func (h Host) Resolve(p *Policy, _ types.Users, nodes types.Nodes) (*netipx.IPSe

 	// If the IP is a single host, look for a node to ensure we add all the IPs of
 	// the node to the IPSet.
-	// appendIfNodeHasIP(nodes, &ips, pref)
+	appendIfNodeHasIP(nodes, &ips, netip.Prefix(pref))

 	// TODO(kradalby): I am a bit unsure what is the correct way to do this,
 	// should a host with a non single IP be able to resolve the full host (inc all IPs).
@ -439,11 +439,25 @@ func (p Prefix) Resolve(_ *Policy, _ types.Users, nodes types.Nodes) (*netipx.IP
 	ips.AddPrefix(netip.Prefix(p))
 	// If the IP is a single host, look for a node to ensure we add all the IPs of
 	// the node to the IPSet.
-	// appendIfNodeHasIP(nodes, &ips, pref)
+	appendIfNodeHasIP(nodes, &ips, netip.Prefix(p))

 	return buildIPSetMultiErr(&ips, errs)
 }

+// appendIfNodeHasIP appends the IPs of the nodes to the IPSet if the node has the
+// IP address in the prefix.
+func appendIfNodeHasIP(nodes types.Nodes, ips *netipx.IPSetBuilder, pref netip.Prefix) {
+	if !pref.IsSingleIP() && !tsaddr.IsTailscaleIP(pref.Addr()) {
+		return
+	}
+
+	for _, node := range nodes {
+		if node.HasIP(pref.Addr()) {
+			node.AppendToIPSet(ips)
+		}
+	}
+}
+
 // AutoGroup is a special string which is always prefixed with `autogroup:`
 type AutoGroup string