From 99d1fc7f2ce111c0c65cdc9db46e9e0d39c7901a Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Tue, 20 May 2025 11:09:36 +0200
Subject: [PATCH] policy: add all node ips if prefix/host is ts ip

Signed-off-by: Kristoffer Dalby
---
 hscontrol/policy/v2/types.go | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/hscontrol/policy/v2/types.go b/hscontrol/policy/v2/types.go
index c1323be9..941a645b 100644
--- a/hscontrol/policy/v2/types.go
+++ b/hscontrol/policy/v2/types.go
@@ -363,7 +363,7 @@ func (h Host) Resolve(p *Policy, _ types.Users, nodes types.Nodes) (*netipx.IPSe
 
 	// If the IP is a single host, look for a node to ensure we add all the IPs of
 	// the node to the IPSet.
-	// appendIfNodeHasIP(nodes, &ips, pref)
+	appendIfNodeHasIP(nodes, &ips, netip.Prefix(pref))
 
 	// TODO(kradalby): I am a bit unsure what is the correct way to do this,
 	// should a host with a non single IP be able to resolve the full host (inc all IPs).
@@ -439,11 +439,25 @@ func (p Prefix) Resolve(_ *Policy, _ types.Users, nodes types.Nodes) (*netipx.IP
 	ips.AddPrefix(netip.Prefix(p))
 	// If the IP is a single host, look for a node to ensure we add all the IPs of
 	// the node to the IPSet.
-	// appendIfNodeHasIP(nodes, &ips, pref)
+	appendIfNodeHasIP(nodes, &ips, netip.Prefix(p))
 
 	return buildIPSetMultiErr(&ips, errs)
 }
 
+// appendIfNodeHasIP appends the IPs of the nodes to the IPSet if the node has the
+// IP address in the prefix.
+func appendIfNodeHasIP(nodes types.Nodes, ips *netipx.IPSetBuilder, pref netip.Prefix) {
+	if !pref.IsSingleIP() && !tsaddr.IsTailscaleIP(pref.Addr()) {
+		return
+	}
+
+	for _, node := range nodes {
+		if node.HasIP(pref.Addr()) {
+			node.AppendToIPSet(ips)
+		}
+	}
+}
+
 // AutoGroup is a special string which is always prefixed with `autogroup:`
 type AutoGroup string
 
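Review bot: The guard in the new appendIfNodeHasIP lets a multi-host prefix through when its base address is a Tailscale IP, but the loop then only tests `node.HasIP(pref.Addr())`, so for such a prefix only a node that owns exactly the network address is expanded and the doc comment's "has the IP address in the prefix" does not describe what the code does. Either the second clause of the guard is redundant and the function should read `if !pref.IsSingleIP() { return }`, or the loop is meant to test containment, which would widen what an ACL rule on that prefix grants (every node inside it would contribute all of its addresses) and deserves an explicit decision and a test; the diffstat shows no test change for either reading. Until that is settled, the comment should match the behaviour, e.g. `// appendIfNodeHasIP adds every IP of any node whose address equals pref.Addr() to ips; it does nothing unless pref is a single IP or a Tailscale address.` The same helper is wired in by the first hunk in Host.Resolve, whose body starts and ends outside the hunk, and the TODO there about non-single-IP hosts still stands.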