diff --git a/hscontrol/debug.go b/hscontrol/debug.go
index 2b245b58..ef28a955 100644
--- a/hscontrol/debug.go
+++ b/hscontrol/debug.go
@@ -40,7 +40,7 @@ func (h *Headscale) debugHTTPServer() *http.Server {
 w.Write(pol)
 }))
 debug.Handle("filter", "Current filter", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- filter := h.polMan.Filter()
+ filter, _ := h.polMan.Filter()
 filterJSON, err := json.MarshalIndent(filter, "", " ")
 if err != nil {
diff --git a/hscontrol/mapper/mapper.go b/hscontrol/mapper/mapper.go
index 4da94c31..8401d5d4 100644
--- a/hscontrol/mapper/mapper.go
+++ b/hscontrol/mapper/mapper.go
@@ -519,7 +519,7 @@ func appendPeerChanges(
 changed types.Nodes,
 cfg *types.Config,
 ) error {
- filter := polMan.Filter()
+ filter, matchers := polMan.Filter()
 sshPolicy, err := polMan.SSHPolicy(node)
 if err != nil {
@@ -529,7 +529,6 @@ func appendPeerChanges(
 // If there are filter rules present, see if there are any nodes that cannot
 // access each-other at all and remove them from the peers.
 if len(filter) > 0 {
- matchers := polMan.Matchers()
 changed = policy.FilterNodesByACL(node, changed, matchers)
 }
diff --git a/hscontrol/policy/pm.go b/hscontrol/policy/pm.go
index 5df7da76..d19aae52 100644
--- a/hscontrol/policy/pm.go
+++ b/hscontrol/policy/pm.go
@@ -16,9 +16,8 @@ var (
 )
 type PolicyManager interface {
- Filter() []tailcfg.FilterRule
- // Matchers returns the matchers for the current filter rules.
- Matchers() []matcher.Match
+ // Filter returns the current filter rules for the entire tailnet and the associated matchers.
+ Filter() ([]tailcfg.FilterRule, []matcher.Match)
 SSHPolicy(*types.Node) (*tailcfg.SSHPolicy, error)
 SetPolicy([]byte) (bool, error)
 SetUsers(users []types.User) (bool, error)
diff --git a/hscontrol/policy/policy_test.go b/hscontrol/policy/policy_test.go
index 597172fb..cebda65f 100644
--- a/hscontrol/policy/policy_test.go
+++ b/hscontrol/policy/policy_test.go
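Review bot: In appendPeerChanges the ACL reduction is still gated on `if len(filter) > 0` (context line in the following hunk), so an empty rule set skips `policy.FilterNodesByACL` and every node in `changed` stays in the peer list. That is the expected outcome when no policy is loaded, but if a loaded policy can also compile to zero rules this branch fails open; whether that can happen depends on code outside this diff. A comment above the guard should state which case is intended, for example `// Empty filter means no policy is loaded, so peers are left unfiltered; TODO confirm a policy that grants nothing never yields an empty filter.` The function body starts and ends outside both hunks.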
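Review bot: The new doc comment on `Filter()` in the PolicyManager interface does not state the contract that justifies merging the two methods: both values come from one locked read, and callers must treat them as read-only. The v1 and v2 implementations in this commit return `pm.filter` (and, in v2, `pm.matchers`) directly, so the slices stay shared with the manager after the mutex is released; whether a later policy update replaces them or mutates them in place is not visible here. I would extend the comment with `// Both values are read under a single lock and describe the same policy state. Callers must not modify the returned slices.`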
@@ -770,7 +770,7 @@ func TestReduceFilterRules(t *testing.T) {
 var err error
 pm, err = pmf(users, append(tt.peers, tt.node))
 require.NoError(t, err)
- got := pm.Filter()
+ got, _ := pm.Filter()
 got = ReduceFilterRules(tt.node, got)
 if diff := cmp.Diff(tt.want, got); diff != "" {
diff --git a/hscontrol/policy/v1/policy.go b/hscontrol/policy/v1/policy.go
index 43efba5d..0394a5b3 100644
--- a/hscontrol/policy/v1/policy.go
+++ b/hscontrol/policy/v1/policy.go
@@ -87,15 +87,10 @@ func (pm *PolicyManager) updateLocked() (bool, error) {
 return true, nil
 }
-func (pm *PolicyManager) Filter() []tailcfg.FilterRule {
+func (pm *PolicyManager) Filter() ([]tailcfg.FilterRule, []matcher.Match) {
 pm.mu.Lock()
 defer pm.mu.Unlock()
- return pm.filter
-}
-
-func (pm *PolicyManager) Matchers() []matcher.Match {
- filter := pm.Filter()
- return matcher.MatchesFromFilterRules(filter)
+ return pm.filter, matcher.MatchesFromFilterRules(pm.filter)
 }
 func (pm *PolicyManager) SSHPolicy(node *types.Node) (*tailcfg.SSHPolicy, error) {
diff --git a/hscontrol/policy/v1/policy_test.go b/hscontrol/policy/v1/policy_test.go
index e250db2a..f1d899ba 100644
--- a/hscontrol/policy/v1/policy_test.go
+++ b/hscontrol/policy/v1/policy_test.go
@@ -150,7 +150,8 @@ func TestPolicySetChange(t *testing.T) {
 assert.Equal(t, tt.wantNodesChange, change)
 }
- if diff := cmp.Diff(tt.wantFilter, pm.Filter()); diff != "" {
+ filter, _ := pm.Filter()
+ if diff := cmp.Diff(tt.wantFilter, filter); diff != "" {
 t.Errorf("TestPolicySetChange() unexpected result (-want +got):\n%s", diff)
 }
 })
diff --git a/hscontrol/policy/v2/policy.go b/hscontrol/policy/v2/policy.go
index 8fbedd06..7712fe5f 100644
--- a/hscontrol/policy/v2/policy.go
+++ b/hscontrol/policy/v2/policy.go
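Review bot: The v1 `Filter()` now runs `matcher.MatchesFromFilterRules(pm.filter)` on every call while `pm.mu` is held, including for callers that discard the second value (`filter, _ :=` in the debug handler and in the tests). Before this change the conversion ran in `Matchers()` after `Filter()` had already released the lock, so the time the policy mutex is held per call grows with the size of the rule set. The v2 manager returns a stored `pm.matchers` instead; I would do the same here by computing the matchers once where `pm.filter` is assigned (presumably `updateLocked`, whose body is outside this hunk) and ending with `return pm.filter, pm.matchers`.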
@@ -147,17 +147,11 @@ func (pm *PolicyManager) SetPolicy(polB []byte) (bool, error) {
 return pm.updateLocked()
 }
-// Filter returns the current filter rules for the entire tailnet.
-func (pm *PolicyManager) Filter() []tailcfg.FilterRule {
+// Filter returns the current filter rules for the entire tailnet and the associated matchers.
+func (pm *PolicyManager) Filter() ([]tailcfg.FilterRule, []matcher.Match) {
 pm.mu.Lock()
 defer pm.mu.Unlock()
- return pm.filter
-}
-
-func (pm *PolicyManager) Matchers() []matcher.Match {
- pm.mu.Lock()
- defer pm.mu.Unlock()
- return pm.matchers
+ return pm.filter, pm.matchers
 }
 // SetUsers updates the users in the policy manager and updates the filter rules.
diff --git a/hscontrol/policy/v2/policy_test.go b/hscontrol/policy/v2/policy_test.go
index ee26c596..2bc26760 100644
--- a/hscontrol/policy/v2/policy_test.go
+++ b/hscontrol/policy/v2/policy_test.go
@@ -47,7 +47,7 @@ func TestPolicyManager(t *testing.T) {
 pm, err := NewPolicyManager([]byte(tt.pol), users, tt.nodes)
 require.NoError(t, err)
- filter := pm.Filter()
+ filter, _ := pm.Filter()
 if diff := cmp.Diff(filter, tt.wantFilter); diff != "" {
 t.Errorf("Filter() mismatch (-want +got):\n%s", diff)
 }
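Review bot: `TestPolicyManager` discards the second return value (`filter, _ := pm.Filter()`), so nothing checks that the matchers returned by the v2 manager correspond to the returned filter. In v2 `pm.matchers` is a separately stored field, and `appendPeerChanges` decides peer visibility from the matchers, so a stale value would go unnoticed by this test. I would keep both values (`filter, matchers := pm.Filter()`) and compare `matchers` with a fresh `matcher.MatchesFromFilterRules(filter)`, at least by length via `require.Len`, or with `cmp.Diff` if `matcher.Match` can be compared in tests. The test function continues outside the hunk.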