policy: reduce routes sent to peers based on packetfilter (#2561)

* notifier: use convenience funcs

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* policy: reduce routes based on policy

Fixes #2365

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* hsic: more helper methods

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* policy: more test cases

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* integration: add route with filter acl integration test

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* integration: correct route reduce test, now failing

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* mapper: compare peer routes against node

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* hs: more output to debug strings

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* types/node: slice.ContainsFunc

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* policy: more reduce route test

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* changelog: add entry for route filter

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

---------

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Kristoffer Dalby 2025-05-04 22:52:47 +03:00 committed by GitHub
parent b9868f6516
commit 45e38cb080
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 903 additions and 47 deletions


@ -5,7 +5,6 @@ import (
"time"
"github.com/juanfont/headscale/hscontrol/policy"
"github.com/juanfont/headscale/hscontrol/routes"
"github.com/juanfont/headscale/hscontrol/types"
"github.com/samber/lo"
"tailscale.com/net/tsaddr"
@ -16,7 +15,7 @@ func tailNodes(
nodes types.Nodes,
capVer tailcfg.CapabilityVersion,
polMan policy.PolicyManager,
primary *routes.PrimaryRoutes,
primaryRouteFunc routeFilterFunc,
cfg *types.Config,
) ([]*tailcfg.Node, error) {
tNodes := make([]*tailcfg.Node, len(nodes))
@ -26,7 +25,7 @@ func tailNodes(
node,
capVer,
polMan,
primary,
primaryRouteFunc,
cfg,
)
if err != nil {
@ -44,7 +43,7 @@ func tailNode(
node *types.Node,
capVer tailcfg.CapabilityVersion,
polMan policy.PolicyManager,
primary *routes.PrimaryRoutes,
primaryRouteFunc routeFilterFunc,
cfg *types.Config,
) (*tailcfg.Node, error) {
addrs := node.Prefixes()
@ -81,7 +80,8 @@ func tailNode(
}
tags = lo.Uniq(append(tags, node.ForcedTags...))
allowed := append(node.Prefixes(), primary.PrimaryRoutes(node.ID)...)
routes := primaryRouteFunc(node.ID)
allowed := append(node.Prefixes(), routes...)
allowed = append(allowed, node.ExitRoutes()...)
tsaddr.SortPrefixes(allowed)
@ -99,7 +99,7 @@ func tailNode(
Machine: node.MachineKey,
DiscoKey: node.DiscoKey,
Addresses: addrs,
PrimaryRoutes: primary.PrimaryRoutes(node.ID),
PrimaryRoutes: routes,
AllowedIPs: allowed,
Endpoints: node.Endpoints,
HomeDERP: derp,
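Review bot: The new local `routes := primaryRouteFunc(node.ID)` in tailNode carries the same name as the `hscontrol/routes` package that the first hunk drops from the imports, so anyone re-adding that import later gets a silent shadow inside this function; `primaryRoutes := primaryRouteFunc(node.ID)` avoids the collision and also says what the slice holds. The value is then placed unchanged into `PrimaryRoutes` and copied into `allowed`, so the sort on `allowed` does not touch it, which is fine, but there is no guard against a nil `routeFilterFunc` and a nil func here panics while mapping every peer; either document the non-nil precondition on the parameter, e.g. `// primaryRouteFunc must be non-nil; it returns the routes this node may advertise to the peer being mapped`, or fall back to an empty slice when it is nil. The tailNode body starts before this hunk and its signature change is in the hunk at `@ -44,7 +43,7 @@`.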