Make matchers part of the Policy interface (#2514)

* Make matchers part of the Policy interface * Prevent race condition between rules and matchers * Test also matchers in tests for Policy.Filter * Compute `filterChanged` in v2 policy correctly * Fix nil vs. empty list issue in v2 policy test * policy/v2: always clear ssh map Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> Co-authored-by: Aras Ergus <aras.ergus@tngtech.com> Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-01 07:06:30 +02:00 · 2025-05-01 07:06:30 +02:00 · 4651d06fa8
commit 4651d06fa8
parent eb1ecefd9e
12 changed files with 89 additions and 43 deletions
--- a/hscontrol/mapper/mapper.go
+++ b/hscontrol/mapper/mapper.go
@ -536,7 +536,7 @@ func appendPeerChanges(
 	changed types.Nodes,
 	cfg *types.Config,
 ) error {
-	filter := polMan.Filter()
+	filter, matchers := polMan.Filter()

 	sshPolicy, err := polMan.SSHPolicy(node)
 	if err != nil {
@ -546,7 +546,7 @@ func appendPeerChanges(
 	// If there are filter rules present, see if there are any nodes that cannot
 	// access each-other at all and remove them from the peers.
 	if len(filter) > 0 {
-		changed = policy.FilterNodesByACL(node, changed, filter)
+		changed = policy.FilterNodesByACL(node, changed, matchers)
 	}

 	profiles := generateUserProfiles(node, changed)