reduce filter rules at the end, so we filter nodes correctly

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

hscontrol/mapper/mapper.go

@@ -160,7 +160,7 @@ func fullMapResponse(
 		CollectServices: "false",
 
 		// TODO: Only send if updated
-		PacketFilter: rules,
+		PacketFilter: policy.ReduceFilterRules(machine, rules),
 
 		UserProfiles: profiles,
 

hscontrol/mapper/mapper_test.go

@@ -433,7 +433,6 @@ func Test_fullMapResponse(t *testing.T) {
 						SrcIPs: []string{"100.64.0.2/32"},
 						DstPorts: []tailcfg.NetPortRange{
 							{IP: "100.64.0.1/32", Ports: tailcfg.PortRangeAny},
-							{IP: "100.64.0.2/32", Ports: tailcfg.PortRangeAny},
 						},
 					},
 				},