From 0b5c29e8757062209a29d76d4531012c1af4f607 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Mon, 10 Mar 2025 19:19:25 +0100
Subject: [PATCH] remove policy handling for old capver (#2429)

* remove policy handling for old capver

Signed-off-by: Kristoffer Dalby

* update tests

Signed-off-by: Kristoffer Dalby

---------

Signed-off-by: Kristoffer Dalby
---
 hscontrol/mapper/mapper.go      | 26 ++++++--------------------
 hscontrol/mapper/mapper_test.go | 20 +++++++++++---------
 2 files changed, 17 insertions(+), 29 deletions(-)

diff --git a/hscontrol/mapper/mapper.go b/hscontrol/mapper/mapper.go
index 705596cd..7a297bd3 100644
--- a/hscontrol/mapper/mapper.go
+++ b/hscontrol/mapper/mapper.go
@@ -555,26 +555,12 @@ func appendPeerChanges(
 	resp.UserProfiles = profiles
 	resp.SSHPolicy = sshPolicy
 
-	// 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
-	if capVer >= 81 {
-		// Currently, we do not send incremental package filters, however using the
-		// new PacketFilters field and "base" allows us to send a full update when we
-		// have to send an empty list, avoiding the hack in the else block.
-		resp.PacketFilters = map[string][]tailcfg.FilterRule{
-			"base": policy.ReduceFilterRules(node, filter),
-		}
-	} else {
-		// This is a hack to avoid sending an empty list of packet filters.
-		// Since tailcfg.PacketFilter has omitempty, any empty PacketFilter will
-		// be omitted, causing the client to consider it unchanged, keeping the
-		// previous packet filter. Worst case, this can cause a node that previously
-		// has access to a node to _not_ loose access if an empty (allow none) is sent.
-		reduced := policy.ReduceFilterRules(node, filter)
-		if len(reduced) > 0 {
-			resp.PacketFilter = reduced
-		} else {
-			resp.PacketFilter = filter
-		}
+	// CapVer 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
+	// Currently, we do not send incremental package filters, however using the
+	// new PacketFilters field and "base" allows us to send a full update when we
+	// have to send an empty list, avoiding the hack in the else block.
+	resp.PacketFilters = map[string][]tailcfg.FilterRule{
+		"base": policy.ReduceFilterRules(node, filter),
 	}
 
 	return nil
diff --git a/hscontrol/mapper/mapper_test.go b/hscontrol/mapper/mapper_test.go
index 6dd3387d..0fc797a7 100644
--- a/hscontrol/mapper/mapper_test.go
+++ b/hscontrol/mapper/mapper_test.go
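Review bot: The rewritten comment above the new `resp.PacketFilters` assignment still ends with "avoiding the hack in the else block", but this commit deletes that else block, so the sentence now points at nothing, and it keeps the "package filters" typo. Replace the last two comment lines with `// have to send an empty list: the legacy PacketFilter field has omitempty, so an empty` / `// (allow-none) filter would be dropped and the client would keep its previous rules.` and change "incremental package filters" to "incremental packet filters". The deleted branch was the only reader of `capVer` in this hunk; appendPeerChanges' signature is outside the hunk, so if nothing else in the function uses the parameter it is now dead and should be dropped or documented. Clients below capability version 81 no longer receive any filter from this path, so whatever enforces the minimum supported capability version upstream must reject them explicitly rather than let them silently keep a stale packet filter, which is exactly the failure mode the removed comment described.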
@@ -291,8 +291,8 @@ func Test_fullMapResponse(t *testing.T) {
 				DisplayName: "user1",
 			},
 		},
-		PacketFilter: tailcfg.FilterAllowAll,
-		ControlTime:  &time.Time{},
+		ControlTime:   &time.Time{},
+		PacketFilters: map[string][]tailcfg.FilterRule{"base": tailcfg.FilterAllowAll},
 		Debug: &tailcfg.Debug{
 			DisableLogTail: true,
 		},
@@ -326,8 +326,8 @@ func Test_fullMapResponse(t *testing.T) {
 			{ID: tailcfg.UserID(user1.ID), LoginName: "user1", DisplayName: "user1"},
 			{ID: tailcfg.UserID(user2.ID), LoginName: "user2", DisplayName: "user2"},
 		},
-		PacketFilter: tailcfg.FilterAllowAll,
-		ControlTime:  &time.Time{},
+		ControlTime:   &time.Time{},
+		PacketFilters: map[string][]tailcfg.FilterRule{"base": tailcfg.FilterAllowAll},
 		Debug: &tailcfg.Debug{
 			DisableLogTail: true,
 		},
@@ -368,11 +368,13 @@ func Test_fullMapResponse(t *testing.T) {
 		DNSConfig:       &tailcfg.DNSConfig{},
 		Domain:          "",
 		CollectServices: "false",
-		PacketFilter: []tailcfg.FilterRule{
-			{
-				SrcIPs: []string{"100.64.0.2/32"},
-				DstPorts: []tailcfg.NetPortRange{
-					{IP: "100.64.0.1/32", Ports: tailcfg.PortRangeAny},
+		PacketFilters: map[string][]tailcfg.FilterRule{
+			"base": {
+				{
+					SrcIPs: []string{"100.64.0.2/32"},
+					DstPorts: []tailcfg.NetPortRange{
+						{IP: "100.64.0.1/32", Ports: tailcfg.PortRangeAny},
+					},
 				},
 			},
 		},
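Review bot: The updated expectations in all three hunks only move the filter into `PacketFilters["base"]`; none of the visible test data covers what the mapper now does for a node below capability version 81, which used to be the other half of this logic. The table entries' builder code and the comparison are outside the hunks, so if the test compares the whole MapResponse the omitted `PacketFilter` field is already pinned to nil, but a dedicated case with a pre-81 capability version would make the intended outcome (rejection, or an empty filter) explicit rather than implied by the deleted branch. The second and third hunks mirror the first, so one added case would cover them all.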