remove policy handling for old capver (#2429)

* remove policy handling for old capver Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-03-12 16:30:53 +00:00 · 2025-03-10 19:19:25 +01:00 · 2025-03-10 19:19:25 +01:00 · 0b5c29e875
commit 0b5c29e875
parent 0a243b4162
2 changed files with 17 additions and 29 deletions
--- a/hscontrol/mapper/mapper.go
+++ b/hscontrol/mapper/mapper.go
@ -555,27 +555,13 @@ func appendPeerChanges(
 	resp.UserProfiles = profiles
 	resp.SSHPolicy = sshPolicy
-	// 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
+	// CapVer 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
 	if capVer >= 81 {
 	// Currently, we do not send incremental package filters, however using the
 	// new PacketFilters field and "base" allows us to send a full update when we
 	// have to send an empty list, avoiding the hack in the else block.
 	resp.PacketFilters = map[string][]tailcfg.FilterRule{
 		"base": policy.ReduceFilterRules(node, filter),
 	}
 	} else {
 		// This is a hack to avoid sending an empty list of packet filters.
 		// Since tailcfg.PacketFilter has omitempty, any empty PacketFilter will
 		// be omitted, causing the client to consider it unchanged, keeping the
 		// previous packet filter. Worst case, this can cause a node that previously
 		// has access to a node to _not_ loose access if an empty (allow none) is sent.
 		reduced := policy.ReduceFilterRules(node, filter)
 		if len(reduced) > 0 {
 			resp.PacketFilter = reduced
 		} else {
 			resp.PacketFilter = filter
 		}
 	}
 	return nil
 }
--- a/hscontrol/mapper/mapper_test.go
+++ b/hscontrol/mapper/mapper_test.go
@ -291,8 +291,8 @@ func Test_fullMapResponse(t *testing.T) {
 						DisplayName: "user1",
 					},
 				},
 				PacketFilter: tailcfg.FilterAllowAll,
 				ControlTime:   &time.Time{},
 				PacketFilters: map[string][]tailcfg.FilterRule{"base": tailcfg.FilterAllowAll},
 				Debug: &tailcfg.Debug{
 					DisableLogTail: true,
 				},
@ -326,8 +326,8 @@ func Test_fullMapResponse(t *testing.T) {
 					{ID: tailcfg.UserID(user1.ID), LoginName: "user1", DisplayName: "user1"},
 					{ID: tailcfg.UserID(user2.ID), LoginName: "user2", DisplayName: "user2"},
 				},
 				PacketFilter: tailcfg.FilterAllowAll,
 				ControlTime:   &time.Time{},
 				PacketFilters: map[string][]tailcfg.FilterRule{"base": tailcfg.FilterAllowAll},
 				Debug: &tailcfg.Debug{
 					DisableLogTail: true,
 				},
@ -368,7 +368,8 @@ func Test_fullMapResponse(t *testing.T) {
 				DNSConfig:       &tailcfg.DNSConfig{},
 				Domain:          "",
 				CollectServices: "false",
-				PacketFilter: []tailcfg.FilterRule{
+				PacketFilters: map[string][]tailcfg.FilterRule{
 					"base": {
 						{
 							SrcIPs: []string{"100.64.0.2/32"},
 							DstPorts: []tailcfg.NetPortRange{
@ -376,6 +377,7 @@ func Test_fullMapResponse(t *testing.T) {
 							},
 						},
 					},
 				},
 				SSHPolicy: &tailcfg.SSHPolicy{},
 				UserProfiles: []tailcfg.UserProfile{
 					{ID: tailcfg.UserID(user1.ID), LoginName: "user1", DisplayName: "user1"},