remove policy handling for old capver (#2429)

* remove policy handling for old capver

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* update tests

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

---------

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

hscontrol/mapper/mapper.go

@@ -555,26 +555,12 @@ func appendPeerChanges(
 	resp.UserProfiles = profiles
 	resp.SSHPolicy = sshPolicy
 
-	// 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
+	// CapVer 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
-	if capVer >= 81 {
+	// Currently, we do not send incremental package filters, however using the
-		// Currently, we do not send incremental package filters, however using the
+	// new PacketFilters field and "base" allows us to send a full update when we
-		// new PacketFilters field and "base" allows us to send a full update when we
+	// have to send an empty list, avoiding the hack in the else block.
-		// have to send an empty list, avoiding the hack in the else block.
+	resp.PacketFilters = map[string][]tailcfg.FilterRule{
-		resp.PacketFilters = map[string][]tailcfg.FilterRule{
+		"base": policy.ReduceFilterRules(node, filter),
-			"base": policy.ReduceFilterRules(node, filter),
-		}
-	} else {
-		// This is a hack to avoid sending an empty list of packet filters.
-		// Since tailcfg.PacketFilter has omitempty, any empty PacketFilter will
-		// be omitted, causing the client to consider it unchanged, keeping the
-		// previous packet filter. Worst case, this can cause a node that previously
-		// has access to a node to _not_ loose access if an empty (allow none) is sent.
-		reduced := policy.ReduceFilterRules(node, filter)
-		if len(reduced) > 0 {
-			resp.PacketFilter = reduced
-		} else {
-			resp.PacketFilter = filter
-		}
 	}
 
 	return nil

hscontrol/mapper/mapper_test.go

@@ -291,8 +291,8 @@ func Test_fullMapResponse(t *testing.T) {
 						DisplayName: "user1",
 					},
 				},
-				PacketFilter: tailcfg.FilterAllowAll,
+				ControlTime:   &time.Time{},
-				ControlTime:  &time.Time{},
+				PacketFilters: map[string][]tailcfg.FilterRule{"base": tailcfg.FilterAllowAll},
 				Debug: &tailcfg.Debug{
 					DisableLogTail: true,
 				},
@@ -326,8 +326,8 @@ func Test_fullMapResponse(t *testing.T) {
 					{ID: tailcfg.UserID(user1.ID), LoginName: "user1", DisplayName: "user1"},
 					{ID: tailcfg.UserID(user2.ID), LoginName: "user2", DisplayName: "user2"},
 				},
-				PacketFilter: tailcfg.FilterAllowAll,
+				ControlTime:   &time.Time{},
-				ControlTime:  &time.Time{},
+				PacketFilters: map[string][]tailcfg.FilterRule{"base": tailcfg.FilterAllowAll},
 				Debug: &tailcfg.Debug{
 					DisableLogTail: true,
 				},
@@ -368,11 +368,13 @@ func Test_fullMapResponse(t *testing.T) {
 				DNSConfig:       &tailcfg.DNSConfig{},
 				Domain:          "",
 				CollectServices: "false",
-				PacketFilter: []tailcfg.FilterRule{
+				PacketFilters: map[string][]tailcfg.FilterRule{
-					{
+					"base": {
-						SrcIPs: []string{"100.64.0.2/32"},
+						{
-						DstPorts: []tailcfg.NetPortRange{
+							SrcIPs: []string{"100.64.0.2/32"},
-							{IP: "100.64.0.1/32", Ports: tailcfg.PortRangeAny},
+							DstPorts: []tailcfg.NetPortRange{
+								{IP: "100.64.0.1/32", Ports: tailcfg.PortRangeAny},
+							},
 						},
 					},
 				},