Allow when user has only a subnet route (#1734)

* Add test because of issue 1604 * Add peer for routes * Revert previous change to try different way to add peer * Add traces * Remove traces * Make sure tests have IPPrefix comparator * Get allowedIps before loop * Remove comment * Add composite literals :)
2025-08-11 18:07:33 +00:00 · 2024-02-12 11:44:37 +01:00
parent 47405931c6
commit e3553aae50
2 changed files with 79 additions and 2 deletions
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@@ -208,6 +208,15 @@ func (node *Node) IsEphemeral() bool {
 }

 func (node *Node) CanAccess(filter []tailcfg.FilterRule, node2 *Node) bool {
+
+	allowedIPs := append([]netip.Addr{}, node2.IPAddresses...)
+
+	for _, route := range node2.Routes {
+		if route.Enabled {
+			allowedIPs = append(allowedIPs, netip.Prefix(route.Prefix).Addr())
+		}
+	}
+
 	for _, rule := range filter {
 		// TODO(kradalby): Cache or pregen this
 		matcher := matcher.MatchFromFilterRule(rule)
@@ -216,7 +225,7 @@ func (node *Node) CanAccess(filter []tailcfg.FilterRule, node2 *Node) bool {
 			continue
 		}

-		if matcher.DestsContainsIP([]netip.Addr(node2.IPAddresses)) {
+		if matcher.DestsContainsIP(allowedIPs) {
 			return true
 		}
 	}