From 5be738b118796753f1b48c155ef2d4740a8aa6f1 Mon Sep 17 00:00:00 2001
From: Jonathan Nobels
Date: Mon, 3 Jun 2024 10:52:00 -0400
Subject: [PATCH] ipn/ipnlocal: empty allowed exit nodes syspolicy should be treated as allow all

Updates tailscale/corp#19681

If the syspolicy returns an empty list of allowed exit nodes, this should be treated as "allow all" rather than "allow none"

Signed-off-by: Jonathan Nobels
---
 ipn/ipnlocal/local.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go
index feda6e7e1..09dab5830 100644
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -6456,7 +6456,7 @@ func suggestExitNode(report *netcheck.Report, netMap *netmap.NetworkMap, r *rand
 var allowedCandidates set.Set[string]
 if allowed, err := syspolicy.GetStringArray(syspolicy.AllowedSuggestedExitNodes, nil); err != nil {
 return res, fmt.Errorf("unable to read %s policy: %w", syspolicy.AllowedSuggestedExitNodes, err)
- } else if allowed != nil {
+ } else if allowed != nil && len(allowed) > 0 {
 allowedCandidates = set.SetOf(allowed)
 }
 candidates := make([]tailcfg.NodeView, 0, len(netMap.Peers))
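Review bot: The new `else if` condition makes a configured-but-empty `AllowedSuggestedExitNodes` list fail open, and nothing at that branch records that this is deliberate. A comment such as `// An empty policy list is treated like an unset one: no allowlist is applied.` would stop a later reader from tightening it back to deny-all, and would make clear to administrators that "allow none" cannot be expressed through this policy. The `allowed != nil` half is redundant because `len` of a nil slice is 0, so the test can be written as `} else if len(allowed) > 0 {`. The diffstat shows only local.go touched, so a test case pinning the empty-list behaviour would be worth adding, since it changes what the policy enforces. The body of suggestExitNode starts and ends outside the hunk, so how `allowedCandidates` is consumed further down is not visible here.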