From 66269dc934058cd41ddff7a5fd94c6425dbb28f8 Mon Sep 17 00:00:00 2001
From: Nick Khyl <nickk@tailscale.com>
Date: Tue, 14 Jan 2025 11:04:55 -0600
Subject: [PATCH] ipn/ipnlocal: allow Peer API access via either V4MasqAddr or
 V6MasqAddr when both are set

This doesn't seem to have any immediate impact, but not allowing access via the IPv6 masquerade
address when an IPv4 masquerade address is also set seems like a bug.

Updates #cleanup
Updates #14570 (found when working on it)

Signed-off-by: Nick Khyl <nickk@tailscale.com>
---
 ipn/ipnlocal/peerapi.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ipn/ipnlocal/peerapi.go b/ipn/ipnlocal/peerapi.go
index 7aa677640..4d0548917 100644
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -233,11 +233,13 @@ func (h *peerAPIHandler) logf(format string, a ...any) {
 // isAddressValid reports whether addr is a valid destination address for this
 // node originating from the peer.
 func (h *peerAPIHandler) isAddressValid(addr netip.Addr) bool {
-	if v, ok := h.peerNode.SelfNodeV4MasqAddrForThisPeer().GetOk(); ok {
-		return v == addr
+	if !addr.IsValid() {
+		return false
 	}
-	if v, ok := h.peerNode.SelfNodeV6MasqAddrForThisPeer().GetOk(); ok {
-		return v == addr
+	v4MasqAddr, hasMasqV4 := h.peerNode.SelfNodeV4MasqAddrForThisPeer().GetOk()
+	v6MasqAddr, hasMasqV6 := h.peerNode.SelfNodeV6MasqAddrForThisPeer().GetOk()
+	if hasMasqV4 || hasMasqV6 {
+		return addr == v4MasqAddr || addr == v6MasqAddr
 	}
 	pfx := netip.PrefixFrom(addr, addr.BitLen())
 	return views.SliceContains(h.selfNode.Addresses(), pfx)