control/controlclient: support incremental packet filter updates [capver 81]

Updates #10299 Change-Id: I87e4235c668a1db7de7ef1abc743f0beecb86d3d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-10-08 23:49:56 +00:00 · 2023-11-17 09:20:08 -08:00
parent b8a2aedccd
commit fb829ea7f1
4 changed files with 156 additions and 4 deletions
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -16,6 +16,7 @@ import (
 	"sync"
 	"time"

+	xmaps "golang.org/x/exp/maps"
 	"tailscale.com/control/controlknobs"
 	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
@@ -27,6 +28,7 @@ import (
 	"tailscale.com/types/views"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/cmpx"
+	"tailscale.com/util/mak"
 	"tailscale.com/wgengine/filter"
 )

@@ -75,7 +77,8 @@ type mapSession struct {
 	lastDNSConfig          *tailcfg.DNSConfig
 	lastDERPMap            *tailcfg.DERPMap
 	lastUserProfile        map[tailcfg.UserID]tailcfg.UserProfile
-	lastPacketFilterRules  views.Slice[tailcfg.FilterRule]
+	lastPacketFilterRules  views.Slice[tailcfg.FilterRule] // concatenation of all namedPacketFilters
+	namedPacketFilters     map[string]views.Slice[tailcfg.FilterRule]
 	lastParsedPacketFilter []filter.Match
 	lastSSHPolicy          *tailcfg.SSHPolicy
 	collectServices        bool
@@ -259,10 +262,39 @@ func (ms *mapSession) updateStateFromResponse(resp *tailcfg.MapResponse) {
 		ms.lastDERPMap = dm
 	}

+	var packetFilterChanged bool
+	// Older way, one big blob:
 	if pf := resp.PacketFilter; pf != nil {
+		packetFilterChanged = true
+		mak.Set(&ms.namedPacketFilters, "base", views.SliceOf(pf))
+	}
+	// Newer way, named chunks:
+	if m := resp.PacketFilters; m != nil {
+		packetFilterChanged = true
+		if v, ok := m["*"]; ok && v == nil {
+			ms.namedPacketFilters = nil
+		}
+		for k, v := range m {
+			if k == "*" {
+				continue
+			}
+			if v != nil {
+				mak.Set(&ms.namedPacketFilters, k, views.SliceOf(v))
+			} else {
+				delete(ms.namedPacketFilters, k)
+			}
+		}
+	}
+	if packetFilterChanged {
+		keys := xmaps.Keys(ms.namedPacketFilters)
+		sort.Strings(keys)
+		var concat []tailcfg.FilterRule
+		for _, v := range keys {
+			concat = ms.namedPacketFilters[v].AppendTo(concat)
+		}
+		ms.lastPacketFilterRules = views.SliceOf(concat)
 		var err error
-		ms.lastPacketFilterRules = views.SliceOf(pf)
-		ms.lastParsedPacketFilter, err = filter.MatchesFromFilterRules(pf)
+		ms.lastParsedPacketFilter, err = filter.MatchesFromFilterRules(concat)
 		if err != nil {
 			ms.logf("parsePacketFilter: %v", err)
 		}