fix empty packetfilter being omitted

This commit start using PacketFilters for newer nodes and adds a hack to prevent nodes receiving an empty packet filter to ignore it. Signed-off-by: Kristoffer Dalby <[email protected]>
pallabpain · Jul 16, 2024 · 9ca914d · 9ca914d
1 parent 37a9798
commit 9ca914d
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/hscontrol/mapper/mapper.go b/hscontrol/mapper/mapper.go
@@ -594,9 +594,30 @@ func appendPeerChanges(
 		resp.PeersChanged = tailPeers
 	}
 	resp.DNSConfig = dnsConfig
-	resp.PacketFilter = policy.ReduceFilterRules(node, packetFilter)
 	resp.UserProfiles = profiles
 	resp.SSHPolicy = sshPolicy
 
+	// 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
+	if capVer >= 81 {
+		// Currently, we do not send incremental package filters, however using the
+		// new PacketFilters field and "base" allows us to send a full update when we
+		// have to send an empty list, avoiding the hack in the else block.
+		resp.PacketFilters = map[string][]tailcfg.FilterRule{
+			"base": policy.ReduceFilterRules(node, packetFilter),
+		}
+	} else {
+		// This is a hack to avoid sending an empty list of packet filters.
+		// Since tailcfg.PacketFilter has omitempty, any empty PacketFilter will
+		// be omitted, causing the client to consider it unchange, keeping the
+		// previous packet filter. Worst case, this can cause a node that previously
+		// has access to a node to _not_ loose access if an empty (allow none) is sent.
+		reduced := policy.ReduceFilterRules(node, packetFilter)
+		if len(reduced) > 0 {
+			resp.PacketFilter = reduced
+		} else {
+			resp.PacketFilter = packetFilter
+		}
+	}
+
 	return nil
 }