policy: reduce routes based on policy

Fixes #2365

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

hscontrol/mapper/mapper.go

@@ -546,7 +546,7 @@ func appendPeerChanges(
 	// If there are filter rules present, see if there are any nodes that cannot
 	// access each-other at all and remove them from the peers.
 	if len(filter) > 0 {
-		changed = policy.FilterNodesByACL(node, changed, matchers)
+		changed = policy.ReduceNodes(node, changed, matchers)
 	}
 
 	profiles := generateUserProfiles(node, changed)

hscontrol/mapper/mapper_test.go

@@ -348,6 +348,11 @@ func Test_fullMapResponse(t *testing.T) {
 							"src": ["100.64.0.2"],
 							"dst": ["user1@:*"],
 						},
+						{
+							"action": "accept",
+							"src": ["100.64.0.1"],
+							"dst": ["192.168.0.0/24:*"],
+						},
 					],
 				}
 				`),
@@ -380,6 +385,10 @@ func Test_fullMapResponse(t *testing.T) {
 								{IP: "100.64.0.1/32", Ports: tailcfg.PortRangeAny},
 							},
 						},
+						{
+							SrcIPs:   []string{"100.64.0.1/32"},
+							DstPorts: []tailcfg.NetPortRange{{IP: "192.168.0.0/24", Ports: tailcfg.PortRangeAny}},
+						},
 					},
 				},
 				SSHPolicy: nil,

hscontrol/mapper/tail.go

@@ -81,7 +81,9 @@ func tailNode(
 	}
 	tags = lo.Uniq(append(tags, node.ForcedTags...))
 
-	allowed := append(node.Prefixes(), primary.PrimaryRoutes(node.ID)...)
+	_, matchers := polMan.Filter()
+	routes := policy.ReduceRoutes(node, primary.PrimaryRoutes(node.ID), matchers)
+	allowed := append(node.Prefixes(), routes...)
 	allowed = append(allowed, node.ExitRoutes()...)
 	tsaddr.SortPrefixes(allowed)
 

hscontrol/mapper/tail_test.go

@@ -269,10 +269,13 @@ func TestNodeExpiry(t *testing.T) {
 				GivenName: "test",
 				Expiry:    tt.exp,
 			}
+			polMan, err := policy.NewPolicyManager(nil, nil, nil)
+			require.NoError(t, err)
+
 			tn, err := tailNode(
 				node,
 				0,
-				nil, // TODO(kradalby): removed in merge but error?
+				polMan,
 				nil,
 				&types.Config{},
 			)