policy: reduce routes based on policy

Fixes #2365 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2026-04-01 15:03:23 +02:00 · 2025-05-03 10:11:30 +02:00
parent 388bf5c7b9
commit 0d17cdd8cb
9 changed files with 269 additions and 10 deletions
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@@ -291,6 +291,22 @@ func (node *Node) CanAccess(matchers []matcher.Match, node2 *Node) bool {
 	return false
 }

+func (node *Node) CanAccessRoute(matchers []matcher.Match, route netip.Prefix) bool {
+	src := node.IPs()
+
+	for _, matcher := range matchers {
+		if !matcher.SrcsContainsIPs(src...) {
+			continue
+		}
+
+		if matcher.DestsOverlapsPrefixes(route) {
+			return true
+		}
+	}
+
+	return false
+}
+
 func (nodes Nodes) FilterByIP(ip netip.Addr) Nodes {
 	var found Nodes