policy/v2: handle autogroup:internet in via grant compilation

compileViaGrant only handled *Prefix destinations, skipping
*AutoGroup entirely. This meant via grants with
dst=[autogroup:internet] produced no filter rules even when the
node was an exit node with approved exit routes.

Switch the destination loop from a type assertion to a type switch
that handles both *Prefix (subnet routes) and *AutoGroup (exit
routes via autogroup:internet). Also check ExitRoutes() in
addition to SubnetRoutes() so the function doesn't bail early
when a node only has exit routes.

Updates #2180

hscontrol/policy/v2/filter.go

@@ -344,9 +344,11 @@ func (pol *Policy) compileViaGrant(
 		return nil, nil
 	}
 
-	// Find which grant destination subnets this node actually advertises.
+	// Find which grant destination subnets/exit routes this node actually advertises.
-	nodeRoutes := node.SubnetRoutes()
+	nodeSubnetRoutes := node.SubnetRoutes()
-	if len(nodeRoutes) == 0 {
+	nodeExitRoutes := node.ExitRoutes()
+
+	if len(nodeSubnetRoutes) == 0 && len(nodeExitRoutes) == 0 {
 		return nil, nil
 	}
 
@@ -354,14 +356,16 @@ func (pol *Policy) compileViaGrant(
 	var viaDstPrefixes []netip.Prefix
 
 	for _, dst := range grant.Destinations {
-		p, ok := dst.(*Prefix)
+		switch d := dst.(type) {
-		if !ok {
+		case *Prefix:
-			continue
+			dstPrefix := netip.Prefix(*d)
-		}
+			if slices.Contains(nodeSubnetRoutes, dstPrefix) {
-
+				viaDstPrefixes = append(viaDstPrefixes, dstPrefix)
-		dstPrefix := netip.Prefix(*p)
+			}
-		if slices.Contains(nodeRoutes, dstPrefix) {
+		case *AutoGroup:
-			viaDstPrefixes = append(viaDstPrefixes, dstPrefix)
+			if d.Is(AutoGroupInternet) && len(nodeExitRoutes) > 0 {
+				viaDstPrefixes = append(viaDstPrefixes, nodeExitRoutes...)
+			}
 		}
 	}