maybe only return ipv4? not always?

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

hscontrol/types/node.go

@@ -300,9 +300,22 @@ func (node *Node) InIPSet(set *netipx.IPSet) bool {
 // AppendToIPSet adds the individual ips in NodeAddresses to a
 // given netipx.IPSetBuilder.
 func (node *Node) AppendToIPSet(build *netipx.IPSetBuilder) {
-	for _, ip := range node.IPs() {
-		build.Add(ip)
+	if node.IPv4 != nil {
+		build.Add(*node.IPv4)
+		return
 	}
+
+	if node.IPv6 != nil {
+		build.Add(*node.IPv6)
+	}
+
+	// TODO(kradalby): Evaluate what we want to do here:
+	// Tailscale only adds the IPv4 addresses to any packet filter rule that is resolved to a given node.
+	// Presumably, it will add the IPv4 if a node does not have an IPv4.
+	// Until this change, we always added both, and that might be something people are dependent on, and we might want to keep it.
+	// for _, ip := range node.IPs() {
+	// 	build.Add(ip)
+	// }
 }
 
 func (node *Node) CanAccess(matchers []matcher.Match, node2 *Node) bool {