policy/v2: refactor alias resolution to use ResolvedAddresses

Introduce ResolvedAddresses type for structured IP set results. Refactor all Alias.Resolve() methods to return ResolvedAddresses instead of raw IPSets. Restrict identity-based aliases to matching address families, fix nil dereferences in partial resolution paths, and update test expectations for the new IP format (bare IPs, IP ranges instead of CIDR prefixes). Updates #2180
2026-04-10 11:14:21 +02:00 · 2026-03-04 16:16:40 +01:00
parent 0fa9dcaff8
commit 9f7aa55689
9 changed files with 724 additions and 378 deletions
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@@ -300,9 +300,22 @@ func (node *Node) InIPSet(set *netipx.IPSet) bool {
 // AppendToIPSet adds the individual ips in NodeAddresses to a
 // given netipx.IPSetBuilder.
 func (node *Node) AppendToIPSet(build *netipx.IPSetBuilder) {
-	for _, ip := range node.IPs() {
-		build.Add(ip)
+	if node.IPv4 != nil {
+		build.Add(*node.IPv4)
+		return
 	}
+
+	if node.IPv6 != nil {
+		build.Add(*node.IPv6)
+	}
+
+	// TODO(kradalby): Evaluate what we want to do here:
+	// Tailscale only adds the IPv4 addresses to any packet filter rule that is resolved to a given node.
+	// Presumably, it will add the IPv4 if a node does not have an IPv4.
+	// Until this change, we always added both, and that might be something people are dependent on, and we might want to keep it.
+	// for _, ip := range node.IPs() {
+	// 	build.Add(ip)
+	// }
 }

 func (node *Node) CanAccess(matchers []matcher.Match, node2 *Node) bool {