policy/v2,state,mapper: implement per-viewer via route steering

Via grants steer routes to specific nodes per viewer. Until now, all clients saw the same routes for each peer because route assembly was viewer-independent. This implements per-viewer route visibility so that via-designated peers serve routes only to matching viewers, while non-designated peers have those routes withdrawn. Add ViaRouteResult type (Include/Exclude prefix lists) and ViaRoutesForPeer to the PolicyManager interface. The v2 implementation iterates via grants, resolves sources against the viewer, matches destinations against the peer's advertised routes (both subnet and exit), and categorizes prefixes by whether the peer has the via tag. Add RoutesForPeer to State which composes global primary election, via Include/Exclude filtering, exit routes, and ACL reduction. When no via grants exist, it falls back to existing behavior. Update the mapper to call RoutesForPeer per-peer instead of using a single route function for all peers. The route function now returns all routes (subnet + exit), and TailNode filters exit routes out of the PrimaryRoutes field for HA tracking. Updates #2180
2026-04-19 15:21:35 +02:00 · 2026-03-22 20:43:28 +00:00
parent 66ac9a26ff
commit aed573e813
6 changed files with 182 additions and 14 deletions
--- a/hscontrol/mapper/builder.go
+++ b/hscontrol/mapper/builder.go
@@ -2,6 +2,7 @@ package mapper

 import (
 	"net/netip"
+	"slices"
 	"sort"
 	"time"

@@ -78,7 +79,10 @@ func (b *MapResponseBuilder) WithSelfNode() *MapResponseBuilder {
 	tailnode, err := nv.TailNode(
 		b.capVer,
 		func(id types.NodeID) []netip.Prefix {
-			return policy.ReduceRoutes(nv, b.mapper.state.GetNodePrimaryRoutes(id), matchers)
+			// Self node: include own primaries + exit routes (no via steering for self).
+			primaries := policy.ReduceRoutes(nv, b.mapper.state.GetNodePrimaryRoutes(id), matchers)
+
+			return slices.Concat(primaries, nv.ExitRoutes())
 		},
 		b.mapper.cfg)
 	if err != nil {
@@ -251,14 +255,18 @@ func (b *MapResponseBuilder) buildTailPeers(peers views.Slice[types.NodeView]) (
 		changedViews = peers
 	}

-	tailPeers, err := types.TailNodes(
-		changedViews, b.capVer,
-		func(id types.NodeID) []netip.Prefix {
-			return policy.ReduceRoutes(node, b.mapper.state.GetNodePrimaryRoutes(id), matchers)
-		},
-		b.mapper.cfg)
-	if err != nil {
-		return nil, err
+	// Build tail nodes with per-peer via-aware route function.
+	tailPeers := make([]*tailcfg.Node, 0, changedViews.Len())
+
+	for _, peer := range changedViews.All() {
+		tn, err := peer.TailNode(b.capVer, func(_ types.NodeID) []netip.Prefix {
+			return b.mapper.state.RoutesForPeer(node, peer, matchers)
+		}, b.mapper.cfg)
+		if err != nil {
+			return nil, err
+		}
+
+		tailPeers = append(tailPeers, tn)
 	}

 	// Peers is always returned sorted by Node.ID.
--- a/hscontrol/mapper/tail_test.go
+++ b/hscontrol/mapper/tail_test.go
@@ -3,6 +3,7 @@ package mapper
 import (
 	"encoding/json"
 	"net/netip"
+	"slices"
 	"testing"
 	"time"

@@ -214,10 +215,13 @@ func TestTailNode(t *testing.T) {
 			// This is a hack to avoid having a second node to test the primary route.
 			// This should be baked into the test case proper if it is extended in the future.
 			_ = primary.SetRoutes(2, netip.MustParsePrefix("192.168.0.0/24"))
-			got, err := tt.node.View().TailNode(
+			nv := tt.node.View()
+			got, err := nv.TailNode(
 				0,
 				func(id types.NodeID) []netip.Prefix {
-					return primary.PrimaryRoutes(id)
+					// Route function returns primaries + exit routes
+					// (matching the real caller contract).
+					return slices.Concat(primary.PrimaryRoutes(id), nv.ExitRoutes())
 				},
 				cfg,
 			)