remove policy handling for old capver (#2429)

* remove policy handling for old capver Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * update tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-10-31 16:11:03 +01:00 · 2025-03-10 19:19:25 +01:00 · 2025-03-10 19:19:25 +01:00 · 0b5c29e875
commit 0b5c29e875
parent 0a243b4162
2 changed files with 17 additions and 29 deletions
--- a/hscontrol/mapper/mapper.go
+++ b/hscontrol/mapper/mapper.go
@ -555,26 +555,12 @@ func appendPeerChanges(
 	resp.UserProfiles = profiles
 	resp.SSHPolicy = sshPolicy

-	// 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
-	if capVer >= 81 {
-		// Currently, we do not send incremental package filters, however using the
-		// new PacketFilters field and "base" allows us to send a full update when we
-		// have to send an empty list, avoiding the hack in the else block.
-		resp.PacketFilters = map[string][]tailcfg.FilterRule{
-			"base": policy.ReduceFilterRules(node, filter),
-		}
-	} else {
-		// This is a hack to avoid sending an empty list of packet filters.
-		// Since tailcfg.PacketFilter has omitempty, any empty PacketFilter will
-		// be omitted, causing the client to consider it unchanged, keeping the
-		// previous packet filter. Worst case, this can cause a node that previously
-		// has access to a node to _not_ loose access if an empty (allow none) is sent.
-		reduced := policy.ReduceFilterRules(node, filter)
-		if len(reduced) > 0 {
-			resp.PacketFilter = reduced
-		} else {
-			resp.PacketFilter = filter
-		}
+	// CapVer 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
+	// Currently, we do not send incremental package filters, however using the
+	// new PacketFilters field and "base" allows us to send a full update when we
+	// have to send an empty list, avoiding the hack in the else block.
+	resp.PacketFilters = map[string][]tailcfg.FilterRule{
+		"base": policy.ReduceFilterRules(node, filter),
 	}

 	return nil
--- a/hscontrol/mapper/mapper_test.go
+++ b/hscontrol/mapper/mapper_test.go
@ -291,8 +291,8 @@ func Test_fullMapResponse(t *testing.T) {
 						DisplayName: "user1",
 					},
 				},
-				PacketFilter: tailcfg.FilterAllowAll,
-				ControlTime:  &time.Time{},
+				ControlTime:   &time.Time{},
+				PacketFilters: map[string][]tailcfg.FilterRule{"base": tailcfg.FilterAllowAll},
 				Debug: &tailcfg.Debug{
 					DisableLogTail: true,
 				},
@ -326,8 +326,8 @@ func Test_fullMapResponse(t *testing.T) {
 					{ID: tailcfg.UserID(user1.ID), LoginName: "user1", DisplayName: "user1"},
 					{ID: tailcfg.UserID(user2.ID), LoginName: "user2", DisplayName: "user2"},
 				},
-				PacketFilter: tailcfg.FilterAllowAll,
-				ControlTime:  &time.Time{},
+				ControlTime:   &time.Time{},
+				PacketFilters: map[string][]tailcfg.FilterRule{"base": tailcfg.FilterAllowAll},
 				Debug: &tailcfg.Debug{
 					DisableLogTail: true,
 				},
@ -368,11 +368,13 @@ func Test_fullMapResponse(t *testing.T) {
 				DNSConfig:       &tailcfg.DNSConfig{},
 				Domain:          "",
 				CollectServices: "false",
-				PacketFilter: []tailcfg.FilterRule{
-					{
-						SrcIPs: []string{"100.64.0.2/32"},
-						DstPorts: []tailcfg.NetPortRange{
-							{IP: "100.64.0.1/32", Ports: tailcfg.PortRangeAny},
+				PacketFilters: map[string][]tailcfg.FilterRule{
+					"base": {
+						{
+							SrcIPs: []string{"100.64.0.2/32"},
+							DstPorts: []tailcfg.NetPortRange{
+								{IP: "100.64.0.1/32", Ports: tailcfg.PortRangeAny},
+							},
 						},
 					},
 				},