juanfont · kradalby · Oct 23, 2025 · Oct 21, 2025 · Oct 21, 2025 · Oct 22, 2025
@@ -28,6 +28,7 @@ jobs:
           - TestAPIAuthenticationBypassCurl
           - TestGRPCAuthenticationBypass
           - TestCLIWithConfigAuthenticationBypass
+          - TestACLPolicyPropagationOverTime
           - TestAuthKeyLogoutAndReloginSameUser
           - TestAuthKeyLogoutAndReloginNewUser
           - TestAuthKeyLogoutAndReloginSameUserExpiredKey

@@ -81,7 +81,7 @@ func extractDirectoryFromTar(tarReader io.Reader, targetDir string) error {
 			if err := os.MkdirAll(filepath.Dir(targetPath), 0o755); err != nil {
 				return fmt.Errorf("failed to create parent directories for %s: %w", targetPath, err)
 			}
-			
+
 			// Create file
 			outFile, err := os.Create(targetPath)
 			if err != nil {

@@ -1,6 +1,6 @@
 package capver
 
-//Generated DO NOT EDIT
+// Generated DO NOT EDIT
 
 import "tailscale.com/tailcfg"
 
@@ -37,16 +37,15 @@ var tailscaleToCapVer = map[string]tailcfg.CapabilityVersion{
 	"v1.84.2": 116,
 }
 
-
 var capVerToTailscaleVer = map[tailcfg.CapabilityVersion]string{
-	90:		"v1.64.0",
-	95:		"v1.66.0",
-	97:		"v1.68.0",
-	102:		"v1.70.0",
-	104:		"v1.72.0",
-	106:		"v1.74.0",
-	109:		"v1.78.0",
-	113:		"v1.80.0",
-	115:		"v1.82.0",
-	116:		"v1.84.0",
+	90:  "v1.64.0",
+	95:  "v1.66.0",
+	97:  "v1.68.0",
+	102: "v1.70.0",
+	104: "v1.72.0",
+	106: "v1.74.0",
+	109: "v1.78.0",
+	113: "v1.80.0",
+	115: "v1.82.0",
+	116: "v1.84.0",
 }
@@ -185,7 +185,6 @@ func TestShuffleDERPMapDeterministic(t *testing.T) {
 			}
 		})
 	}
-
 }
 
 func TestShuffleDERPMapEdgeCases(t *testing.T) {

@@ -73,7 +73,6 @@ func (b *LockFreeBatcher) AddNode(id types.NodeID, c chan<- *tailcfg.MapResponse
 
 	// Use the worker pool for controlled concurrency instead of direct generation
 	initialMap, err := b.MapResponseFromChange(id, change.FullSelf(id))
-
 	if err != nil {
 		log.Error().Uint64("node.id", id.Uint64()).Err(err).Msg("Initial map generation failed")
 		nodeConn.removeConnectionByChannel(c)

@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/juanfont/headscale/hscontrol/policy"
-	"github.com/juanfont/headscale/hscontrol/policy/matcher"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/views"
@@ -181,6 +180,9 @@ func (b *MapResponseBuilder) WithPacketFilters() *MapResponseBuilder {
 		return b
 	}
 
+	// FilterForNode returns rules already reduced to only those relevant for this node.
+	// For autogroup:self policies, it returns per-node compiled rules.
+	// For global policies, it returns the global filter reduced for this node.
 	filter, err := b.mapper.state.FilterForNode(node)
 	if err != nil {
 		b.addError(err)
@@ -192,7 +194,7 @@ func (b *MapResponseBuilder) WithPacketFilters() *MapResponseBuilder {
 	// new PacketFilters field and "base" allows us to send a full update when we
 	// have to send an empty list, avoiding the hack in the else block.
 	b.resp.PacketFilters = map[string][]tailcfg.FilterRule{
-		"base": policy.ReduceFilterRules(node, filter),
+		"base": filter,
 	}
 
 	return b
@@ -231,18 +233,19 @@ func (b *MapResponseBuilder) buildTailPeers(peers views.Slice[types.NodeView]) (
 		return nil, errors.New("node not found")
 	}
 
-	// Use per-node filter to handle autogroup:self
-	filter, err := b.mapper.state.FilterForNode(node)
+	// Get unreduced matchers for peer relationship determination.
+	// MatchersForNode returns unreduced matchers that include all rules where the node
+	// could be either source or destination. This is different from FilterForNode which
+	// returns reduced rules for packet filtering (only rules where node is destination).
+	matchers, err := b.mapper.state.MatchersForNode(node)
 	if err != nil {
 		return nil, err
 	}
 
-	matchers := matcher.MatchesFromFilterRules(filter)
-
 	// If there are filter rules present, see if there are any nodes that cannot
 	// access each-other at all and remove them from the peers.
 	var changedViews views.Slice[types.NodeView]
-	if len(filter) > 0 {
+	if len(matchers) > 0 {
 		changedViews = policy.ReduceNodes(node, peers, matchers)
 	} else {
 		changedViews = peers

@@ -15,6 +15,10 @@ type PolicyManager interface {
 	Filter() ([]tailcfg.FilterRule, []matcher.Match)
 	// FilterForNode returns filter rules for a specific node, handling autogroup:self
 	FilterForNode(node types.NodeView) ([]tailcfg.FilterRule, error)
+	// MatchersForNode returns matchers for peer relationship determination (unreduced)
+	MatchersForNode(node types.NodeView) ([]matcher.Match, error)
+	// BuildPeerMap constructs peer relationship maps for the given nodes
+	BuildPeerMap(nodes views.Slice[types.NodeView]) map[types.NodeID][]types.NodeView
 	SSHPolicy(types.NodeView) (*tailcfg.SSHPolicy, error)
 	SetPolicy([]byte) (bool, error)
 	SetUsers(users []types.User) (bool, error)

@@ -10,7 +10,6 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/samber/lo"
 	"tailscale.com/net/tsaddr"
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/views"
 )
 
@@ -79,66 +78,6 @@ func BuildPeerMap(
 	return ret
 }
 
-// ReduceFilterRules takes a node and a set of rules and removes all rules and destinations
-// that are not relevant to that particular node.
-func ReduceFilterRules(node types.NodeView, rules []tailcfg.FilterRule) []tailcfg.FilterRule {
-	ret := []tailcfg.FilterRule{}
-
-	for _, rule := range rules {
-		// record if the rule is actually relevant for the given node.
-		var dests []tailcfg.NetPortRange
-	DEST_LOOP:
-		for _, dest := range rule.DstPorts {
-			expanded, err := util.ParseIPSet(dest.IP, nil)
-			// Fail closed, if we can't parse it, then we should not allow
-			// access.
-			if err != nil {
-				continue DEST_LOOP
-			}
-
-			if node.InIPSet(expanded) {
-				dests = append(dests, dest)
-				continue DEST_LOOP
-			}
-
-			// If the node exposes routes, ensure they are note removed
-			// when the filters are reduced.
-			if node.Hostinfo().Valid() {
-				routableIPs := node.Hostinfo().RoutableIPs()
-				if routableIPs.Len() > 0 {
-					for _, routableIP := range routableIPs.All() {
-						if expanded.OverlapsPrefix(routableIP) {
-							dests = append(dests, dest)
-							continue DEST_LOOP
-						}
-					}
-				}
-			}
-
-			// Also check approved subnet routes - nodes should have access
-			// to subnets they're approved to route traffic for.
-			subnetRoutes := node.SubnetRoutes()
-
-			for _, subnetRoute := range subnetRoutes {
-				if expanded.OverlapsPrefix(subnetRoute) {
-					dests = append(dests, dest)
-					continue DEST_LOOP
-				}
-			}
-		}
-
-		if len(dests) > 0 {
-			ret = append(ret, tailcfg.FilterRule{
-				SrcIPs:   rule.SrcIPs,
-				DstPorts: dests,
-				IPProto:  rule.IPProto,
-			})
-		}
-	}
-
-	return ret
-}
-
 // ApproveRoutesWithPolicy checks if the node can approve the announced routes
 // and returns the new list of approved routes.
 // The approved routes will include:
-Original file line number
+Diff line change
@@ Expand Up / @@ -185,7 +185,6 @@ func TestShuffleDERPMapDeterministic(t *testing.T) { @@
     			}
     		})
     	}
     }
     func TestShuffleDERPMapEdgeCases(t *testing.T) {
@@ Expand Down @@