types: Distinguish subnet and exit node access

When we fixed the issue of node visibility of nodes that only had access to eachother because of a subnet route, we gave all nodes access to all exit routes by accident. This commit splits exit nodes and subnet routes in the access. If a matcher indicates that the node should have access to any part of the subnet routes, we do not remove it from the node list. If a matcher destination is equal to the internet, and the target node is an exit node, we also do not remove the access. Fixes #2784 Fixes #2788 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2026-01-23 02:24:10 +00:00 · 2025-11-01 14:29:50 +01:00 · 2025-11-01 14:29:50 +01:00 · 2024219bd1
commit 2024219bd1
parent d9c3eaf8c8
1 changed files with 7 additions and 0 deletions
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@ -319,9 +319,16 @@ func (node *Node) CanAccess(matchers []matcher.Match, node2 *Node) bool {
 			return true
 		}

+		// Check if the node has access to routes that might be part of a
+		// smaller subnet that is served from node2 as a subnet router.
 		if matcher.DestsOverlapsPrefixes(node2.SubnetRoutes()...) {
 			return true
 		}
+
+		// If the dst is "the internet" and node2 is an exit node, allow access.
+		if matcher.DestsIsTheInternet() && node2.IsExitNode() {
+			return true
+		}
 	}

 	return false