Update packetfilter when peers change

Previously we did not update the packet filter
when nodes changed, which would cause new nodes
to be missing from packet filters of old nodes.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Kristoffer Dalby 2023-08-09 20:37:41 +02:00 committed by Kristoffer Dalby
parent a8079a2096
commit 3b0749a320
2 changed files with 28 additions and 13 deletions


@ -382,28 +382,31 @@ func (m *Mapper) DERPMapResponse(
func (m *Mapper) PeerChangedResponse(
mapRequest tailcfg.MapRequest,
machine *types.Machine,
machineKeys []uint64,
machineIDs []uint64,
pol *policy.ACLPolicy,
) ([]byte, error) {
var err error
changed := make(types.Machines, len(machineKeys))
changed := make(types.Machines, len(machineIDs))
lastSeen := make(map[tailcfg.NodeID]bool)
for idx, machineKey := range machineKeys {
peer, err := m.db.GetMachineByID(machineKey)
peersList, err := m.db.ListPeers(machine)
if err != nil {
return nil, err
}
changed[idx] = *peer
peers := peersList.IDMap()
for idx, machineID := range machineIDs {
changed[idx] = peers[machineID]
// We have just seen the node, let the peers update their list.
lastSeen[tailcfg.NodeID(peer.ID)] = true
lastSeen[tailcfg.NodeID(machineID)] = true
}
rules, _, err := policy.GenerateFilterAndSSHRules(
rules, sshPolicy, err := policy.GenerateFilterAndSSHRules(
pol,
machine,
changed,
peersList,
)
if err != nil {
return nil, err
@ -434,6 +437,8 @@ func (m *Mapper) PeerChangedResponse(
resp := m.baseMapResponse(machine)
resp.PeersChanged = tailPeers
resp.PacketFilter = policy.ReduceFilterRules(machine, rules)
resp.SSHPolicy = sshPolicy
// resp.PeerSeenChange = lastSeen
return m.marshalMapResponse(mapRequest, &resp, machine, mapRequest.Compress)
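Review bot: The new loop at `changed[idx] = peers[machineID]` indexes the IDMap without an existence check, so any machineID that is not in peersList (presumably the node itself or a peer the caller has since lost) silently yields a zero-value Machine that is then handed to the peer conversion and sent to the client as a changed peer. The previous per-ID lookup at least returned an error from GetMachineByID for an unknown ID; the map form drops that signal. Build `changed` by appending only the IDs that resolve, and mark lastSeen only for those, so an unknown ID cannot inject an empty node into the response. The `lastSeen` map is still populated but only used on the commented-out line, so either that line should be restored or the map dropped. PeerChangedResponse's body continues past this hunk, so the tail of the function was not reviewed here.
```go
changed := make(types.Machines, 0, len(machineIDs))
lastSeen := make(map[tailcfg.NodeID]bool)
// … unchanged: ListPeers call and error check …
peers := peersList.IDMap()
for _, machineID := range machineIDs {
	peer, ok := peers[machineID]
	if !ok {
		// Not a peer of this machine (or no longer exists); never emit a zero-value node.
		continue
	}
	changed = append(changed, peer)
	// We have just seen the node, let the peers update their list.
	lastSeen[tailcfg.NodeID(machineID)] = true
}
// … unchanged: GenerateFilterAndSSHRules call and the rest of the function …
```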


@ -353,3 +353,13 @@ func (machines MachinesP) String() string {
return fmt.Sprintf("[ %s ](%d)", strings.Join(temp, ", "), len(temp))
}
func (machines Machines) IDMap() map[uint64]Machine {
ret := map[uint64]Machine{}
for _, machine := range machines {
ret[machine.ID] = machine
}
return ret
}
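Review bot: IDMap is a new exported method with no doc comment; add one that also records the collision behaviour visible in the loop: `// IDMap returns the machines keyed by ID; if two entries share an ID, the later one wins.`. Since the final size is known, pre-size the map with `ret := make(map[uint64]Machine, len(machines))` to avoid rehashing on large peer lists, which is the path PeerChangedResponse now takes on every change.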