mirror of
https://github.com/juanfont/headscale
synced 2026-04-25 17:15:33 +02:00
reduceCapGrantRule was dropping rules whose CapGrant IPs overlap a subnet route; treat subnet routes as part of node identity so those rules survive reduction. ReduceFilterRules now also reduces route-reachable destinations. Updates #3157
10 lines
428 B
Go
10 lines
428 B
Go
// Package policyutil contains pure functions that transform compiled
|
|
// policy rules for a specific node. The headline function is
|
|
// ReduceFilterRules, which filters global rules down to those relevant
|
|
// to one node.
|
|
//
|
|
// A node's SubnetRoutes (approved, non-exit) participate in rule
|
|
// matching so subnet routers receive filter rules for destinations
|
|
// their subnets cover — the fix for issue #3169.
|
|
package policyutil
|