dont update change nodes we cant access

Signed-off-by: Kristoffer Dalby <[email protected]>
juanfont · Jul 5, 2023 · b5be2ef · b5be2ef
1 parent 03369f0
commit b5be2ef
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/hscontrol/mapper/mapper.go b/hscontrol/mapper/mapper.go
@@ -341,6 +341,26 @@ func (m Mapper) PeerChangedResponse(
 		lastSeen[tailcfg.NodeID(peer.ID)] = true
 	}
 
+	rules, _, err := policy.GenerateFilterAndSSHRules(
+		pol,
+		machine,
+		changed,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	// Filter out peers that have expired.
+	changed = lo.Filter(changed, func(item types.Machine, index int) bool {
+		return !item.IsExpired()
+	})
+
+	// If there are filter rules present, see if there are any machines that cannot
+	// access eachother at all and remove them from the changed.
+	if len(rules) > 0 {
+		changed = policy.FilterMachinesByACL(machine, changed, rules)
+	}
+
 	tailPeers, err := tailNodes(changed, pol, m.dnsCfg, m.baseDomain)
 	if err != nil {
 		return nil, err