From b5be2ef2d48dedc182995956b412f1fd8956813b Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Wed, 5 Jul 2023 17:21:26 +0200
Subject: [PATCH] dont update change nodes we cant access

Signed-off-by: Kristoffer Dalby
---
 hscontrol/mapper/mapper.go | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/hscontrol/mapper/mapper.go b/hscontrol/mapper/mapper.go
index 884dd3f366a..819a7fb4c3d 100644
--- a/hscontrol/mapper/mapper.go
+++ b/hscontrol/mapper/mapper.go
@@ -341,6 +341,26 @@ func (m Mapper) PeerChangedResponse(
 lastSeen[tailcfg.NodeID(peer.ID)] = true
 }
+ rules, _, err := policy.GenerateFilterAndSSHRules(
+ pol,
+ machine,
+ changed,
+ )
+ if err != nil {
+ return nil, err
+ }
+
+ // Filter out peers that have expired.
+ changed = lo.Filter(changed, func(item types.Machine, index int) bool {
+ return !item.IsExpired()
+ })
+
+ // If there are filter rules present, see if there are any machines that cannot
+ // access eachother at all and remove them from the changed.
+ if len(rules) > 0 {
+ changed = policy.FilterMachinesByACL(machine, changed, rules)
+ }
+
 tailPeers, err := tailNodes(changed, pol, m.dnsCfg, m.baseDomain)
 if err != nil {
 return nil, err
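Review bot: The ACL gate `if len(rules) > 0 {` fails open: when a policy is present but `GenerateFilterAndSSHRules` produces no rules (a deny-everything policy, if that is how an empty rule set arises here — the helper's behaviour is outside the hunk), the filter is skipped and every changed node is sent to the requester, the opposite of what such a policy should cause. Gating on the policy rather than the rule count, `if pol != nil {`, keeps the no-policy behaviour and fails closed otherwise, provided `FilterMachinesByACL` returns an empty slice for an empty rule set rather than erroring. The expiry filter also silently drops expired peers from the update; if `tailNodes` would otherwise carry the expiry to clients, dropping them leaves peers holding a stale, still-trusted entry until a full map arrives, so this should not be relied on as a revocation path without confirming that. `lastSeen` is filled in the loop closing just above from the pre-filter `changed` (loop body outside the hunk), so bookkeeping derived from it may still name nodes removed here. PeerChangedResponse starts before and continues after the hunk; minor: `eachother` → `each other` in the new comment.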