policy/v2: handle autogroup:internet in via grant compilation

compileViaGrant only handled *Prefix destinations, skipping *AutoGroup entirely. This meant via grants with dst=[autogroup:internet] produced no filter rules even when the node was an exit node with approved exit routes. Switch the destination loop from a type assertion to a type switch that handles both *Prefix (subnet routes) and *AutoGroup (exit routes via autogroup:internet). Also check ExitRoutes() in addition to SubnetRoutes() so the function doesn't bail early when a node only has exit routes. Updates #2180
2026-04-07 21:47:46 +09:00 · 2026-03-22 20:42:30 +00:00
parent 687cf0882f
commit 28be15f8ea
1 changed files with 15 additions and 11 deletions
--- a/hscontrol/policy/v2/filter.go
+++ b/hscontrol/policy/v2/filter.go
@@ -344,9 +344,11 @@ func (pol *Policy) compileViaGrant(
 		return nil, nil
 	}

-	// Find which grant destination subnets this node actually advertises.
-	nodeRoutes := node.SubnetRoutes()
-	if len(nodeRoutes) == 0 {
+	// Find which grant destination subnets/exit routes this node actually advertises.
+	nodeSubnetRoutes := node.SubnetRoutes()
+	nodeExitRoutes := node.ExitRoutes()
+
+	if len(nodeSubnetRoutes) == 0 && len(nodeExitRoutes) == 0 {
 		return nil, nil
 	}

@@ -354,14 +356,16 @@ func (pol *Policy) compileViaGrant(
 	var viaDstPrefixes []netip.Prefix

 	for _, dst := range grant.Destinations {
-		p, ok := dst.(*Prefix)
-		if !ok {
-			continue
-		}
-
-		dstPrefix := netip.Prefix(*p)
-		if slices.Contains(nodeRoutes, dstPrefix) {
-			viaDstPrefixes = append(viaDstPrefixes, dstPrefix)
+		switch d := dst.(type) {
+		case *Prefix:
+			dstPrefix := netip.Prefix(*d)
+			if slices.Contains(nodeSubnetRoutes, dstPrefix) {
+				viaDstPrefixes = append(viaDstPrefixes, dstPrefix)
+			}
+		case *AutoGroup:
+			if d.Is(AutoGroupInternet) && len(nodeExitRoutes) > 0 {
+				viaDstPrefixes = append(viaDstPrefixes, nodeExitRoutes...)
+			}
 		}
 	}