From 28be15f8ead74d01536b085c22bf8e4b5bd01cab Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Sun, 22 Mar 2026 20:42:30 +0000 Subject: [PATCH] policy/v2: handle autogroup:internet in via grant compilation compileViaGrant only handled *Prefix destinations, skipping *AutoGroup entirely. This meant via grants with dst=[autogroup:internet] produced no filter rules even when the node was an exit node with approved exit routes. Switch the destination loop from a type assertion to a type switch that handles both *Prefix (subnet routes) and *AutoGroup (exit routes via autogroup:internet). Also check ExitRoutes() in addition to SubnetRoutes() so the function doesn't bail early when a node only has exit routes. Updates #2180
---
 hscontrol/policy/v2/filter.go | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/hscontrol/policy/v2/filter.go b/hscontrol/policy/v2/filter.go
index 27590d90..df2b6826 100644
--- a/hscontrol/policy/v2/filter.go
+++ b/hscontrol/policy/v2/filter.go
@@ -344,9 +344,11 @@ func (pol *Policy) compileViaGrant(
 return nil, nil
 }
- // Find which grant destination subnets this node actually advertises.
- nodeRoutes := node.SubnetRoutes()
- if len(nodeRoutes) == 0 {
+ // Find which grant destination subnets/exit routes this node actually advertises.
+ nodeSubnetRoutes := node.SubnetRoutes()
+ nodeExitRoutes := node.ExitRoutes()
+
+ if len(nodeSubnetRoutes) == 0 && len(nodeExitRoutes) == 0 {
 return nil, nil
 }
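Review bot: The new comment says the routes are ones the node "actually advertises", while the commit message speaks of approved exit routes; the distinction matters here, because a route that is advertised but not approved should not produce filter rules. If `SubnetRoutes()` and `ExitRoutes()` return only approved routes, the comment should say so, e.g. `// Find which grant destinations match this node's approved subnet or exit routes.`; neither accessor is visible in this hunk, so that needs confirming. compileViaGrant starts and ends outside the hunk.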
@@ -354,14 +356,16 @@ func (pol *Policy) compileViaGrant(
 var viaDstPrefixes []netip.Prefix
 for _, dst := range grant.Destinations {
- p, ok := dst.(*Prefix)
- if !ok {
- continue
- }
-
- dstPrefix := netip.Prefix(*p)
- if slices.Contains(nodeRoutes, dstPrefix) {
- viaDstPrefixes = append(viaDstPrefixes, dstPrefix)
+ switch d := dst.(type) {
+ case *Prefix:
+ dstPrefix := netip.Prefix(*d)
+ if slices.Contains(nodeSubnetRoutes, dstPrefix) {
+ viaDstPrefixes = append(viaDstPrefixes, dstPrefix)
+ }
+ case *AutoGroup:
+ if d.Is(AutoGroupInternet) && len(nodeExitRoutes) > 0 {
+ viaDstPrefixes = append(viaDstPrefixes, nodeExitRoutes...)
+ }
 }
 }
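Review bot: The `*AutoGroup` case appends `nodeExitRoutes...` verbatim, so if `ExitRoutes()` yields the default routes the via rule's destination covers every address, private and tailnet ranges included, which may be broader than what `autogroup:internet` resolves to elsewhere in the policy. It is worth confirming that the two paths agree and narrowing the set here if they do not. The append also runs once per matching entry, so a grant that lists `autogroup:internet` twice emits duplicate prefixes; guarding with `!slices.Contains(viaDstPrefixes, r)` per route would avoid that. The switch has no `default`, so other destination types and other autogroups are still dropped silently, and a short comment such as `// destinations of other types are ignored for via grants` would mark that as intended. The patch touches only filter.go, so a test with `dst=[autogroup:internet]` on an exit node and on a non-exit node would pin the new behaviour; the loop's enclosing function extends beyond the hunk.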