mirror of
https://github.com/juanfont/headscale.git
synced 2026-04-08 05:57:46 +09:00
ccd284c0a5
Via grants compile filter rules that depend on the node's route state (SubnetRoutes, ExitRoutes). Without per-node compilation, these rules were only included in the global filter path which explicitly skips via grants (compileFilterRules skips grants with non-empty Via fields). Add a needsPerNodeFilter flag that is true when the policy uses either autogroup:self or via grants. filterForNodeLocked now uses this flag instead of usesAutogroupSelf alone, ensuring via grant rules are compiled per-node through compileFilterRulesForNode/compileViaGrant. The filter cache also needs to account for route-dependent compilation: - nodesHavePolicyAffectingChanges now treats route changes as policy-affecting when needsPerNodeFilter is true, so SetNodes triggers updateLocked and clears caches through the normal flow. - invalidateGlobalPolicyCache now clears compiledFilterRulesMap (the unreduced per-node cache) alongside filterRulesMap when needsPerNodeFilter is true and routes changed. Updates #2180