ipn/ipnlocal: use node peer caps for ingress

Author: ryantm

ipn/ipnlocal/node_backend.go

@@ -295,14 +295,6 @@ func (nb *nodeBackend) PeerCaps(src netip.Addr) tailcfg.PeerCapMap {
 	return nb.peerCapsLocked(src)
 }
 
-// peerCapsForService returns the capabilities that remote src IP has to the
-// specified VIP service hosted by this node.
-func (nb *nodeBackend) peerCapsForService(src netip.Addr, serviceName tailcfg.ServiceName) tailcfg.PeerCapMap {
-	nb.mu.Lock()
-	defer nb.mu.Unlock()
-	return nb.peerCapsForServiceLocked(src, serviceName)
-}
-
 func (nb *nodeBackend) peerCapsLocked(src netip.Addr) tailcfg.PeerCapMap {
 	if nb.netMap == nil {
 		return nil
@@ -325,26 +317,6 @@ func (nb *nodeBackend) peerCapsLocked(src netip.Addr) tailcfg.PeerCapMap {
 	return nil
 }
 
-func (nb *nodeBackend) peerCapsForServiceLocked(src netip.Addr, serviceName tailcfg.ServiceName) tailcfg.PeerCapMap {
-	if nb.netMap == nil || serviceName == "" {
-		return nil
-	}
-	filt := nb.filterAtomic.Load()
-	if filt == nil {
-		return nil
-	}
-	serviceIPMap := nb.netMap.GetVIPServiceIPMap()
-	if len(serviceIPMap) == 0 {
-		return nil
-	}
-	for _, dst := range serviceIPMap[serviceName] {
-		if dst.BitLen() == src.BitLen() { // match on family
-			return filt.CapsWithValues(src, dst)
-		}
-	}
-	return nil
-}
-
 // PeerHasCap reports whether the peer contains the given capability string,
 // with any value(s).
 func (nb *nodeBackend) PeerHasCap(peer tailcfg.NodeView, wantCap tailcfg.PeerCapability) bool {

ipn/ipnlocal/serve.go

@@ -1101,12 +1101,7 @@ func (b *LocalBackend) addAppCapabilitiesHeader(r *httputil.ProxyRequest) error
 	if acceptCaps.IsNil() {
 		return nil
 	}
-	var peerCaps tailcfg.PeerCapMap
-	if c.ForVIPService != "" {
-		peerCaps = b.currentNode().peerCapsForService(c.SrcAddr.Addr(), c.ForVIPService)
-	} else {
-		peerCaps = b.PeerCaps(c.SrcAddr.Addr())
-	}
+	peerCaps := b.PeerCaps(c.SrcAddr.Addr())
 	if peerCaps == nil {
 		return nil
 	}

ipn/ipnlocal/serve_test.go

@@ -1012,26 +1012,13 @@ func TestServeHTTPProxyGrantHeader(t *testing.T) {
 func TestServeHTTPProxyGrantHeaderForVIPService(t *testing.T) {
 	b := newTestBackend(t)
 
-	svcIPMapJSON, err := json.Marshal(tailcfg.ServiceIPMappings{
-		"svc:foo": {netip.MustParseAddr("100.101.101.101")},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
 	nm := b.NetMap()
-	self := nm.SelfNode.AsStruct()
-	self.CapMap = tailcfg.NodeCapMap{
-		tailcfg.NodeAttrServiceHost: []tailcfg.RawMessage{tailcfg.RawMessage(svcIPMapJSON)},
-	}
-	nm.SelfNode = self.View()
-
 	matches, err := filter.MatchesFromFilterRules([]tailcfg.FilterRule{
 		{
 			SrcIPs: []string{"100.150.151.152"},
 			CapGrant: []tailcfg.CapGrant{{
 				Dsts: []netip.Prefix{
-					netip.MustParsePrefix("100.101.101.101/32"),
+					netip.MustParsePrefix("100.150.151.151/32"),
 				},
 				CapMap: tailcfg.PeerCapMap{
 					"example.com/cap/interesting": []tailcfg.RawMessage{
@@ -1044,7 +1031,7 @@ func TestServeHTTPProxyGrantHeaderForVIPService(t *testing.T) {
 			SrcIPs: []string{"100.150.151.153"},
 			CapGrant: []tailcfg.CapGrant{{
 				Dsts: []netip.Prefix{
-					netip.MustParsePrefix("100.101.101.101/32"),
+					netip.MustParsePrefix("100.150.151.151/32"),
 				},
 				CapMap: tailcfg.PeerCapMap{
 					"example.com/cap/boring": []tailcfg.RawMessage{