Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reducing filter rules breaks exit node access #1786

Closed
2 tasks
TotoTheDragon opened this issue Feb 19, 2024 · 9 comments · Fixed by #1917
Closed
2 tasks

Reducing filter rules breaks exit node access #1786

TotoTheDragon opened this issue Feb 19, 2024 · 9 comments · Fixed by #1917
Labels
bug Something isn't working
Milestone
v0.23.0

Comments

@TotoTheDragon
Copy link
Contributor

Bug description

When setting up an ACL to allow access to a exit node, the access rules can be reduced because the ips defined are not in use by the network or routes.

Environment

  • OS: N/A
  • Headscale version:
  • Tailscale version: N/A
  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

To Reproduce

Logs and attachments

Trying to create the following setup:

  • user1-user3 are part of the group "team"
  • user "internal" contains internal services/servers
  • "internal" should not be able to access anything
  • "team" should be able to access all of "internal"
  • "team" members should be able to access all own devices but not other users
  • "internal" contains multiple exit nodes

If I just use the following ACL, the "team" members are able to successfully access all "internal" devices. However when trying to use a exit node inside "internal" it is not possible to ping/access any devices outside the tailscale network.

{ "action": "accept", "src": ["group:team"], "dst": ["internal:*"] },

{
  "groups": {
    "group:team": ["user3", "user2", "user1"]
  },
  "acls": [
    { "action": "accept", "src": ["group:team"], "dst": ["internal:*"] },
    {
      "action": "accept",
      "src": ["group:team"],
      "dst": [ "0.0.0.0/5:*",
               "8.0.0.0/7:*",
               "11.0.0.0/8:*",
               "12.0.0.0/6:*",
               "16.0.0.0/4:*",
               "32.0.0.0/3:*",
               "64.0.0.0/2:*",
               "128.0.0.0/3:*",
               "160.0.0.0/5:*",
               "168.0.0.0/6:*",
               "172.0.0.0/12:*",
               "172.32.0.0/11:*",
               "172.64.0.0/10:*",
               "172.128.0.0/9:*",
               "173.0.0.0/8:*",
               "174.0.0.0/7:*",
               "176.0.0.0/4:*",
               "192.0.0.0/9:*",
               "192.128.0.0/11:*",
               "192.160.0.0/13:*",
               "192.169.0.0/16:*",
               "192.170.0.0/15:*",
               "192.172.0.0/14:*",
               "192.176.0.0/12:*",
               "192.192.0.0/10:*",
               "193.0.0.0/8:*",
               "194.0.0.0/7:*",
               "196.0.0.0/6:*",
               "200.0.0.0/5:*",
               "208.0.0.0/4:*"
              ]
    },
    { "action": "accept", "src": ["user3"], "dst": ["user3:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] },
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] }
  ]
}
@TotoTheDragon TotoTheDragon added the bug Something isn't working label Feb 19, 2024
@TotoTheDragon
Copy link
Contributor Author

Some options to improve this:

  • Add more tests for reducing filter rules, then amend the function so it passes

  • Support autogroup:internet

@TotoTheDragon
Copy link
Contributor Author

headscale/hscontrol/policy/acls.go

Line 262 in 7a920ee

if expanded.ContainsPrefix(routableIP) {

I believe expanded and routeableIP might have to be switched here

@ml-mf
Copy link

ml-mf commented Mar 1, 2024
edited
Loading

headscale/hscontrol/policy/acls.go

Line 262 in 7a920ee

if expanded.ContainsPrefix(routableIP) {

I believe expanded and routeableIP might have to be switched here

Can't we just check if a node is considered an exit node and allow exit nodes to accept all routable IPs? Or am I missing something here?

@TotoTheDragon
Copy link
Contributor Author

headscale/hscontrol/policy/acls.go

Line 262 in 7a920ee

if expanded.ContainsPrefix(routableIP) {

I believe expanded and routeableIP might have to be switched here

Can't we just check if a node is considered an exit node and allow exit nodes to accept all routable IPs? Or am I missing something here?

Yes, but that leaves the same issue for things that arent exit nodes but have some sort of overlap. So instead we want to use the overlaps function

@kradalby kradalby added this to the v0.23.0 milestone Mar 4, 2024
@kradalby
Copy link
Collaborator

kradalby commented Mar 4, 2024

Sorry, I've missed this, I think it makes sense to expand this to ensure it doesnt remove the routes, I think both autogroup:internet and more tests (which I am always for) sounds sensible to start with.

I've added this to the 0.23.0 milestone

@winterheart winterheart mentioned this issue Mar 7, 2024
Closed
2 tasks
@kfkawalec
Copy link

There is a way to fix this problem without:
{ "action": "accept", "src": [""], "dst": [":*"] },

@ml-mf
Copy link

ml-mf commented Apr 29, 2024

There is a way to fix this problem without: { "action": "accept", "src": [""], "dst": [":*"] },

Can you elaborate on this a little more? I don't get how you think you solved this?

kradalby added a commit to kradalby/headscale that referenced this issue Apr 29, 2024
@kradalby
add tests to reproduce juanfont#1786
e0134ea 
Signed-off-by: Kristoffer Dalby <[email protected]>
@kradalby kradalby mentioned this issue Apr 29, 2024
Merged
kradalby added a commit to kradalby/headscale that referenced this issue Apr 29, 2024
@kradalby
add autogroup:internet
1561838 
Updates juanfont#657
Updates juanfont#1786

Signed-off-by: Kristoffer Dalby <[email protected]>
@kradalby
Copy link
Collaborator

This should be addressed in #1917, it also addresses #1817.

If any have the opportunity to test it before it gets merged that would be great!

@kradalby
Copy link
Collaborator

This issue should now have been addressed in https://github.com/juanfont/headscale/releases/tag/v0.23.0-alpha10, please let me know

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
v0.23.0
Development

Successfully merging a pull request may close this issue.

add autogroup:internet, fix reduce filter rules kradalby/headscale
4 participants
@kradalby @kfkawalec @TotoTheDragon @ml-mf