Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

headscale 0.23.0-alpha5 ignores /32 masks in ACLs #1817

Closed
2 tasks
winterheart opened this issue Mar 7, 2024 · 3 comments · Fixed by #1917
Closed
2 tasks

headscale 0.23.0-alpha5 ignores /32 masks in ACLs #1817

winterheart opened this issue Mar 7, 2024 · 3 comments · Fixed by #1917
Labels
bug Something isn't working
Milestone
v0.23.0

Comments

@winterheart
Copy link
Contributor

Bug description

We have tailnet network with node1 as subnet router to 172.16.0.0/24 network.

After updating to 0.23.0-alpha5 some of our users lost access to resources provided by ACL. Here short example of acl.yaml:

groups:
  group:access:
    - user1
hosts:
  net.vlan0: 172.16.0.0/24
  net.dns01: 172.16.0.21/32
# ...
acls:
  - action: accept
    src:
      - group:access
    dst:
      - tag:access-servers:* # node1 in it
      - net.dns01:*

Users in group access (user1) now cannot access to 172.16.0.21. If I change net.dns01 with net.vlan0 in ACL, user1 can ping
172.16.0.21 (and other addresses in 172.16.0/24 too which is undesirable). Previous version 0.22.3 was allowed access to hosts with /32 mask.

Environment

  • OS: Linux
  • Headscale version: 0.23.0-alpha5
  • Tailscale version: 1.56, 1.60
  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

To Reproduce

Have subnet router and ACLs to networks behind it.

Logs and attachments

netmap with acl /32 in config:

...
                {
                        "SrcIPs": [
                                "100.64.0.3/32",
                                "fd7a:115c:a1e0::b/128"
                        ]
                        "DstPorts": [
                                {
                                        "IP": "100.64.0.2/32",
                                        "Bits": null,
                                        "Ports": {
                                                "First": 0,
                                                "Last": 65535
                                        }
                                },
                                {
                                        "IP": "fd7a:115c:a1e0::2/128",
                                        "Bits": null,
                                        "Ports": {
                                                "First": 0,
                                                "Last": 65535
                                        }
                                },
                        ]
                 }

netmap with acl /24 in config:

...
                {
                        "SrcIPs": [
                                "100.64.0.3/32",
                                "fd7a:115c:a1e0::b/128"
                        ]
                        "DstPorts": [
                                {
                                        "IP": "100.64.0.2/32",
                                        "Bits": null,
                                        "Ports": {
                                                "First": 0,
                                                "Last": 65535
                                        }
                                },
                                {
                                        "IP": "fd7a:115c:a1e0::2/128",
                                        "Bits": null,
                                        "Ports": {
                                                "First": 0,
                                                "Last": 65535
                                        }
                                },
                                {
                                        "IP": "172.16.0.0/24",
                                        "Bits": null,
                                        "Ports": {
                                                "First": 0,
                                                "Last": 65535
                                        }
                                }
                        ]
                 }
@winterheart winterheart added the bug Something isn't working label Mar 7, 2024
@kradalby kradalby added this to the v0.23.0 milestone Mar 7, 2024
@winterheart
Copy link
Contributor Author

Seems this regression somehow related to #1786 as exit-node functionality is broken too in our environment.

mangareader pushed a commit to mangareader/headscale-1 that referenced this issue Apr 26, 2024
fix issue juanfont#1817
e06f22b
@mangareader mangareader mentioned this issue Apr 26, 2024
Closed
@kradalby kradalby mentioned this issue Apr 29, 2024
Merged
@kradalby
Copy link
Collaborator

This should be addressed in #1917, it also addresses #1786.

If you have the opportunity to test it before it gets merged that would be great!

@kradalby kradalby mentioned this issue Apr 29, 2024
Closed
2 tasks
@kradalby
Copy link
Collaborator

This should be addressed in https://github.com/juanfont/headscale/releases/tag/v0.23.0-alpha10, check it out.

@winterheart winterheart mentioned this issue May 21, 2024
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
v0.23.0
Development

Successfully merging a pull request may close this issue.

add autogroup:internet, fix reduce filter rules kradalby/headscale
2 participants
@winterheart @kradalby