
headscale 0.23.0-alpha5 ignores /32 masks in ACLs #1817

Closed
winterheart opened this issue Mar 7, 2024 · 3 comments · Fixed by #1917
Labels
bug Something isn't working
Comments

@winterheart (Contributor)

Bug description

We have a tailnet with node1 as a subnet router to the 172.16.0.0/24 network.

After updating to 0.23.0-alpha5 some of our users lost access to resources provided by ACL. Here is a short example of acl.yaml:

groups:
  group:access:
    - user1
hosts:
  net.vlan0: 172.16.0.0/24
  net.dns01: 172.16.0.21/32
# ...
acls:
  - action: accept
    src:
      - group:access
    dst:
      - tag:access-servers:* # node1 in it
      - net.dns01:*

Users in group access (user1) now cannot access 172.16.0.21. If I replace net.dns01 with net.vlan0 in the ACL, user1 can ping
172.16.0.21 (and other addresses in 172.16.0.0/24 too, which is undesirable). The previous version, 0.22.3, allowed access to hosts with a /32 mask.

Environment

  • OS: Linux
  • Headscale version: 0.23.0-alpha5
  • Tailscale version: 1.56, 1.60
  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

To Reproduce

Have a subnet router and ACLs to networks behind it.

Logs and attachments

netmap with acl /32 in config:

...
                {
                        "SrcIPs": [
                                "100.64.0.3/32",
                                "fd7a:115c:a1e0::b/128"
                        ],
                        "DstPorts": [
                                {
                                        "IP": "100.64.0.2/32",
                                        "Bits": null,
                                        "Ports": {
                                                "First": 0,
                                                "Last": 65535
                                        }
                                },
                                {
                                        "IP": "fd7a:115c:a1e0::2/128",
                                        "Bits": null,
                                        "Ports": {
                                                "First": 0,
                                                "Last": 65535
                                        }
                                }
                        ]
                 }

netmap with acl /24 in config:

...
                {
                        "SrcIPs": [
                                "100.64.0.3/32",
                                "fd7a:115c:a1e0::b/128"
                        ],
                        "DstPorts": [
                                {
                                        "IP": "100.64.0.2/32",
                                        "Bits": null,
                                        "Ports": {
                                                "First": 0,
                                                "Last": 65535
                                        }
                                },
                                {
                                        "IP": "fd7a:115c:a1e0::2/128",
                                        "Bits": null,
                                        "Ports": {
                                                "First": 0,
                                                "Last": 65535
                                        }
                                },
                                {
                                        "IP": "172.16.0.0/24",
                                        "Bits": null,
                                        "Ports": {
                                                "First": 0,
                                                "Last": 65535
                                        }
                                }
                        ]
                 }
@winterheart winterheart added the bug Something isn't working label Mar 7, 2024
@kradalby kradalby added this to the v0.23.0 milestone Mar 7, 2024
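The two netmaps above differ only in whether a DstPorts entry covers 172.16.0.21: the /32 host produces none, the /24 host produces the whole subnet. The following Go program is an added example, not headscale's code and not part of this issue; it parses filter rules in the shape shown in the report and checks, for each ACL destination host that lies inside a subnet router's advertised routes, whether the compiled filter actually lets the source reach it. The two JSON constants are constructed from the report's netmaps (IPv6 entries kept, "Bits" dropped), the function names are the example's own, and probing port 53 is an arbitrary choice since the ACL in the report grants "*".

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"sort"
)

// Minimal shape of a netmap PacketFilter rule; field names follow the JSON in
// the report ("Bits" is ignored).
type DstPort struct {
	IP    string                       `json:"IP"`
	Ports struct{ First, Last uint16 } `json:"Ports"`
}
type FilterRule struct {
	SrcIPs   []string  `json:"SrcIPs"`
	DstPorts []DstPort `json:"DstPorts"`
}

// Constructed snippets modelled on the report's two netmaps: with the /32 host
// in the ACL no DstPorts entry covers 172.16.0.21; with the /24 host it does.
const sampleFilter32 = `[{"SrcIPs": ["100.64.0.3/32", "fd7a:115c:a1e0::b/128"],
  "DstPorts": [{"IP": "100.64.0.2/32", "Ports": {"First": 0, "Last": 65535}},
               {"IP": "fd7a:115c:a1e0::2/128", "Ports": {"First": 0, "Last": 65535}}]}]`
const sampleFilter24 = `[{"SrcIPs": ["100.64.0.3/32", "fd7a:115c:a1e0::b/128"],
  "DstPorts": [{"IP": "100.64.0.2/32", "Ports": {"First": 0, "Last": 65535}},
               {"IP": "fd7a:115c:a1e0::2/128", "Ports": {"First": 0, "Last": 65535}},
               {"IP": "172.16.0.0/24", "Ports": {"First": 0, "Last": 65535}}]}]`

// ParseRules decodes a JSON array of filter rules.
func ParseRules(text string) ([]FilterRule, error) {
	var rules []FilterRule
	err := json.Unmarshal([]byte(text), &rules)
	return rules, err
}

// covers reports whether a filter entry ("*" or a prefix) matches addr;
// Prefix.Contains is false across address families, which is what we want.
func covers(entry string, addr netip.Addr) bool {
	if entry == "*" {
		return true
	}
	p, err := netip.ParsePrefix(entry)
	return err == nil && p.Contains(addr)
}

// Allowed reports whether the filter lets src reach dst on port.
func Allowed(rules []FilterRule, src, dst netip.Addr, port uint16) bool {
	for _, r := range rules {
		srcOK := false
		for _, s := range r.SrcIPs {
			if covers(s, src) {
				srcOK = true
				break
			}
		}
		if !srcOK {
			continue
		}
		for _, d := range r.DstPorts {
			if covers(d.IP, dst) && port >= d.Ports.First && port <= d.Ports.Last {
				return true
			}
		}
	}
	return false
}

// behindRouter reports whether hp is contained in one of the advertised routes.
func behindRouter(hp netip.Prefix, routes []netip.Prefix) bool {
	for _, rp := range routes {
		if rp.Bits() <= hp.Bits() && rp.Contains(hp.Addr()) {
			return true
		}
	}
	return false
}

// MissingHostDsts returns the names of ACL destination hosts that lie inside
// one of the subnet router's advertised routes but that src cannot reach under
// the compiled filter. Hosts outside every advertised route are skipped.
func MissingHostDsts(rules []FilterRule, src netip.Addr, dstHosts map[string]netip.Prefix, routes []netip.Prefix) []string {
	var missing []string
	for name, hp := range dstHosts {
		// Probe the first address of the host prefix; the ACL grants "*", so any port works.
		if behindRouter(hp, routes) && !Allowed(rules, src, hp.Addr(), 53) {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing) // map iteration order is random
	return missing
}

func main() {
	src := netip.MustParseAddr("100.64.0.3")
	hosts := map[string]netip.Prefix{"net.dns01": netip.MustParsePrefix("172.16.0.21/32")}
	routes := []netip.Prefix{netip.MustParsePrefix("172.16.0.0/24")}
	for _, text := range []string{sampleFilter32, sampleFilter24} {
		rules, _ := ParseRules(text)
		fmt.Println("unreachable dst hosts:", MissingHostDsts(rules, src, hosts, routes))
	}
}
```

Run against the /32 netmap the check reports net.dns01 as unreachable; against the /24 netmap it reports nothing, which is exactly the difference the reporter saw (and why widening the host to the /24 "fixes" access at the cost of exposing the whole subnet). The same check can be pointed at the PacketFilter of a real `tailscale debug netmap` dump after an upgrade to catch regressions of this kind before users do.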
@winterheart (Contributor, Author)

Seems this regression is somehow related to #1786, as exit-node functionality is broken too in our environment.

mangareader pushed a commit to mangareader/headscale-1 that referenced this issue Apr 26, 2024
@kradalby (Collaborator)

This should be addressed in #1917, it also addresses #1786.

If you have the opportunity to test it before it gets merged that would be great!

@kradalby (Collaborator)

This should be addressed in https://github.com/juanfont/headscale/releases/tag/v0.23.0-alpha10, check it out.
