starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-04-23 00:58:43 +02:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

policy/v2: keep partial IPSet on SSH destination resolution errors

Browse Source 
In compileSSHPolicy, when resolving other (non-autogroup:self)
destinations, the code discards the entire result on error via
`continue`. If a destination alias (e.g., a tag owned by a group
with a non-existent user) returns a partial IPSet alongside an
error, valid IPs are lost.

Both ACL compilation paths (compileFilterRules and
compileACLWithAutogroupSelf) already handle this correctly by
logging the error and using the IPSet if non-nil.

Remove the `continue` so the SSH path is consistent with the
ACL paths.

Fixes #2990
This commit is contained in:
Kristoffer Dalby
2026-02-02 14:32:52 +00:00
parent 1f32c8bf61
commit 362696a5ef
1 changed files with 0 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
hscontrol/policy/v2/filter.go
View File

@@ -409,7 +409,6 @@ func (pol *Policy) compileSSHPolicy(
ips, err := dst.Resolve(pol, users, nodes) ips, err := dst.Resolve(pol, users, nodes)
if err != nil { if err != nil {
log.Trace().Caller().Err(err).Msgf("resolving destination ips") log.Trace().Caller().Err(err).Msgf("resolving destination ips")
continue
} }
if ips != nil { if ips != nil {
dest.AddSet(ips) dest.AddSet(ips)