[Bug] Error parsing ACLs since 0.27 #1121

Closed
opened 2025-12-29 02:28:22 +01:00 by adam · 2 comments

Originally created by @te-deum on GitHub (Oct 28, 2025).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Watchtower updated my docker image this night. Headscale doesn't restart. Here is the error:
2025-10-28T09:19:41+01:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/serve.go:32 > Error initializing error="creating new headscale: init state: init policy manager: parsing policy: parsing policy from bytes: json: cannot unmarshal JSON string into Go v2.AliasWithPorts within \"/acls/1/dst/0\": hostport must contain a colon (\":\")"

Expected Behavior

Headscale starts and applies my ACLs without errors.

Steps To Reproduce

My ACLs:

{
  "groups": {
    "group:servers": ["ServersApp@"]
  },
  "tagOwners": {
    "tag:connectors": ["group:servers"]
  },
  "hosts": {},
  "acls": [
    {
      "#ha-meta": {
        "name": "Servers: access to all connectors",
        "open": false
      },
      "action": "accept",
      "proto": "tcp",
      "src": ["group:servers"],
      "dst": ["tag:connectors:80,443,667,1812"]
    },
    {
      "action": "accept",
      "src": ["group:servers"],
      "proto": "icmp",
      "dst": ["*"]
    },
    {
      "action": "accept",
      "src": ["tag:connectors"],
      "proto": "icmp",
      "dst": ["group:servers:*"]
    }
  ],
  "ssh": []
}

Environment

- OS: Debian 12
- Headscale version: 0.27
- Tailscale version: 1.90.3

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Debug information

Logs:

2025-10-28T09:17:40+01:00 WRN Prefix 10.196.0.0/14 is not in the 100.64.0.0/10 range. This is an unsupported configuration.
2025-10-28T09:17:40+01:00 INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite
2025-10-28T09:17:40+01:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/serve.go:32 > Error initializing error="creating new headscale: init state: init policy manager: parsing policy: parsing policy from bytes: json: cannot unmarshal JSON string into Go v2.AliasWithPorts within \"/acls/1/dst/0\": hostport must contain a colon (\":\")"
2025-10-28T09:18:40+01:00 WRN Prefix 10.196.0.0/14 is not in the 100.64.0.0/10 range. This is an unsupported configuration.
2025-10-28T09:18:40+01:00 INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite
2025-10-28T09:18:40+01:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/serve.go:32 > Error initializing error="creating new headscale: init state: init policy manager: parsing policy: parsing policy from bytes: json: cannot unmarshal JSON string into Go v2.AliasWithPorts within \"/acls/1/dst/0\": hostport must contain a colon (\":\")"
2025-10-28T09:19:41+01:00 WRN Prefix 10.196.0.0/14 is not in the 100.64.0.0/10 range. This is an unsupported configuration.
2025-10-28T09:19:41+01:00 INF Opening database database=sqlite3 path=/var/lib/headscale/db.sqlite
2025-10-28T09:19:41+01:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/serve.go:32 > Error initializing error="creating new headscale: init state: init policy manager: parsing policy: parsing policy from bytes: json: cannot unmarshal JSON string into Go v2.AliasWithPorts within \"/acls/1/dst/0\": hostport must contain a colon (\":\")"

adam added the bug label 2025-12-29 02:28:22 +01:00
adam closed this issue 2025-12-29 02:28:22 +01:00

@nblock commented on GitHub (Oct 28, 2025):

Your policy is invalid:

{
  "action": "accept",
  "src": ["group:servers"],
  "proto": "icmp",
  "dst": ["*"]
},

It should work with: "dst": ["*:*"]

The Changelog for 0.27.0 (https://github.com/juanfont/headscale/blob/main/CHANGELOG.md#0270-2025-10-27) mentions this:

Policy: Zero or empty destination port is no longer allowed

as a breaking change.

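An added example (not part of the issue thread and not Headscale's own parser): a pre-upgrade lint in Go that flags `acls[].dst` entries without a usable port part, reporting each as a JSON pointer in the same form as the `/acls/1/dst/0` in the error above. It assumes a plain-JSON policy file and a simplified port grammar; `LintPolicy` and `validPorts` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// validPorts accepts "*" or comma-separated ports/ranges within 1..65535.
func validPorts(s string) bool {
	if s == "*" {
		return true
	}
	for _, part := range strings.Split(s, ",") {
		lo, hi, isRange := strings.Cut(part, "-")
		if !isRange {
			hi = lo
		}
		a, errA := strconv.Atoi(lo)
		b, errB := strconv.Atoi(hi)
		if errA != nil || errB != nil || a < 1 || b > 65535 || a > b {
			return false // empty, zero, non-numeric or reversed range
		}
	}
	return true
}

// LintPolicy returns the JSON pointer of each acls[].dst entry whose text
// after the last colon is not a usable port spec (IPv6 literals not handled).
func LintPolicy(policy []byte) ([]string, error) {
	var p struct{ ACLs []struct{ Dst []string } } // keys match case-insensitively
	if err := json.Unmarshal(policy, &p); err != nil {
		return nil, err
	}
	var bad []string
	for i, acl := range p.ACLs {
		for j, dst := range acl.Dst {
			if k := strings.LastIndex(dst, ":"); k < 0 || !validPorts(dst[k+1:]) {
				bad = append(bad, fmt.Sprintf("/acls/%d/dst/%d", i, j))
			}
		}
	}
	return bad, nil
}

func main() { // constructed sample; entry 1 repeats the portless "*" from the report
	fmt.Println(LintPolicy([]byte(`{"acls":[{"dst":["tag:connectors:80,443"]},{"dst":["*"]}]}`)))
}
```

Running a check like this against the policy file before an unattended image update surfaces the offending entry while the previous version is still serving.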

@te-deum commented on GitHub (Oct 28, 2025):

Hi,

Thanks a lot for your quick feedback and clarification! I changed my ACLs and everything is working like a charm.
I’m really sorry — this was entirely my mistake. I hadn’t read the 0.27 release notes carefully enough and missed the breaking change regarding the ACL destination ports.

Apologies for the confusion and for opening a ticket unnecessarily.
Thanks again for your help and for maintaining this great project!

Best regards,
