[PR #2734] [MERGED] Allow all traffic if acls field is omitted from the policy #2826

Closed
opened 2025-12-29 04:19:12 +01:00 by adam · 0 comments

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/2734
Author: @afonsofrancof
Created: 8/16/2025
Status: Merged
Merged: 8/18/2025
Merged by: @nblock

Base: main ← Head: empty-acl


📝 Commits (2)

  • 70f8733 fix: allow all traffic if acls field is omitted from the policy
  • 0e677b9 docs(acls): Add example for allow/deny all acl policy

📊 Changes

3 files changed (+34 additions, -17 deletions)

📝 docs/ref/acls.md (+31 -14)
📝 hscontrol/policy/v2/filter.go (+1 -1)
📝 hscontrol/policy/v2/policy_test.go (+2 -2)

📄 Description

This PR fixes #2672.

It makes headscale follow the following tailscale rules.

(two images in the original PR)

In the code this translates to a nil ACLs field in the Policy struct if it doesn't exist in the policy dict (first scenario), and a non-nil 0-length array in the same field when it exists but is empty (second scenario).

This is nice to have because if you're setting up a file or database policy, you can start with an empty {} as the contents, which means everything is allowed. Then you can add your specific rules later on.

It also prevents people from accidentally locking themselves out of the tailnet when they start experimenting with acls (happened to me 😅).

  • [x] have read the CONTRIBUTING.md file
  • [x] raised a GitHub issue or discussed it on the project's chat beforehand
  • [x] added unit tests

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
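
The nil versus empty distinction from the description, as an added Go example that is not part of the PR or of headscale's code: the `ACL` and `Policy` types and the `Mode` function are simplified stand-ins assumed here, and the policy documents are constructed samples.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ACL and Policy are simplified stand-ins (assumed for this example),
// not headscale's own types.
type ACL struct {
	Action string   `json:"action"`
	Src    []string `json:"src"`
	Dst    []string `json:"dst"`
}

type Policy struct {
	ACLs []ACL `json:"acls"`
}

// Mode reports how a policy document would be treated under the rule in
// the description: no acls field allows everything, an empty list denies.
func Mode(doc string) (string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return "", fmt.Errorf("parse policy: %w", err)
	}
	switch {
	case p.ACLs == nil: // field omitted; JSON null also decodes to nil
		return "allow-all", nil
	case len(p.ACLs) == 0: // field present but empty: non-nil, length 0
		return "deny-all", nil
	default:
		return "rules", nil
	}
}

func main() {
	// Constructed sample policies.
	docs := []string{
		`{}`,
		`{"acls": []}`,
		`{"acls": null}`,
		`{"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}`,
	}
	for _, d := range docs {
		m, err := Mode(d)
		fmt.Printf("%-62s -> %s (err=%v)\n", d, m, err)
	}
}
```

A check on `len(p.ACLs) == 0` alone cannot tell the first two documents apart, since a nil slice also has length zero. Re-serializing such a struct with `omitempty` on the field would drop an empty list and turn a deny-all policy into an allow-all one.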

adam added the pull-request label 2025-12-29 04:19:12 +01:00
adam closed this issue 2025-12-29 04:19:12 +01:00
Reference: starred/headscale#2826