[PR #2850] [CLOSED] Filter exit node visibility through ACL policy #2893

New Issue

adam · 2025-12-29T04:19:32+01:00

adam commented

2025-12-29 04:19:32 +01:00

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/2850
Author: @Copilot
Created: 11/1/2025
Status: ❌ Closed

Base: main ← Head: copilot/investigate-headscale-issue-2788

📝 Commits (4)

a55cdc2 Initial plan
e010702 Filter exit routes through ACL policy to fix issue #2788
4fa1f4b Add integration test for exit node ACL visibility (issue #2788)
1f4b645 Refactor: Extract route filtering logic into helper function

📊 Changes

4 files changed (+182 additions, -9 deletions)

View changed files

📝 hscontrol/mapper/builder.go (+30 -6)
📝 hscontrol/mapper/tail.go (+1 -1)
📝 hscontrol/mapper/tail_test.go (+0 -2)
📝 integration/route_test.go (+151 -0)

📄 Description

Exit nodes were visible to all peers regardless of ACL policy. This regression allowed nodes without autogroup:internet:* in their ACL destinations to see exit nodes in their peer list, differing from Tailscale SaaS behavior.

Root cause:
Exit routes (0.0.0.0/0, ::/0) were unconditionally appended to AllowedIPs in tailNode(), bypassing the policy.ReduceRoutes() filtering applied to primary subnet routes.

Changes:

hscontrol/mapper/builder.go: Extracted buildRouteFilterFunc() helper that filters both primary and exit routes through policy.ReduceRoutes(). Applied to WithSelfNode() and buildTailPeers().
hscontrol/mapper/tail.go: Removed unconditional node.ExitRoutes() append since filtered routes now include exit routes when permitted.
hscontrol/mapper/tail_test.go: Updated test expectations to exclude exit routes when no policy grants access.
integration/route_test.go: Added TestExitNodeVisibilityWithACL verifying exit nodes are invisible without autogroup:internet ACL rule.

Example ACL requiring explicit exit node access:

{
  "acls": [
    {"action": "accept", "src": ["mobile"], "dst": ["server:80"]},
    {"action": "accept", "src": ["mobile"], "dst": ["autogroup:internet:*"]}
  ]
}

Without the second rule, mobile cannot see exit nodes despite them being advertised and approved.

Breaking change: Networks expecting all nodes to see exit nodes must add autogroup:internet:* to appropriate ACL destination rules.

Fixes #2788

Original prompt

Investigate https://github.com/juanfont/headscale/issues/2788

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/juanfont/headscale/pull/2850 **Author:** [@Copilot](https://github.com/apps/copilot-swe-agent) **Created:** 11/1/2025 **Status:** ❌ Closed **Base:** `main` ← **Head:** `copilot/investigate-headscale-issue-2788` --- ### 📝 Commits (4) - [`a55cdc2`](https://github.com/juanfont/headscale/commit/a55cdc2636436afb3b2371bf1f3ac04c921d349a) Initial plan - [`e010702`](https://github.com/juanfont/headscale/commit/e0107024e894a4fef74076fa73729fe013018b9f) Filter exit routes through ACL policy to fix issue #2788 - [`4fa1f4b`](https://github.com/juanfont/headscale/commit/4fa1f4baa3d80e77febec614ab9c2501ae328441) Add integration test for exit node ACL visibility (issue #2788) - [`1f4b645`](https://github.com/juanfont/headscale/commit/1f4b645d5bb2413fbfeb139478e96b9c45b2da29) Refactor: Extract route filtering logic into helper function ### 📊 Changes **4 files changed** (+182 additions, -9 deletions) <details> <summary>View changed files</summary> 📝 `hscontrol/mapper/builder.go` (+30 -6) 📝 `hscontrol/mapper/tail.go` (+1 -1) 📝 `hscontrol/mapper/tail_test.go` (+0 -2) 📝 `integration/route_test.go` (+151 -0) </details> ### 📄 Description Exit nodes were visible to all peers regardless of ACL policy. This regression allowed nodes without `autogroup:internet:*` in their ACL destinations to see exit nodes in their peer list, differing from Tailscale SaaS behavior. **Root cause:** Exit routes (0.0.0.0/0, ::/0) were unconditionally appended to `AllowedIPs` in `tailNode()`, bypassing the `policy.ReduceRoutes()` filtering applied to primary subnet routes. **Changes:** - **hscontrol/mapper/builder.go**: Extracted `buildRouteFilterFunc()` helper that filters both primary and exit routes through `policy.ReduceRoutes()`. Applied to `WithSelfNode()` and `buildTailPeers()`. - **hscontrol/mapper/tail.go**: Removed unconditional `node.ExitRoutes()` append since filtered routes now include exit routes when permitted. - **hscontrol/mapper/tail_test.go**: Updated test expectations to exclude exit routes when no policy grants access. - **integration/route_test.go**: Added `TestExitNodeVisibilityWithACL` verifying exit nodes are invisible without `autogroup:internet` ACL rule. **Example ACL requiring explicit exit node access:** ```json { "acls": [ {"action": "accept", "src": ["mobile"], "dst": ["server:80"]}, {"action": "accept", "src": ["mobile"], "dst": ["autogroup:internet:*"]} ] } ``` Without the second rule, `mobile` cannot see exit nodes despite them being advertised and approved. **Breaking change:** Networks expecting all nodes to see exit nodes must add `autogroup:internet:*` to appropriate ACL destination rules. Fixes #2788  <details> <summary>Original prompt</summary> > Investigate https://github.com/juanfont/headscale/issues/2788 </details>  --- 💬 We'd love your input! Share your thoughts on Copilot coding agent in our [2 minute survey](https://gh.io/copilot-coding-agent-survey). --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

adam added the pull-request label 2025-12-29 04:19:32 +01:00

adam closed this issue

2025-12-29 04:19:32 +01:00

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#2893