[PR #2852] [CLOSED] Fix exit node visibility - enforce autogroup:internet ACL requirement #2896

New Issue

adam · 2025-12-29T04:19:33+01:00

adam commented

2025-12-29 04:19:33 +01:00

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/2852
Author: @Copilot
Created: 11/1/2025
Status: ❌ Closed

Base: main ← Head: copilot/investigate-visibility-issue-2788

📝 Commits (3)

309437f Initial plan
31bf3a6 Fix exit node visibility issue - filter based on autogroup:internet permission
4aa9292 Address code review feedback - clarify comments and logic

📊 Changes

6 files changed (+427 additions, -7 deletions)

View changed files

📝 go.sum (+0 -6)
📝 hscontrol/mapper/builder.go (+67 -0)
➕ hscontrol/mapper/exit_node_visibility_test.go (+336 -0)
📝 hscontrol/mapper/tail.go (+7 -1)
📝 hscontrol/mapper/tail_test.go (+10 -0)
📝 hscontrol/policy/matcher/matcher.go (+7 -0)

📄 Description

Exit nodes were visible to all nodes regardless of ACL permissions. A node with ACL mobile -> server:80 could see exit nodes in tailscale exit-node list, even without autogroup:internet permission.

Root cause: tailNode() unconditionally appended ExitRoutes() to peer AllowedIPs, making exit routes visible independent of ACL evaluation.

Changes

Modified exit route inclusion to respect ACL permissions:

Added exitRouteFilterFunc parameter to tailNode() and tailNodes() (parallel to existing primaryRouteFunc)
Self node: Always includes own advertised exit routes
Peer nodes: Only include exit routes if requesting node has internet access permission

Internet access detection:

Added canUseExitRoutes() helper that checks if ACL grants access to public IPs (1.1.1.1, 8.8.8.8, 208.67.222.222)
This distinguishes autogroup:internet (resolves to public internet) from specific service ACLs (e.g., 100.64.0.2:80)
Cannot use CanAccessRoute() directly - it checks prefix overlap, making any destination "overlap" with 0.0.0.0/0

Supporting changes:

Added DestsContainsPrefixes() method to matcher.Match for strict prefix containment checking (unused in final implementation but available for future use)

Example

Before (incorrect):

// mobile has ACL: mobile -> server:80 (NO autogroup:internet)
// mobile's peer list includes exit node with AllowedIPs: [0.0.0.0/0, 100.64.0.3/32]

After (correct):

// mobile's peer list includes exit node with AllowedIPs: [100.64.0.3/32]
// Exit routes only included if ACL contains autogroup:internet

Fixes #2788

Original prompt

This is a complicated visibility issue, investigate https://github.com/juanfont/headscale/issues/2788, it is vital that you look at all the user added content

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/juanfont/headscale/pull/2852 **Author:** [@Copilot](https://github.com/apps/copilot-swe-agent) **Created:** 11/1/2025 **Status:** ❌ Closed **Base:** `main` ← **Head:** `copilot/investigate-visibility-issue-2788` --- ### 📝 Commits (3) - [`309437f`](https://github.com/juanfont/headscale/commit/309437fa14646c4f32f7f77d81360eedbf21cf83) Initial plan - [`31bf3a6`](https://github.com/juanfont/headscale/commit/31bf3a6637d0425d4be7e5b63c6044c46f151a97) Fix exit node visibility issue - filter based on autogroup:internet permission - [`4aa9292`](https://github.com/juanfont/headscale/commit/4aa9292b917d0a20627818e9fbff4de8413e0aff) Address code review feedback - clarify comments and logic ### 📊 Changes **6 files changed** (+427 additions, -7 deletions) <details> <summary>View changed files</summary> 📝 `go.sum` (+0 -6) 📝 `hscontrol/mapper/builder.go` (+67 -0) ➕ `hscontrol/mapper/exit_node_visibility_test.go` (+336 -0) 📝 `hscontrol/mapper/tail.go` (+7 -1) 📝 `hscontrol/mapper/tail_test.go` (+10 -0) 📝 `hscontrol/policy/matcher/matcher.go` (+7 -0) </details> ### 📄 Description Exit nodes were visible to all nodes regardless of ACL permissions. A node with ACL `mobile -> server:80` could see exit nodes in `tailscale exit-node list`, even without `autogroup:internet` permission. **Root cause:** `tailNode()` unconditionally appended `ExitRoutes()` to peer `AllowedIPs`, making exit routes visible independent of ACL evaluation. ## Changes **Modified exit route inclusion to respect ACL permissions:** - Added `exitRouteFilterFunc` parameter to `tailNode()` and `tailNodes()` (parallel to existing `primaryRouteFunc`) - Self node: Always includes own advertised exit routes - Peer nodes: Only include exit routes if requesting node has internet access permission **Internet access detection:** - Added `canUseExitRoutes()` helper that checks if ACL grants access to public IPs (1.1.1.1, 8.8.8.8, 208.67.222.222) - This distinguishes `autogroup:internet` (resolves to public internet) from specific service ACLs (e.g., `100.64.0.2:80`) - Cannot use `CanAccessRoute()` directly - it checks prefix overlap, making any destination "overlap" with `0.0.0.0/0` **Supporting changes:** - Added `DestsContainsPrefixes()` method to `matcher.Match` for strict prefix containment checking (unused in final implementation but available for future use) ## Example Before (incorrect): ```go // mobile has ACL: mobile -> server:80 (NO autogroup:internet) // mobile's peer list includes exit node with AllowedIPs: [0.0.0.0/0, 100.64.0.3/32] ``` After (correct): ```go // mobile's peer list includes exit node with AllowedIPs: [100.64.0.3/32] // Exit routes only included if ACL contains autogroup:internet ``` Fixes #2788  <details> <summary>Original prompt</summary> > This is a complicated visibility issue, investigate https://github.com/juanfont/headscale/issues/2788, it is vital that you look at all the user added content </details>  --- 💬 We'd love your input! Share your thoughts on Copilot coding agent in our [2 minute survey](https://gh.io/copilot-coding-agent-survey). --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

adam added the pull-request label 2025-12-29 04:19:33 +01:00

adam closed this issue

2025-12-29 04:19:33 +01:00

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#2896