dst:"*:*" not working in ACLs #299

New Issue

adam · 2025-12-29T01:26:21+01:00

adam commented

2025-12-29 01:26:21 +01:00

Originally created by @fernandoenzo on GitHub (Jul 30, 2022).

Bug description

The error that I am going to describe is very simple, and I have almost said everything in the subject of the message.
I have two namespaces: ns_A and ns_B
In each namespace I have only one device registered: pc_A and pc_B
I want pc_A to be able to connect to pc_B and any other possible new namespace added in the future, but not the other way around, so I create this simple acl.hujson file:

"acls": [                                                                                                                                                                                                                                   
    {                                                                                                                                                                                                                                         
      "action": "accept",                                                                                                                                                                                                                     
      "src": ["ns_A"],                                                                                                                                                                                                                    
      "dst": ["*:*"]                                                                                                                                                                                                                          
    },                                                                                                                                                                                                                                        
  ]

Result: It is impossible for pc_A to even ping pc_B.
Additional info: When running tailscale status, pc_A can see pc_B and pc_B can't see pc_A, so that's fine. I don't know where the problem could be. And also, if you change "dst":["*:*"] to "dst":["ns_B:*"] everything works perfectly. So this looks a lot like a bug with the "dst":["*:*"] option.

I'm using the latest official Docker Headscale v0.16.

Originally created by @fernandoenzo on GitHub (Jul 30, 2022).  **Bug description** The error that I am going to describe is very simple, and I have almost said everything in the subject of the message. I have two namespaces: `ns_A` and `ns_B` In each namespace I have only one device registered: `pc_A` and `pc_B` I want `pc_A` to be able to connect to `pc_B` and any other possible new `namespace` added in the future, but not the other way around, so I create this simple `acl.hujson` file: ``` "acls": [ { "action": "accept", "src": ["ns_A"], "dst": ["*:*"] }, ] ``` **Result:** It is impossible for `pc_A` to even ping `pc_B`. **Additional info:** When running `tailscale status`, `pc_A` can see `pc_B` and `pc_B` can't see `pc_A`, so that's fine. I don't know where the problem could be. And also, if you change `"dst":["*:*"]` to `"dst":["ns_B:*"]` everything works perfectly. So this looks a lot like a bug with the `"dst":["*:*"]` option. I'm using the latest official Docker Headscale v0.16.

adam added the bug label 2025-12-29 01:26:21 +01:00

adam closed this issue

2025-12-29 01:26:22 +01:00

adam commented

2025-12-29 01:26:23 +01:00

@peanutyost commented on GitHub (Jul 31, 2022):

I had the exact same problem.

@peanutyost commented on GitHub (Jul 31, 2022): I had the exact same problem.

adam commented

2025-12-29 01:26:24 +01:00

@kradalby commented on GitHub (Sep 8, 2022):

@restanrm Have you encountered this?

@kradalby commented on GitHub (Sep 8, 2022): @restanrm Have you encountered this?

adam commented

2025-12-29 01:26:24 +01:00

@skorokithakis commented on GitHub (Sep 12, 2022):

I have a similar problem as well. When adding nodes, the new node won't see any other nodes, and I have an ACL like this. I don't know if it affects, but it's an issue.

@skorokithakis commented on GitHub (Sep 12, 2022): I have a similar problem as well. When adding nodes, the new node won't see any other nodes, and I have an ACL like this. I don't know if it affects, but it's an issue.

adam commented

2025-12-29 01:26:24 +01:00

@skorokithakis commented on GitHub (Sep 12, 2022):

Changing the ACL to list the tags explicitly worked.

@skorokithakis commented on GitHub (Sep 12, 2022): Changing the ACL to list the tags explicitly worked.

adam commented

2025-12-29 01:26:24 +01:00

@restanrm commented on GitHub (Sep 16, 2022):

@restanrm Have you encountered this?

I did not get the time to investigate this. If someone has more time for it, please go ahead.

@restanrm commented on GitHub (Sep 16, 2022): > @restanrm Have you encountered this? I did not get the time to investigate this. If someone has more time for it, please go ahead.

adam commented

2025-12-29 01:26:25 +01:00

@razza-guhl commented on GitHub (Nov 7, 2022):

Same issue here. When change "dst":["*:*"] to "dst":["namespace:*"] it's working.

@razza-guhl commented on GitHub (Nov 7, 2022): Same issue here. When change `"dst":["*:*"]` to `"dst":["namespace:*"]` it's working.

adam commented

2025-12-29 01:26:25 +01:00

@kradalby commented on GitHub (Mar 28, 2023):

This should have been fixed in main now, would be create if someone can help test this.

@kradalby commented on GitHub (Mar 28, 2023): This should have been fixed in `main` now, would be create if someone can help test this.

adam referenced this issue

2025-12-29 02:29:50 +01:00

[PR #299] [MERGED] Tag 0.12.4 in CHANGELOG #1367

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#299