ACL src/dst with host-alias not working #367

Closed
opened 2025-12-29 01:27:48 +01:00 by adam · 8 comments

Originally created by @razza-guhl on GitHub (Nov 7, 2022).

Bug description

Using a host alias as dst/destination in ACLs does not work. In this case no nodes can talk to each other. The command "tailscale status" only shows itself.
The same applies when using an alias in src/source as well.

When using the IP instead of the host alias, the ACL works.

To Reproduce

A sample ACL which is not working:

```
{
    "hosts": {
        "client1": "100.64.0.1",
        "client2": "100.64.0.2",
        "server":  "100.64.0.4",
    },

    "acls": [
        {
            "action": "accept",
            "src": [
                "*",
            ],
            "dst": [
                "server:22,80",
            ],
        },
    ],
}
```

Context info

  • Version of headscale used: 0.17.0-beta2
  • Version of tailscale client: 1.32.2 (Windows), 1.32.0 (Linux)
  • OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version: Windows 10, Linux DietPi v8.9.2
  • Kernel version: 5.15.61-v8+
  • The relevant config parameters you used: see above
  • Log output: no
adam added the bug label 2025-12-29 01:27:48 +01:00
adam closed this issue 2025-12-29 01:27:48 +01:00
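
The workaround the report mentions (IPs instead of host aliases), as an added example that is not part of the original thread or of headscale's code: a Python script that inlines `hosts` aliases into `src`/`dst` entries so the rewritten policy no longer depends on alias resolution. The function names `load_hujson` and `inline_host_aliases` and the simplified HuJSON handling (only `//` comments and trailing commas) are assumptions.

```python
import json
import re

# The policy from the report, compacted (HuJSON, so trailing commas are legal).
POLICY = """
{
    "hosts": {
        "client1": "100.64.0.1",
        "client2": "100.64.0.2",
        "server":  "100.64.0.4",
    },
    "acls": [
        {"action": "accept", "src": ["*",], "dst": ["server:22,80",],},
    ],
}
"""

def load_hujson(text):
    """Parse the HuJSON subset used here: // comments and trailing commas.
    Assumes no string value contains '//' or a comma right before ']' or '}'."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[\]}])", r"\1", text)
    return json.loads(text)

def inline_host_aliases(policy):
    """Return (new_policy, replaced_aliases) with hosts aliases swapped for addresses."""
    hosts = policy.get("hosts", {})
    replaced = []

    def swap(name):
        if name in hosts:
            replaced.append(name)
            return hosts[name]
        return name  # "*", literal IPs, users, group:/tag: names pass through

    rules = []
    for rule in policy.get("acls", []):
        dst = []
        for entry in rule.get("dst", []):
            host, sep, ports = entry.rpartition(":")  # "server:22,80" -> server / 22,80
            dst.append(swap(host) + sep + ports if sep else swap(entry))
        rules.append({**rule, "src": [swap(s) for s in rule.get("src", [])], "dst": dst})
    return {**policy, "acls": rules}, replaced

if __name__ == "__main__":
    rewritten, used = inline_host_aliases(load_hujson(POLICY))
    print("aliases replaced:", used)
    print(json.dumps(rewritten["acls"], indent=2))
```
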

@razza-guhl commented on GitHub (Nov 8, 2022):

I tested the ACL on headscale version 0.16.4 (stable) with the same result


@camaeel commented on GitHub (Nov 28, 2022):

I have similar issues when using minimal acl at version 0.17.0:

```
acls:
- src:
  - "*"
  dest:
  - "*:*"
  action: "accept"
```


@kradalby commented on GitHub (Nov 29, 2022):

ACLs are in a fragile state and we are getting to a point where we can start writing tests to verify that they work, so we will hopefully have time to improve and fix them from now on, but I cannot give an ETA.


@camaeel commented on GitHub (Nov 29, 2022):

Then maybe it should be marked as not fully functional in the docs.


@12nick12 commented on GitHub (Dec 6, 2022):

I can't wait till they're 100%. Right now it works if I have `*` open to `*:anyport`, but that means all devices get shown on each host.


@camaeel commented on GitHub (Dec 6, 2022):

@kradalby Maybe there are some issues describing what is exactly missing/not working, so the community could help here?
Is it possible to test in an automated way what is working and what is not? Either with unit tests or integration tests (using for example testcontainers to set up "the test case")?


@kradalby commented on GitHub (Dec 15, 2022):

@camaeel my goal is to start writing these tests this week, which should hopefully make it more clear what is and isn't working, because right now we actually don't know.


@camaeel commented on GitHub (Dec 15, 2022):

That would be great.
I tried to figure out how the tailscale client gets the data about other nodes. Does it call the same API that is used by the headscale CLI, or something else?

Reference: starred/headscale#367