Removing an ACL is not pushed out to clients #577

Closed
opened 2025-12-29 02:20:43 +01:00 by adam · 1 comment
Originally created by @nathan-march on GitHub (Nov 15, 2023).

Bug description

If you create an ACL that allows access inside a group, then remove the ACL and HUP the server, the change is not picked up by the clients. Doing a down/up on the client will resolve it.

Environment

ACL:

```
{
  "groups": {
    "group:admins": ["XXXXX"],
  },
  "acls": [
    { "action": "accept", "src": ["group:admins"], "dst": ["group:admins:*"] },
  ]
}
```
  • OS: Ubuntu server
  • Headscale version: v0.23.0-alpha1
  • Tailscale version: 1.52.1 linux

Two linux boxes as tailscale clients with a 3rd running headscale.

To Reproduce

  1. Setup the above ACL
  2. Connect two linux clients and start a ping running on them both
  3. Comment out the action line and killall -HUP headscaled
  4. See the ping keeps going
  5. On one client, do tailscale down; tailscale up
  6. See the ping stops
  7. Uncomment the ACL and killall -HUP headscaled
  8. See the ping starts
adam added the bug label 2025-12-29 02:20:43 +01:00
adam closed this issue 2025-12-29 02:20:43 +01:00

@nathan-march commented on GitHub (Nov 15, 2023):

Actually I think what happens here is, if there's no ACL specified then everything is wide open.

If so then this isn't really a bug, but could use a warning entry in the logs along the lines of "No ACL rules found, allowing all traffic!"

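The warning the comment asks for can be produced before the policy is ever loaded by the server. The following policy lint is an added example, not headscale's own code: it parses the report's HuJSON-style policy (comments and trailing commas, as in the reproduction where the rule line is commented out) and flags an empty `acls` list, since the report observed that no rules means all traffic is allowed. The comment-stripping regexes are a simplification and do not handle `//` inside string values.

```python
import json
import re

# Constructed sample: the report's policy with its only rule commented out,
# exactly what step 3 of the reproduction produces.
POLICY_NO_RULES = """
{
  "groups": {
    "group:admins": ["XXXXX"],
  },
  "acls": [
    // { "action": "accept", "src": ["group:admins"], "dst": ["group:admins:*"] },
  ]
}
"""

# Constructed sample: the same policy with the rule active.
POLICY_WITH_RULE = POLICY_NO_RULES.replace("// {", "{")


def load_hujson(text):
    """Minimal HuJSON loader: strip // and /* */ comments and trailing commas.
    Simplified: a '//' inside a string value would also be stripped."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r",\s*([\]}])", r"\1", text)
    return json.loads(text)


def lint_policy(text):
    """Return warnings for a policy. An empty 'acls' list is the case the
    report hit: nothing is denied, so say so loudly. Also flag rules that
    lack a field or reference a group that is not defined."""
    warnings = []
    policy = load_hujson(text)
    rules = policy.get("acls", [])
    groups = policy.get("groups", {})
    if not rules:
        warnings.append("No ACL rules found, allowing all traffic!")
    for i, rule in enumerate(rules):
        for key in ("action", "src", "dst"):
            if key not in rule:
                warnings.append(f"acls[{i}] is missing '{key}'")
        # dst entries carry a ':port' suffix; src entries do not.
        names = list(rule.get("src", []))
        names += [d.rsplit(":", 1)[0] for d in rule.get("dst", [])]
        for name in names:
            if name.startswith("group:") and name not in groups:
                warnings.append(f"acls[{i}] references undefined {name}")
    return warnings
```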

Reference: starred/headscale#577