Reducing filter rules breaks exit node access #647

New Issue

adam · 2025-12-29T02:21:35+01:00

adam commented

2025-12-29 02:21:35 +01:00

Originally created by @TotoTheDragon on GitHub (Feb 19, 2024).

Bug description

When setting up an ACL to allow access to a exit node, the access rules can be reduced because the ips defined are not in use by the network or routes.

Environment

OS: N/A
Headscale version:
Tailscale version: N/A

Headscale is behind a (reverse) proxy
Headscale runs in a container

To Reproduce

Logs and attachments

Trying to create the following setup:

user1-user3 are part of the group "team"
user "internal" contains internal services/servers
"internal" should not be able to access anything
"team" should be able to access all of "internal"
"team" members should be able to access all own devices but not other users
"internal" contains multiple exit nodes

If I just use the following ACL, the "team" members are able to successfully access all "internal" devices. However when trying to use a exit node inside "internal" it is not possible to ping/access any devices outside the tailscale network.

{ "action": "accept", "src": ["group:team"], "dst": ["internal:*"] },

{
  "groups": {
    "group:team": ["user3", "user2", "user1"]
  },
  "acls": [
    { "action": "accept", "src": ["group:team"], "dst": ["internal:*"] },
    {
      "action": "accept",
      "src": ["group:team"],
      "dst": [ "0.0.0.0/5:*",
               "8.0.0.0/7:*",
               "11.0.0.0/8:*",
               "12.0.0.0/6:*",
               "16.0.0.0/4:*",
               "32.0.0.0/3:*",
               "64.0.0.0/2:*",
               "128.0.0.0/3:*",
               "160.0.0.0/5:*",
               "168.0.0.0/6:*",
               "172.0.0.0/12:*",
               "172.32.0.0/11:*",
               "172.64.0.0/10:*",
               "172.128.0.0/9:*",
               "173.0.0.0/8:*",
               "174.0.0.0/7:*",
               "176.0.0.0/4:*",
               "192.0.0.0/9:*",
               "192.128.0.0/11:*",
               "192.160.0.0/13:*",
               "192.169.0.0/16:*",
               "192.170.0.0/15:*",
               "192.172.0.0/14:*",
               "192.176.0.0/12:*",
               "192.192.0.0/10:*",
               "193.0.0.0/8:*",
               "194.0.0.0/7:*",
               "196.0.0.0/6:*",
               "200.0.0.0/5:*",
               "208.0.0.0/4:*"
              ]
    },
    { "action": "accept", "src": ["user3"], "dst": ["user3:*"] },
    { "action": "accept", "src": ["user2"], "dst": ["user2:*"] },
    { "action": "accept", "src": ["user1"], "dst": ["user1:*"] }
  ]
}

Originally created by @TotoTheDragon on GitHub (Feb 19, 2024).  ## Bug description  When setting up an ACL to allow access to a exit node, the access rules can be reduced because the ips defined are not in use by the network or routes. ## Environment  - OS: N/A - Headscale version: - Tailscale version: N/A  - [ ] Headscale is behind a (reverse) proxy - [ ] Headscale runs in a container ## To Reproduce  ## Logs and attachments  Trying to create the following setup: - user1-user3 are part of the group "team" - user "internal" contains internal services/servers - "internal" should not be able to access anything - "team" should be able to access all of "internal" - "team" members should be able to access all own devices but not other users - "internal" contains multiple exit nodes If I just use the following ACL, the "team" members are able to successfully access all "internal" devices. However when trying to use a exit node inside "internal" it is not possible to ping/access any devices outside the tailscale network. ``` { "action": "accept", "src": ["group:team"], "dst": ["internal:*"] },``` ``` { "groups": { "group:team": ["user3", "user2", "user1"] }, "acls": [ { "action": "accept", "src": ["group:team"], "dst": ["internal:*"] }, { "action": "accept", "src": ["group:team"], "dst": [ "0.0.0.0/5:*", "8.0.0.0/7:*", "11.0.0.0/8:*", "12.0.0.0/6:*", "16.0.0.0/4:*", "32.0.0.0/3:*", "64.0.0.0/2:*", "128.0.0.0/3:*", "160.0.0.0/5:*", "168.0.0.0/6:*", "172.0.0.0/12:*", "172.32.0.0/11:*", "172.64.0.0/10:*", "172.128.0.0/9:*", "173.0.0.0/8:*", "174.0.0.0/7:*", "176.0.0.0/4:*", "192.0.0.0/9:*", "192.128.0.0/11:*", "192.160.0.0/13:*", "192.169.0.0/16:*", "192.170.0.0/15:*", "192.172.0.0/14:*", "192.176.0.0/12:*", "192.192.0.0/10:*", "193.0.0.0/8:*", "194.0.0.0/7:*", "196.0.0.0/6:*", "200.0.0.0/5:*", "208.0.0.0/4:*" ] }, { "action": "accept", "src": ["user3"], "dst": ["user3:*"] }, { "action": "accept", "src": ["user2"], "dst": ["user2:*"] }, { "action": "accept", "src": ["user1"], "dst": ["user1:*"] } ] } ```

adam added the bug label 2025-12-29 02:21:35 +01:00

adam closed this issue

2025-12-29 02:21:35 +01:00

adam commented

2025-12-29 02:21:36 +01:00

@TotoTheDragon commented on GitHub (Feb 19, 2024):

Some options to improve this:

Add more tests for reducing filter rules, then amend the function so it passes
Support autogroup:internet

@TotoTheDragon commented on GitHub (Feb 19, 2024): Some options to improve this: - Add more tests for reducing filter rules, then amend the function so it passes - Support `autogroup:internet`

adam commented

2025-12-29 02:21:36 +01:00

@TotoTheDragon commented on GitHub (Feb 19, 2024):

7a920ee701/hscontrol/policy/acls.go (L262)

I believe expanded and routeableIP might have to be switched here

@TotoTheDragon commented on GitHub (Feb 19, 2024): https://github.com/juanfont/headscale/blob/7a920ee701f6c1cc5152075bfcd7dae6f6d604c6/hscontrol/policy/acls.go#L262 I believe expanded and routeableIP might have to be switched here

adam commented

2025-12-29 02:21:36 +01:00

@ml-mf commented on GitHub (Mar 1, 2024):

7a920ee701/hscontrol/policy/acls.go (L262)

I believe expanded and routeableIP might have to be switched here

Can't we just check if a node is considered an exit node and allow exit nodes to accept all routable IPs? Or am I missing something here?

@ml-mf commented on GitHub (Mar 1, 2024): > https://github.com/juanfont/headscale/blob/7a920ee701f6c1cc5152075bfcd7dae6f6d604c6/hscontrol/policy/acls.go#L262 > > I believe expanded and routeableIP might have to be switched here Can't we just check if a node is considered an exit node and allow exit nodes to accept all routable IPs? Or am I missing something here?

adam commented

2025-12-29 02:21:36 +01:00

@TotoTheDragon commented on GitHub (Mar 1, 2024):

7a920ee701/hscontrol/policy/acls.go (L262)

I believe expanded and routeableIP might have to be switched here

Can't we just check if a node is considered an exit node and allow exit nodes to accept all routable IPs? Or am I missing something here?

Yes, but that leaves the same issue for things that arent exit nodes but have some sort of overlap. So instead we want to use the overlaps function

@TotoTheDragon commented on GitHub (Mar 1, 2024): > > https://github.com/juanfont/headscale/blob/7a920ee701f6c1cc5152075bfcd7dae6f6d604c6/hscontrol/policy/acls.go#L262 > > > > I believe expanded and routeableIP might have to be switched here > > Can't we just check if a node is considered an exit node and allow exit nodes to accept all routable IPs? Or am I missing something here? Yes, but that leaves the same issue for things that arent exit nodes but have some sort of overlap. So instead we want to use the overlaps function

adam commented

2025-12-29 02:21:36 +01:00

@kradalby commented on GitHub (Mar 4, 2024):

Sorry, I've missed this, I think it makes sense to expand this to ensure it doesnt remove the routes, I think both autogroup:internet and more tests (which I am always for) sounds sensible to start with.

I've added this to the 0.23.0 milestone

@kradalby commented on GitHub (Mar 4, 2024): Sorry, I've missed this, I think it makes sense to expand this to ensure it doesnt remove the routes, I think both `autogroup:internet` and more tests (which I am always for) sounds sensible to start with. I've added this to the 0.23.0 milestone

adam commented

2025-12-29 02:21:36 +01:00

@kfkawalec commented on GitHub (Apr 25, 2024):

There is a way to fix this problem without:
{ "action": "accept", "src": [""], "dst": [":*"] },

@kfkawalec commented on GitHub (Apr 25, 2024): There is a way to fix this problem without: { "action": "accept", "src": ["*"], "dst": ["*:*"] },

adam commented

2025-12-29 02:21:37 +01:00

@ml-mf commented on GitHub (Apr 29, 2024):

There is a way to fix this problem without: { "action": "accept", "src": [""], "dst": [":*"] },

Can you elaborate on this a little more? I don't get how you think you solved this?

@ml-mf commented on GitHub (Apr 29, 2024): > There is a way to fix this problem without: { "action": "accept", "src": ["_"], "dst": ["_:*"] }, Can you elaborate on this a little more? I don't get how you think you solved this?

adam commented

2025-12-29 02:21:37 +01:00

@kradalby commented on GitHub (Apr 29, 2024):

This should be addressed in https://github.com/juanfont/headscale/pull/1917, it also addresses #1817.

If any have the opportunity to test it before it gets merged that would be great!

@kradalby commented on GitHub (Apr 29, 2024): This should be addressed in https://github.com/juanfont/headscale/pull/1917, it also addresses #1817. If any have the opportunity to test it before it gets merged that would be great!

adam commented

2025-12-29 02:21:37 +01:00

@kradalby commented on GitHub (Apr 30, 2024):

This issue should now have been addressed in https://github.com/juanfont/headscale/releases/tag/v0.23.0-alpha10, please let me know

@kradalby commented on GitHub (Apr 30, 2024): This issue should now have been addressed in https://github.com/juanfont/headscale/releases/tag/v0.23.0-alpha10, please let me know

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#647