headscale 0.23.0-alpha5 ignores /32 masks in ACLs #662

Closed
opened 2025-12-29 02:21:45 +01:00 by adam · 3 comments
Owner

Originally created by @winterheart on GitHub (Mar 7, 2024).

Bug description

We have a tailnet with node1 as a subnet router to the 172.16.0.0/24 network.

After updating to 0.23.0-alpha5 some of our users lost access to resources provided by ACL. Here is a short example of acl.yaml:

groups:
  group:access:
    - user1
hosts:
  net.vlan0: 172.16.0.0/24
  net.dns01: 172.16.0.21/32
# ...
acls:
  - action: accept
    src:
      - group:access
    dst:
      - tag:access-servers:* # node1 in it
      - net.dns01:*

Users in group access (user1) now cannot access 172.16.0.21. If I replace net.dns01 with net.vlan0 in the ACL, user1 can ping
172.16.0.21 (and other addresses in 172.16.0.0/24 too, which is undesirable). The previous version, 0.22.3, allowed access to hosts with a /32 mask.

Environment

  • OS: Linux
  • Headscale version: 0.23.0-alpha5
  • Tailscale version: 1.56, 1.60
  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

To Reproduce

Have a subnet router and ACLs to networks behind it.

Logs and attachments

netmap with acl /32 in config:

...
    {
        "SrcIPs": [
            "100.64.0.3/32",
            "fd7a:115c:a1e0::b/128"
        ],
        "DstPorts": [
            {
                "IP": "100.64.0.2/32",
                "Bits": null,
                "Ports": {
                    "First": 0,
                    "Last": 65535
                }
            },
            {
                "IP": "fd7a:115c:a1e0::2/128",
                "Bits": null,
                "Ports": {
                    "First": 0,
                    "Last": 65535
                }
            }
        ]
    }

netmap with acl /24 in config:

...
    {
        "SrcIPs": [
            "100.64.0.3/32",
            "fd7a:115c:a1e0::b/128"
        ],
        "DstPorts": [
            {
                "IP": "100.64.0.2/32",
                "Bits": null,
                "Ports": {
                    "First": 0,
                    "Last": 65535
                }
            },
            {
                "IP": "fd7a:115c:a1e0::2/128",
                "Bits": null,
                "Ports": {
                    "First": 0,
                    "Last": 65535
                }
            },
            {
                "IP": "172.16.0.0/24",
                "Bits": null,
                "Ports": {
                    "First": 0,
                    "Last": 65535
                }
            }
        ]
    }
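A quick way to confirm what the two dumps show, as an added example that is not part of the report or of headscale itself: parse the client's packet-filter rules and check whether a given source node is granted a given destination. The two rule sets below are constructed to mirror the dumps above (IP values and ports taken from them); the source node 100.64.0.3 is assumed to be user1's device.

```python
import ipaddress
import json

# Constructed samples mirroring the two netmap dumps in the report: the rule a
# member of group:access received with the /32 host (net.dns01) as the ACL
# destination, and the rule received with the /24 host (net.vlan0).
FILTER_ACL_SLASH32 = json.loads("""[{
  "SrcIPs": ["100.64.0.3/32", "fd7a:115c:a1e0::b/128"],
  "DstPorts": [
    {"IP": "100.64.0.2/32", "Ports": {"First": 0, "Last": 65535}},
    {"IP": "fd7a:115c:a1e0::2/128", "Ports": {"First": 0, "Last": 65535}}
  ]}]""")

FILTER_ACL_SLASH24 = json.loads("""[{
  "SrcIPs": ["100.64.0.3/32", "fd7a:115c:a1e0::b/128"],
  "DstPorts": [
    {"IP": "100.64.0.2/32", "Ports": {"First": 0, "Last": 65535}},
    {"IP": "fd7a:115c:a1e0::2/128", "Ports": {"First": 0, "Last": 65535}},
    {"IP": "172.16.0.0/24", "Ports": {"First": 0, "Last": 65535}}
  ]}]""")


def _covers(prefix, ip):
    # "IP"/"SrcIPs" hold a bare address or a CIDR prefix; strict=False accepts
    # both. An IPv4 address tested against an IPv6 prefix simply yields False.
    return ip in ipaddress.ip_network(prefix, strict=False)


def filter_allows(rules, src, dst, port):
    """True if any rule permits src -> dst:port (the filter is an allow-list)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if not any(_covers(p, src_ip) for p in rule["SrcIPs"]):
            continue
        for entry in rule["DstPorts"]:
            ports = entry["Ports"]
            if _covers(entry["IP"], dst_ip) and ports["First"] <= port <= ports["Last"]:
                return True
    return False


def unreachable_destinations(rules, src, expected, port=53):
    """Expected destinations that the compiled filter does not grant src."""
    return [d for d in expected if not filter_allows(rules, src, d, port)]


def unexpected_reach(rules, src, probes, port=53):
    """Probe addresses the filter grants src although the ACL named only one host."""
    return [d for d in probes if filter_allows(rules, src, d, port)]
```

With the /32 rule set, unreachable_destinations reports 172.16.0.21 as not granted; with the /24 rule set it is granted, but unexpected_reach shows that 172.16.0.99 is granted as well, which is the over-broad workaround the report describes.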
adam added the bug label 2025-12-29 02:21:45 +01:00
adam closed this issue 2025-12-29 02:21:45 +01:00
Author
Owner

@winterheart commented on GitHub (Mar 7, 2024):

Seems this regression is somehow related to #1786, as exit-node functionality is broken too in our environment.

Author
Owner

@kradalby commented on GitHub (Apr 29, 2024):

This should be addressed in https://github.com/juanfont/headscale/pull/1917, it also addresses #1786.

If you have the opportunity to test it before it gets merged that would be great!

Author
Owner

@kradalby commented on GitHub (Apr 30, 2024):

This should be addressed in https://github.com/juanfont/headscale/releases/tag/v0.23.0-alpha10, check it out.

Reference: starred/headscale#662