
ACLs not working with IPV6 (reopening of #809)

Open paladincorners opened this issue 2 years ago • 4 comments

Bug description

In ACLs, if using an IPv6 address, e.g. "2000::/3:*" in the "dest" field (to allow access to the internet over IPv6 through exit nodes), you get the following error: FTL Could not load the ACL policy error="failed to parse destination, tokens [2000 /3 *]: invalid port format"

This is akin to the issue in #809. Although I am on headscale v0.22.3, I cannot upgrade to v0.23 due to possibly related issue #1604. I did check the commit history though for the fix for #809 and the fix should have been incorporated in v0.22.2 already.

Note that the solution of adding the IPv6 as a host first did not work for me and resulted in another error.

Environment

  • Version of headscale used: 0.22.3
  • Version of tailscale client: 1.52
  • OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version: Ubuntu server
  • [ No] Headscale is behind a (reverse) proxy
  • [ No] Headscale runs in a container

To Reproduce

  1. Add the following rule to the ACL (the rule should enable all IPv4 and IPv6 traffic to the internet through exit nodes):
     {
       "action": "accept",
       "src": ["*"],
       "dst": ["0.0.0.0/5:*", "8.0.0.0/7:*", "11.0.0.0/8:*", "12.0.0.0/6:*", "16.0.0.0/4:*", "32.0.0.0/3:*", "64.0.0.0/3:*", "96.0.0.0/6:*", "100.0.0.0/10:*", "100.128.0.0/9:*", "101.0.0.0/8:*", "102.0.0.0/7:*", "104.0.0.0/5:*", "112.0.0.0/4:*", "128.0.0.0/3:*", "160.0.0.0/5:*", "168.0.0.0/8:*", "169.0.0.0/9:*", "169.128.0.0/10:*", "169.192.0.0/11:*", "169.224.0.0/12:*", "169.240.0.0/13:*", "169.248.0.0/14:*", "169.252.0.0/15:*", "169.255.0.0/16:*", "170.0.0.0/7:*", "172.0.0.0/12:*", "172.32.0.0/11:*", "172.64.0.0/10:*", "172.128.0.0/9:*", "173.0.0.0/8:*", "174.0.0.0/7:*", "176.0.0.0/4:*", "192.0.0.0/9:*", "192.128.0.0/11:*", "192.160.0.0/13:*", "192.169.0.0/16:*", "192.170.0.0/15:*", "192.172.0.0/14:*", "192.176.0.0/12:*", "192.192.0.0/10:*", "193.0.0.0/8:*", "194.0.0.0/7:*", "196.0.0.0/6:*", "200.0.0.0/5:*", "208.0.0.0/4:*", "2000::/3"],
     },
  2. Run headscale serve
  3. Get error

paladincorners avatar Nov 16 '23 17:11 paladincorners

You're missing the port, and I think you need square brackets around your IP

See: https://tailscale.com/kb/1018/acls/

Tailscale IP | 100.101.102.103 | Only the device that owns the given Tailscale IP. IPv6 addresses must follow the format [1:2:3::4]:80.

Try using "[2000::/3]:*"

Sh4d avatar Nov 17 '23 18:11 Sh4d

Hi, thank you for the advice. Your suggestion appears to work if I add the IPv6 IP "[2000::/3]:*" as a host first and then use the host name in the ACL rule. However, using the IP directly in the rule, with the format you specified, still did not work.

paladincorners avatar Nov 19 '23 10:11 paladincorners
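The two comments above describe why an unbracketed IPv6 destination is rejected and why the host-alias workaround succeeds. The following is an added illustration written for this page, not headscale's own policy parser (its real error strings and internals differ): it splits a "dst" entry into host and port the way the Tailscale ACL documentation requires, so that "2000::/3:*" fails on the ambiguous colons while "[2000::/3]:*" and an alias from a constructed "hosts" map both resolve to the 2000::/3 prefix. The function names, the alias name "ipv6-internet" and the port-validation rules are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Dest is the parsed form of one ACL "dst" entry (example type, not headscale's).
type Dest struct {
	Prefix netip.Prefix // destination network
	Port   string       // "*", a single port, or "lo-hi"
}

// splitHostPort separates the host part from the port part. IPv6 literals must be
// bracketed ("[2000::/3]:*"); an unbracketed literal contains colons of its own, so
// a plain split on ':' yields too many tokens, which is the failure reported above.
func splitHostPort(s string) (string, string, error) {
	if strings.HasPrefix(s, "[") {
		end := strings.Index(s, "]")
		if end < 0 || end+1 >= len(s) || s[end+1] != ':' {
			return "", "", fmt.Errorf("malformed bracketed destination %q", s)
		}
		return s[1:end], s[end+2:], nil
	}
	tokens := strings.Split(s, ":")
	if len(tokens) != 2 {
		return "", "", fmt.Errorf("failed to parse destination %q, tokens %v: expected host:port", s, tokens)
	}
	return tokens[0], tokens[1], nil
}

// validPort accepts "*", a single port number, or a "lo-hi" range (assumed rules).
func validPort(p string) bool {
	if p == "*" {
		return true
	}
	check := func(n string) bool {
		v, err := strconv.Atoi(n)
		return err == nil && v >= 1 && v <= 65535
	}
	if lo, hi, ok := strings.Cut(p, "-"); ok {
		return check(lo) && check(hi)
	}
	return check(p)
}

// ParseDest resolves an ACL destination into a prefix and port spec. hosts plays the
// role of the policy's "hosts" alias map (name -> IP or CIDR); aliasing the IPv6 range
// is the workaround from the thread, because the alias itself contains no colons.
func ParseDest(s string, hosts map[string]string) (Dest, error) {
	host, port, err := splitHostPort(s)
	if err != nil {
		return Dest{}, err
	}
	if !validPort(port) {
		return Dest{}, fmt.Errorf("invalid port format %q", port)
	}
	if alias, ok := hosts[host]; ok {
		host = alias
	}
	prefix, err := netip.ParsePrefix(host)
	if err != nil {
		// A bare address is accepted and treated as a single-host prefix.
		addr, aerr := netip.ParseAddr(host)
		if aerr != nil {
			return Dest{}, fmt.Errorf("unknown host or address %q", host)
		}
		prefix = netip.PrefixFrom(addr, addr.BitLen())
	}
	return Dest{Prefix: prefix.Masked(), Port: port}, nil
}

func main() {
	// Constructed alias map standing in for the policy's "hosts" section.
	hosts := map[string]string{"ipv6-internet": "2000::/3"}
	for _, d := range []string{"0.0.0.0/5:*", "2000::/3:*", "[2000::/3]:*", "ipv6-internet:*", "[2000::/3]:443"} {
		dst, err := ParseDest(d, hosts)
		if err != nil {
			fmt.Printf("%-18s -> error: %v\n", d, err)
			continue
		}
		fmt.Printf("%-18s -> prefix=%s port=%s\n", d, dst.Prefix, dst.Port)
	}
}
```

Running it shows the unbracketed entry failing at the host/port split before any address parsing happens, while the bracketed form and the alias form reach netip.ParsePrefix and succeed; whether a given client accepts the bracketed form on its side is a separate matter, as the next comment notes.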

Looks like that's a client limitation. See https://github.com/tailscale/tailscale/issues/4727

Sh4d avatar Nov 19 '23 19:11 Sh4d

See https://github.com/juanfont/headscale/commit/c72401a99b4cdf49655b08b2f4d5c3a49ae116c2

neeythann avatar Nov 25 '23 11:11 neeythann

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] avatar Feb 24 '24 01:02 github-actions[bot]

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot] avatar Mar 02 '24 01:03 github-actions[bot]