headscale
headscale copied to clipboard
juanfont
Reducing filter rules breaks exit node access
Bug description
When setting up an ACL to allow access to a exit node, the access rules can be reduced because the ips defined are not in use by the network or routes.
Environment
- OS: N/A
- Headscale version:
- Tailscale version: N/A
- [ ] Headscale is behind a (reverse) proxy
- [ ] Headscale runs in a container
To Reproduce
Logs and attachments
Trying to create the following setup:
- user1-user3 are part of the group "team"
- user "internal" contains internal services/servers
- "internal" should not be able to access anything
- "team" should be able to access all of "internal"
- "team" members should be able to access all own devices but not other users
- "internal" contains multiple exit nodes
If I just use the following ACL, the "team" members are able to successfully access all "internal" devices. However when trying to use a exit node inside "internal" it is not possible to ping/access any devices outside the tailscale network.
{ "action": "accept", "src": ["group:team"], "dst": ["internal:*"] },
{
"groups": {
"group:team": ["user3", "user2", "user1"]
},
"acls": [
{ "action": "accept", "src": ["group:team"], "dst": ["internal:*"] },
{
"action": "accept",
"src": ["group:team"],
"dst": [ "0.0.0.0/5:*",
"8.0.0.0/7:*",
"11.0.0.0/8:*",
"12.0.0.0/6:*",
"16.0.0.0/4:*",
"32.0.0.0/3:*",
"64.0.0.0/2:*",
"128.0.0.0/3:*",
"160.0.0.0/5:*",
"168.0.0.0/6:*",
"172.0.0.0/12:*",
"172.32.0.0/11:*",
"172.64.0.0/10:*",
"172.128.0.0/9:*",
"173.0.0.0/8:*",
"174.0.0.0/7:*",
"176.0.0.0/4:*",
"192.0.0.0/9:*",
"192.128.0.0/11:*",
"192.160.0.0/13:*",
"192.169.0.0/16:*",
"192.170.0.0/15:*",
"192.172.0.0/14:*",
"192.176.0.0/12:*",
"192.192.0.0/10:*",
"193.0.0.0/8:*",
"194.0.0.0/7:*",
"196.0.0.0/6:*",
"200.0.0.0/5:*",
"208.0.0.0/4:*"
]
},
{ "action": "accept", "src": ["user3"], "dst": ["user3:*"] },
{ "action": "accept", "src": ["user2"], "dst": ["user2:*"] },
{ "action": "accept", "src": ["user1"], "dst": ["user1:*"] }
]
}
Some options to improve this:
-
Add more tests for reducing filter rules, then amend the function so it passes
-
Support
autogroup:internet
https://github.com/juanfont/headscale/blob/7a920ee701f6c1cc5152075bfcd7dae6f6d604c6/hscontrol/policy/acls.go#L262
I believe expanded and routeableIP might have to be switched here
https://github.com/juanfont/headscale/blob/7a920ee701f6c1cc5152075bfcd7dae6f6d604c6/hscontrol/policy/acls.go#L262
I believe expanded and routeableIP might have to be switched here
Can't we just check if a node is considered an exit node and allow exit nodes to accept all routable IPs? Or am I missing something here?
https://github.com/juanfont/headscale/blob/7a920ee701f6c1cc5152075bfcd7dae6f6d604c6/hscontrol/policy/acls.go#L262
I believe expanded and routeableIP might have to be switched here
Can't we just check if a node is considered an exit node and allow exit nodes to accept all routable IPs? Or am I missing something here?
Yes, but that leaves the same issue for things that arent exit nodes but have some sort of overlap. So instead we want to use the overlaps function
Sorry, I've missed this, I think it makes sense to expand this to ensure it doesnt remove the routes, I think both autogroup:internet and more tests (which I am always for) sounds sensible to start with.
I've added this to the 0.23.0 milestone
There is a way to fix this problem without: { "action": "accept", "src": [""], "dst": [":*"] },
There is a way to fix this problem without: { "action": "accept", "src": [""], "dst": [":*"] },
Can you elaborate on this a little more? I don't get how you think you solved this?
This should be addressed in https://github.com/juanfont/headscale/pull/1917, it also addresses #1817.
If any have the opportunity to test it before it gets merged that would be great!
This issue should now have been addressed in https://github.com/juanfont/headscale/releases/tag/v0.23.0-alpha10, please let me know