
[Bug] ACLs with exact ip addresses don't work

Open maxpain opened this issue 1 year ago • 3 comments

This works:

"acls": [{
	"action": "accept",
	"src": ["group:fastcup-ml"],
	"dst": ["10.126.0.0/20:5432"],
}]

But this doesn't:

"acls": [{
	"action": "accept",
	"src": ["group:fastcup-ml"],
	"dst": ["10.126.0.2:5432"],
}]

The users in group:fastcup-ml don't see the server which announces the 10.126.0.0/20 subnet in their tailscale status output.

maxpain, Oct 08 '24 19:10

Can you try with "dst": ["10.126.0.2/32:5432"], (adding /32 after the IP address), please?

nblock, Oct 09 '24 04:10

Can you try with "dst": ["10.126.0.2/32:5432"], (adding /32 after the IP address), please?

Already tried. Doesn’t work.

maxpain, Oct 09 '24 08:10

Hi @maxpain, we have an issue template asking for a series of pieces of information and proposing debug information so that we are able to debug this quicker, which makes our life easier as maintainers. Please follow it and fill it out.

We need to see the output of certain things to figure out what is happening and it saves us a great deal of time if you help us since you have the setup already instead of us having to replicate it.

If you had followed the template, it would have proposed using tailscale debug netmap to help us with the info we need.

Please go back and fill out all the information and provide a netmap dump from the relevant clients with the two different settings, the working one and the broken one. If not all the information is filled out, we will have to close the issue. Thank you.

kradalby, Oct 12 '24 12:10

@kradalby, sorry about this. I've updated the issue.

maxpain, Nov 08 '24 20:11

Tested with 93afb03f6756983d85fe3f39666d21430a886dae and could reproduce it (with a slightly simplified ACL):

$ headscale user list
ID | Name | Username | Email | Created            
1  |      | admin    |       | 2025-05-02 12:23:59
2  |      | user     |       | 2025-05-02 12:24:00
$ headscale nodes list
ID | Hostname | Name   | MachineKey | NodeKey | User  | IP addresses                  | Ephemeral | Last seen | Expiration | Connected | Expired
1  | router   | router | [lPNFs]    | [CT9dL] | admin | 100.64.0.1, fd7a:115c:a1e0::1 | false     |           | N/A        | online    | no     
2  | node     | node   | [XC7jE]    | [nLKKr] | user  | 100.64.0.2, fd7a:115c:a1e0::2 | false     |           | N/A        | online    | no   
$ headscale nodes list-routes
ID | Hostname | Approved     | Available    | Serving (Primary)
1  | router   | 10.99.0.0/16 | 10.99.0.0/16 | 10.99.0.0/16   
{
  "groups": {
    "group:test-project": [
      "user@"
    ]
  },
  "acls": [
    {
      "action": "accept",
      "src": [
        "*"
      ],
      "dst": [
        "router:0"
      ]
    },
    {
      "action": "accept",
      "src": [
        "group:test-project"
      ],
      "dst": [
        "10.99.0.0/16:*"     // works
        // "10.99.0.2/32:*"  // does not work
      ]
    }
  ]
}

A service listening on 10.99.0.2:8000 is reachable from node when the destination is 10.99.0.0/16:*. Access is no longer possible if the destination is changed to 10.99.0.2/32:*.

A dummy interface can be used to simulate a service:

$ ip link add dummy0 type dummy
$ ip addr add 10.99.0.2/16 dev dummy0
$ ip link set dummy0 up
$ python3 -m http.server -b 10.99.0.2

nblock, May 02 '25 12:05
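Both failing destinations in this thread (10.126.0.2:5432 in the original report, 10.99.0.2/32:* in the reproduction) are prefixes strictly narrower than the route the subnet router serves, while the working ones name the whole route. The script below is an added example, not headscale's code: it lints a policy for destinations that are narrower than a served route, and models two candidate ways a matcher could compare an ACL destination with a served route so that the difference in outcome is visible. Neither rule is claimed to be what headscale actually implements; the routes table and policy are constructed to mirror the reproduction above.

```python
"""
Added example (not headscale's code): check the prefix-form destination
entries of a headscale ACL policy against the subnet routes a router node
is serving, and show how "10.99.0.0/16:*" and "10.99.0.2/32:*" diverge
under two different prefix-comparison rules.  Neither rule is claimed to
be headscale's implementation; they are models used for illustration.
"""
import ipaddress

# Constructed to mirror the reproduction in the thread: one router node
# serving 10.99.0.0/16 (as shown by `headscale nodes list-routes`).
SERVING_ROUTES = {"router": ["10.99.0.0/16"]}


def policy_with_dst(dst):
    """Build the reproduction policy with the group's destination swapped in."""
    return {
        "groups": {"group:test-project": ["user@"]},
        "acls": [
            {"action": "accept", "src": ["*"], "dst": ["router:0"]},
            {"action": "accept", "src": ["group:test-project"], "dst": [dst]},
        ],
    }


def split_dst(entry):
    """'10.99.0.2/32:*' -> ('10.99.0.2/32', '*'); the port follows the last ':'."""
    target, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"destination {entry!r} has no port part")
    return target, port


def as_prefix(target):
    """Return an IP network for a CIDR or bare address, or None for anything else.

    A bare address such as '10.126.0.2' becomes a /32 (or /128), which is
    also what the thread's "add /32" suggestion amounts to.
    """
    try:
        return ipaddress.ip_network(target, strict=False)
    except ValueError:
        return None  # hostname, group, tag or wildcard, not a prefix


def overlap_rule(dst, route):
    """Model A: grant if any address of the ACL destination lies in the route."""
    return dst.overlaps(route)


def covers_rule(dst, route):
    """Model B: grant only if the ACL destination contains the whole route."""
    return route.subnet_of(dst)


def routers_granted(policy, serving_routes, rule):
    """Routers whose served route is matched by some prefix-form accept destination."""
    granted = set()
    for acl in policy["acls"]:
        if acl["action"] != "accept":
            continue
        for entry in acl["dst"]:
            dst = as_prefix(split_dst(entry)[0])
            if dst is None:
                continue
            for router, routes in serving_routes.items():
                for r in routes:
                    route = ipaddress.ip_network(r)
                    if dst.version == route.version and rule(dst, route):
                        granted.add(router)
    return granted


def narrow_destinations(policy, serving_routes):
    """Accept destinations that are strictly narrower than a served route.

    These are exactly the shape of entry this thread reports as not working,
    so a policy review can flag them before rollout.
    """
    routes = [ipaddress.ip_network(r) for rs in serving_routes.values() for r in rs]
    flagged = []
    for acl in policy["acls"]:
        for entry in acl["dst"]:
            dst = as_prefix(split_dst(entry)[0])
            if dst is None:
                continue
            if any(dst.version == r.version and dst.subnet_of(r) and dst != r
                   for r in routes):
                flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for dst in ("10.99.0.0/16:*", "10.99.0.2/32:*", "10.99.0.2:8000"):
        pol = policy_with_dst(dst)
        print(dst,
              "overlap:", sorted(routers_granted(pol, SERVING_ROUTES, overlap_rule)),
              "covers:", sorted(routers_granted(pol, SERVING_ROUTES, covers_rule)),
              "narrow:", narrow_destinations(pol, SERVING_ROUTES))
```

Under the overlap rule every destination grants access to the router; under the covers rule only the whole-route destination does, which is the pattern the thread observes. The lint function is independent of either model and simply reports destinations narrower than a served route, so it can be run against a real policy file and the output of `headscale nodes list-routes` before deploying a change. IPv6 destinations with a port (where colons also appear in the address) are not handled by the simple split on the last colon.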