
Various ACL rules not working

Open madjam002 opened this issue 3 years ago • 0 comments

There are various scenarios that I've found where ACL rules are not working in Headscale as expected:

  • IPv6 addresses or prefixes are not supported in dst (error Could not load the ACL policy error="invalid port format") unless they are in the hosts alias map and an alias is used instead.
  • dst: *:* (existing bug report - https://github.com/juanfont/headscale/issues/699)
  • Using src/dst rules with subnet router CIDRs does not send the subnet router peer itself. A dummy rule, e.g. subnetrouterip:0, must be defined in the ACLs to make it work.
  • If a node is tagged with headscale nodes tag, no peers are sent to the node even if the packet filter allows for it. Untagging the node then correctly sends the peers.

Context info

  • Version of headscale used a0a463494b0160c12098ae436cf453f15861e155
  • Version of tailscale client 1.30.0
  • OS NixOS 22.05
  • Kernel version 5.15.67

madjam002 avatar Sep 15 '22 12:09 madjam002
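The first two bullets of the report describe dst entries that either fail to load (an IPv6 address or prefix written inline, because the colons collide with the `target:port` syntax) or are reported not to match (`*:*`). The following is an added example, not headscale's code and not something the reporter posted: a small lint that flags both patterns in a policy and applies the workaround the report names for the IPv6 case, moving the literal into the `hosts` alias map and referencing the alias from `dst`. It assumes the policy layout the report implies (top-level `hosts` mapping alias to CIDR, and `acls` entries with `action`, `src` and `dst`); the sample policy, the `v6net` alias prefix and the helper names are constructed for the demo.

```python
"""Lint a headscale ACL policy for the dst patterns this report says
fail, and rewrite IPv6 dst literals into hosts aliases.

Added example, not headscale's own code.  Assumes the policy shape the
report refers to: "hosts" (alias -> CIDR) and "acls" (list of
{"action", "src", "dst"}) with dst written as "target:port".
"""
import copy
import ipaddress

# Constructed sample policy (not taken from the report): one IPv6 prefix
# literal in dst, one wildcard dst, one plain IPv4 rule that is fine.
SAMPLE_POLICY = {
    "hosts": {
        "subnet-router": "100.64.0.5/32",
    },
    "acls": [
        {"action": "accept", "src": ["*"], "dst": ["fd7a:115c:a1e0::/48:*"]},
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
        {"action": "accept", "src": ["*"], "dst": ["10.0.0.0/24:22"]},
    ],
}


def split_dst(entry):
    """Split a dst entry "target:port" at the LAST colon.

    An IPv6 literal contains colons itself, so after the split its target
    part still holds ':'.  That is the ambiguity behind the
    "invalid port format" load error the report describes.
    """
    target, _, port = entry.rpartition(":")
    return target, port


def is_ipv6_literal(target):
    """True if target parses as an IPv6 address or prefix."""
    try:
        ipaddress.ip_network(target, strict=False)
    except ValueError:
        return False
    return ":" in target


def lint_policy(policy):
    """Return (rule_index, dst_entry, reason) for each problematic dst."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        for entry in rule.get("dst", []):
            target, _port = split_dst(entry)
            if entry == "*:*":
                findings.append((i, entry,
                                 "wildcard dst '*:*' reported not to work "
                                 "(headscale issue #699)"))
            elif is_ipv6_literal(target):
                findings.append((i, entry,
                                 "IPv6 literal in dst; define it under "
                                 "'hosts' and reference the alias"))
    return findings


def alias_ipv6_dsts(policy, alias_prefix="v6net"):
    """Return a copy of the policy with every IPv6 dst literal moved into
    a 'hosts' alias (the workaround the report says does load).

    alias_prefix is a constructed name; pick whatever fits your policy.
    """
    new = copy.deepcopy(policy)
    hosts = new.setdefault("hosts", {})
    counter = 0
    for rule in new.get("acls", []):
        rewritten = []
        for entry in rule.get("dst", []):
            target, port = split_dst(entry)
            if is_ipv6_literal(target):
                # Reuse an existing alias if the same CIDR is already mapped.
                alias = next((k for k, v in hosts.items() if v == target), None)
                if alias is None:
                    counter += 1
                    alias = f"{alias_prefix}{counter}"
                    hosts[alias] = target
                rewritten.append(f"{alias}:{port}")
            else:
                rewritten.append(entry)
        rule["dst"] = rewritten
    return new


if __name__ == "__main__":
    for idx, entry, reason in lint_policy(SAMPLE_POLICY):
        print(f"acls[{idx}] dst {entry!r}: {reason}")
    fixed = alias_ipv6_dsts(SAMPLE_POLICY)
    print("rewritten hosts:", fixed["hosts"])
    print("rewritten acls[0].dst:", fixed["acls"][0]["dst"])
```

Running the lint before loading a policy catches the IPv6 case at review time instead of at headscale startup; the `*:*` finding is only a warning, since the report links the existing bug rather than a fix, and the rewrite leaves that entry untouched.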