mirror of
https://github.com/juanfont/headscale.git
synced 2025-11-07 04:42:52 -05:00
types: Distinguish subnet and exit node access
When we fixed the issue of node visibility of nodes that only had access to eachother because of a subnet route, we gave all nodes access to all exit routes by accident. This commit splits exit nodes and subnet routes in the access. If a matcher indicates that the node should have access to any part of the subnet routes, we do not remove it from the node list. If a matcher destination is equal to the internet, and the target node is an exit node, we also do not remove the access. Fixes #2784 Fixes #2788 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
This commit is contained in:
Kristoffer Dalby
committed by
Kristoffer Dalby
Kristoffer Dalby
parent
d9c3eaf8c8
commit
2024219bd1
@@ -319,9 +319,16 @@ func (node *Node) CanAccess(matchers []matcher.Match, node2 *Node) bool {
|
|||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if the node has access to routes that might be part of a
|
||||||
|
// smaller subnet that is served from node2 as a subnet router.
|
||||||
if matcher.DestsOverlapsPrefixes(node2.SubnetRoutes()...) {
|
if matcher.DestsOverlapsPrefixes(node2.SubnetRoutes()...) {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// If the dst is "the internet" and node2 is an exit node, allow access.
|
||||||
|
if matcher.DestsIsTheInternet() && node2.IsExitNode() {
|
||||||
|
return true
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return false
|
return false
|
||||||
|
|||||||
Reference in New Issue
Block a user