Fix exit node visibility issue - filter based on autogroup:internet permission

- Modified tailNode/tailNodes functions to accept exitRouteFilterFunc parameter
- Added canUseExitRoutes helper to check for broad internet access permission
- Added DestsContainsPrefixes method to matcher for checking prefix containment
- Exit routes now only included in peer AllowedIPs when requesting node has internet access
- Added comprehensive unit tests for both scenarios (with and without autogroup:internet)

Fixes #2788

Co-authored-by: kradalby <98431+kradalby@users.noreply.github.com>
copilot-swe-agent[bot]
2025-11-01 08:53:35 +00:00
parent 309437fa14
commit 31bf3a6637
5 changed files with 422 additions and 1 deletions


@@ -91,3 +91,10 @@ func (m *Match) SrcsOverlapsPrefixes(prefixes ...netip.Prefix) bool {
func (m *Match) DestsOverlapsPrefixes(prefixes ...netip.Prefix) bool {
return slices.ContainsFunc(prefixes, m.dests.OverlapsPrefix)
}
// DestsContainsPrefixes checks if the destination IPSet contains all the given prefixes.
// This is more strict than DestsOverlapsPrefixes - it requires the entire prefix to be
// contained in the destination, not just overlapping.
func (m *Match) DestsContainsPrefixes(prefixes ...netip.Prefix) bool {
return slices.ContainsFunc(prefixes, m.dests.ContainsPrefix)
}
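Review bot: DestsContainsPrefixes is documented as requiring all of the given prefixes to be contained, but `slices.ContainsFunc(prefixes, m.dests.ContainsPrefix)` returns true as soon as any one of them is contained. The commit message says this method backs the exit-route permission check; the caller is not visible in this hunk, but if it passes both default routes, a rule whose destinations cover only one of them would presumably still pass, which is looser than the comment promises. To match the comment, use `return len(prefixes) > 0 && !slices.ContainsFunc(prefixes, func(p netip.Prefix) bool { return !m.dests.ContainsPrefix(p) })`; the `len` guard keeps an empty argument list from being vacuously true in a permission decision. If any-match is what is intended, the name and the doc comment should say so, and a unit test with a single-family destination would pin the behaviour either way.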