Address code review feedback - clarify comments and logic

- Fixed DestsContainsPrefixes comment to accurately describe behavior (checks if ANY prefix is contained)
- Enhanced canUseExitRoutes documentation to explain why checking ANY sample public IP is sufficient
- Clarified that DestsContainsIP variadic behavior is intentional and correct for internet access detection

No code logic changes, only documentation improvements.

Co-authored-by: kradalby <98431+kradalby@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2025-11-01 08:59:28 +00:00
parent 31bf3a6637
commit 4aa9292b91
3 changed files with 14 additions and 15 deletions


@@ -20,16 +20,20 @@ import (
//
// Exit routes should only be visible when the ACL explicitly grants broad internet
// access (e.g., via autogroup:internet), not just access to specific services.
//
// The function tests if the ACL grants access to well-known public DNS servers.
// If any of these are accessible, it indicates the ACL grants broad internet access
// (as opposed to just specific private services), which is sufficient for exit node usage.
func canUseExitRoutes(node types.NodeView, matchers []matcher.Match) bool {
src := node.IPs()
// Sample public internet IPs to test for broad internet access.
// If the ACL grants access to these well-known public IPs, it's granting
// internet access (e.g., via autogroup:internet).
// Use popular public DNS servers as representatives of internet access.
// If the ACL grants access to any of these well-known public IPs, it indicates
// broad internet access (e.g., via autogroup:internet) rather than just access
// to specific private services.
samplePublicIPs := []netip.Addr{
netip.MustParseAddr("1.1.1.1"), // Cloudflare DNS
netip.MustParseAddr("8.8.8.8"), // Google DNS
netip.MustParseAddr("1.1.1.1"), // Cloudflare DNS
netip.MustParseAddr("8.8.8.8"), // Google DNS
netip.MustParseAddr("208.67.222.222"), // OpenDNS
}
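Review bot: The new comment above samplePublicIPs says the check separates broad internet access from access to specific private services, but a narrow allow rule that names one of these exact public addresses (for example a rule permitting DNS to 8.8.8.8 only) also satisfies the check and would make exit routes visible, so the heuristic has a false-positive case the comment should acknowledge rather than rule out. I would append `// NOTE: a rule that explicitly allows one of these exact addresses also satisfies this check; it is a proxy for autogroup:internet, not proof of it.` to the existing block. Separately, the slice is rebuilt with netip.MustParseAddr on every call; hoisting it to a package-level `var samplePublicIPs = []netip.Addr{...}` avoids re-parsing per call and gives the documented sample set a single home. The body of canUseExitRoutes continues past this hunk.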
@@ -40,7 +44,8 @@ func canUseExitRoutes(node types.NodeView, matchers []matcher.Match) bool {
continue
}
// Check if the destination includes public internet IPs.
// Check if the destination includes any public internet IPs.
// DestsContainsIP returns true if ANY of the provided IPs is in the destination set.
// This will be true for autogroup:internet (which resolves to the public internet)
// but false for rules that only allow access to specific private IPs or services.
if matcher.DestsContainsIP(samplePublicIPs...) {