MyFavMirrors/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2025-11-25 03:46:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

Filter exit routes through ACL policy to fix issue #2788

Browse Source 
Exit nodes are now only visible to nodes that have permission to use them
according to ACL policy. Previously, exit routes (0.0.0.0/0 and ::/0) were
unconditionally added to the AllowedIPs field in the network map, making
exit nodes visible to all peers regardless of policy.

Changes:
- Modified buildTailPeers and WithSelfNode in builder.go to filter exit
  routes through policy.ReduceRoutes, same as primary routes
- Removed unconditional addition of exit routes in tail.go tailNode function
- Updated tail_test.go to reflect new behavior where exit routes are filtered

The fix ensures that exit nodes are only visible when a node has
autogroup:internet in their ACL destination rules.

Co-authored-by: kradalby <98431+kradalby@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2025-11-01 08:52:29 +00:00
parent a55cdc2636
commit e0107024e8
3 changed files with 35 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hscontrol/mapper/tail.go
View File

@@ -88,9 +88,9 @@ func tailNode(
}
tags = lo.Uniq(tags)
// Get filtered routes (includes both primary routes and exit routes if allowed by policy)
routes := primaryRouteFunc(node.ID())
allowed := append(addrs, routes...)
allowed = append(allowed, node.ExitRoutes()...)
tsaddr.SortPrefixes(allowed)
tNode := tailcfg.Node{