MyFavMirrors/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2025-11-23 02:47:40 -05:00
Code Issues Packages Projects Releases Wiki Activity

Filter exit routes through ACL policy to fix issue #2788

Browse Source 
Exit nodes are now only visible to nodes that have permission to use them
according to ACL policy. Previously, exit routes (0.0.0.0/0 and ::/0) were
unconditionally added to the AllowedIPs field in the network map, making
exit nodes visible to all peers regardless of policy.

Changes:
- Modified buildTailPeers and WithSelfNode in builder.go to filter exit
  routes through policy.ReduceRoutes, same as primary routes
- Removed unconditional addition of exit routes in tail.go tailNode function
- Updated tail_test.go to reflect new behavior where exit routes are filtered

The fix ensures that exit nodes are only visible when a node has
autogroup:internet in their ACL destination rules.

Co-authored-by: kradalby <98431+kradalby@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2025-11-01 08:52:29 +00:00
parent a55cdc2636
commit e0107024e8
3 changed files with 35 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
hscontrol/mapper/tail_test.go
View File

@@ -137,10 +137,8 @@ func TestTailNode(t *testing.T) {
),
Addresses: []netip.Prefix{netip.MustParsePrefix("100.64.0.1/32")},
AllowedIPs: []netip.Prefix{
tsaddr.AllIPv4(),
netip.MustParsePrefix("192.168.0.0/24"),
netip.MustParsePrefix("100.64.0.1/32"),
tsaddr.AllIPv6(),
},
PrimaryRoutes: []netip.Prefix{
netip.MustParsePrefix("192.168.0.0/24"),