[Bug] ACL can't work with netmask smaller than /24 #1955

Closed
3 of 4 tasks
duongmn89 opened this issue May 20, 2024 · 7 comments
Labels
bug Something isn't working policy 📝
Milestone

Comments

@duongmn89

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I've been working with headscale ACLs for tailscale clients.
My current ACL file:

```json
{
  "groups": {
    "group:sre": ["sre1", "sre2"],
    "group:dev": ["dev1", "dev2"]
  },
  "tagOwners": {
    "tag:exitnode": ["group:sre"]
  },
  "acls": [
    { "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self:*"] },
    { "action": "accept", "src": ["*"], "dst": ["tag:exitnode:*"] },
    { "action": "accept", "src": ["group:sre"], "dst": ["*:*"] },
    { "action": "accept", "src": ["group:dev"], "dst": ["10.20.1.0/25:8006"] },
    { "action": "accept", "src": ["group:dev"], "dst": ["10.21.1.0/24:80,443"] }
  ]
}
```

With this configuration, from one of my dev nodes, I test the connection through an exit node:

  • I can connect to 10.21.1.33 tcp/80 (matches the 5th rule)
  • but I can't connect to 10.20.1.113 tcp/8006 (matches the 4th rule)

In the tailscale log on the dev node:

```
open-conn-track: flow TCP 100.64.0.5:43166 > 10.20.1.113:8006 rejected due to acl
```

If I change the 4th rule to 10.20.1.0/24:8006 or 10.20.0.0/16:8006 instead of 10.20.1.0/25:8006, then the connection can be opened.
I also tested with /32 and /30, which didn't work either, but /24 and /16 work.
I also tried replacing 10.20.1.0/25 with a host definition, but that didn't work either.

Expected Behavior

I can connect to 10.20.1.113:8006 with any one of these ACLs:

```json
{ "action": "accept", "src": ["group:dev"], "dst": ["10.20.1.113/32:8006"] }
```
or
```json
{ "action": "accept", "src": ["group:dev"], "dst": ["10.20.1.0/25:8006"] }
```
or
```json
{ "action": "accept", "src": ["group:dev"], "dst": ["10.20.1.0/24:8006"] }
```

Steps To Reproduce

Create the ACL in headscale and test from a tailscale client.

Environment

- OS: ubuntu 22.04
- Headscale version: v0.23.0-alpha9
- Tailscale version: 1.66.1

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response
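To check what a policy like the one above should allow before comparing it with the client's `rejected due to acl` log lines, the following reference evaluator is added here as an example; it is not headscale's own policy code and uses a deliberately simplified, IPv4-only model of the `acls` list (sources are matched as `*` or an exact group name; `group:`, `tag:` and `autogroup:` destinations are not resolved). `Policy` reproduces the reported rules in order, so the returned rule numbers line up with the "4th rule" / "5th rule" in the report; the third flow (`10.20.1.200`) is a constructed address outside the /25, included to show the rejection path.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Rule is the shape of one "acls" entry (simplified model for this check).
type Rule struct {
	Action string
	Src    []string
	Dst    []string
}

// Policy reproduces the "acls" list from the report, in the same order.
var Policy = []Rule{
	{Action: "accept", Src: []string{"autogroup:members"}, Dst: []string{"autogroup:self:*"}},
	{Action: "accept", Src: []string{"*"}, Dst: []string{"tag:exitnode:*"}},
	{Action: "accept", Src: []string{"group:sre"}, Dst: []string{"*:*"}},
	{Action: "accept", Src: []string{"group:dev"}, Dst: []string{"10.20.1.0/25:8006"}},
	{Action: "accept", Src: []string{"group:dev"}, Dst: []string{"10.21.1.0/24:80,443"}},
}

// dstMatches reports whether a destination spec such as "10.20.1.0/25:8006",
// "10.20.1.113:8006", "10.21.1.0/24:80,443" or "*:*" covers addr:port.
// Symbolic destinations (group:, tag:, autogroup:) never match here.
func dstMatches(dst string, addr netip.Addr, port uint16) (bool, error) {
	i := strings.LastIndex(dst, ":")
	if i < 0 {
		return false, fmt.Errorf("destination %q has no port spec", dst)
	}
	host, ports := dst[:i], dst[i+1:]

	switch {
	case host == "*":
		// wildcard address: only the port check below applies
	case strings.HasPrefix(host, "group:"), strings.HasPrefix(host, "tag:"),
		strings.HasPrefix(host, "autogroup:"):
		return false, nil
	default:
		pfx, err := netip.ParsePrefix(host) // CIDR form
		if err != nil {
			a, err2 := netip.ParseAddr(host) // bare IP: treat as a /32
			if err2 != nil {
				return false, fmt.Errorf("destination %q: %w", dst, err)
			}
			pfx = netip.PrefixFrom(a, a.BitLen())
		}
		if !pfx.Contains(addr) {
			return false, nil
		}
	}

	if ports == "*" {
		return true, nil
	}
	// comma-separated ports, each a single port or an inclusive "lo-hi" range
	for _, p := range strings.Split(ports, ",") {
		lo, hi := p, p
		if j := strings.Index(p, "-"); j >= 0 {
			lo, hi = p[:j], p[j+1:]
		}
		l, err1 := strconv.ParseUint(lo, 10, 16)
		h, err2 := strconv.ParseUint(hi, 10, 16)
		if err1 != nil || err2 != nil {
			return false, fmt.Errorf("destination %q: bad port spec %q", dst, p)
		}
		if uint64(port) >= l && uint64(port) <= h {
			return true, nil
		}
	}
	return false, nil
}

// Allowed returns the 1-based number of the first accept rule that lets a
// node in srcGroup reach addr:port, or 0 if the flow should be rejected.
func Allowed(rules []Rule, srcGroup string, addr netip.Addr, port uint16) (int, error) {
	for n, r := range rules {
		if r.Action != "accept" {
			continue
		}
		srcOK := false
		for _, s := range r.Src {
			if s == "*" || s == srcGroup {
				srcOK = true
			}
		}
		if !srcOK {
			continue
		}
		for _, d := range r.Dst {
			ok, err := dstMatches(d, addr, port)
			if err != nil {
				return 0, err
			}
			if ok {
				return n + 1, nil
			}
		}
	}
	return 0, nil
}

func main() {
	// The two flows from the report plus one constructed address outside the /25.
	for _, f := range []struct {
		ip   string
		port uint16
	}{{"10.21.1.33", 80}, {"10.20.1.113", 8006}, {"10.20.1.200", 8006}} {
		n, err := Allowed(Policy, "group:dev", netip.MustParseAddr(f.ip), f.port)
		if err != nil {
			panic(err)
		}
		fmt.Printf("group:dev -> %s:%d  expected rule %d\n", f.ip, f.port, n)
	}
}
```

Running it prints rule 5 for `10.21.1.33:80`, rule 4 for `10.20.1.113:8006` and 0 for the address outside the /25; a client log showing `rejected due to acl` for a flow the evaluator maps to rule 4 points at the control server's policy compilation rather than at the policy text itself.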

@duongmn89 duongmn89 added the bug Something isn't working label May 20, 2024
@duongmn89
Author

I want to dump the current ACL at the tailscale client, but I can't find any way to do that.

@duongmn89
Author

I tested with headscale version v0.22.3 and didn't see this problem; the ACL works as expected with /32, /25 or /24.
So I guess this is a new bug in v0.23.0-alpha9.

@winterheart
Contributor

This should be fixed in alpha10, see #1817.

@kradalby
Collaborator

@duongmn89 can you test if it is fixed as mentioned?

@kradalby kradalby added this to the v0.23.0 milestone May 21, 2024
@duongmn89
Author

Thanks, I will test alpha10 today.

@duongmn89
Author

@kradalby @winterheart this problem does not exist in alpha10, thanks.

@kradalby
Collaborator

Great!
