ACL src/dst with host-alias not working #941

Closed
razza-guhl opened this issue Nov 7, 2022 · 8 comments · Fixed by #1304
Labels
bug Something isn't working

Comments

@razza-guhl

Bug description

Using a host alias as dst/destination in ACLs does not work. In this case no nodes can talk to each other. The command "tailscale status" only shows itself.
The same applies when using an alias in src/source as well.

When using the IP instead of the host alias, the ACL works.

To Reproduce

A sample ACL which is not working:

{
    "hosts": {
        "client1": "100.64.0.1",
        "client2": "100.64.0.2",
        "server":  "100.64.0.4",
    },

    "acls": [
        {
            "action": "accept",
            "src": [
                "*",
            ],
            "dst": [
                "server:22,80",
            ],
        },
    ],
}

Context info

  • Version of headscale used: 0.17.0-beta2
  • Version of tailscale client: 1.32.2 (Windows), 1.32.0 (Linux)
  • OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version: Windows 10, Linux DietPi v8.9.2
  • Kernel version: 5.15.61-v8+
  • The relevant config parameters you used: see above
  • Log output: no
@razza-guhl razza-guhl added the bug Something isn't working label Nov 7, 2022
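
An added example, not part of the issue thread or of headscale's code: the report notes that literal IPs work where aliases do not, so this sketch rewrites each `hosts` alias in `src`/`dst` to its IP before the policy is loaded. `Policy`, `expand` and `ExpandAliases` are hypothetical names, and the trailing-comma handling is a regex simplification rather than a full parser for the relaxed JSON the sample uses.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Policy mirrors only the fields that appear in the issue's sample ACL.
type Policy struct {
	Hosts map[string]string `json:"hosts"`
	ACLs  []struct {
		Action   string `json:"action"`
		Src, Dst []string // matched to "src"/"dst" case-insensitively
	} `json:"acls"`
}

// trailingComma: comma before } or ]; simplification, also hits ",}" inside strings.
var trailingComma = regexp.MustCompile(`,(\s*[}\]])`)

// expand swaps a hosts alias for its IP and keeps any ":ports" suffix.
func expand(entry string, hosts map[string]string) string {
	name, _, _ := strings.Cut(entry, ":")
	if ip, ok := hosts[name]; ok {
		return ip + entry[len(name):]
	}
	return entry // "*", literal IPs and names not in hosts stay unchanged
}

// ExpandAliases parses the policy and rewrites src/dst aliases to their IPs.
func ExpandAliases(raw string) (p Policy, err error) {
	if err = json.Unmarshal([]byte(trailingComma.ReplaceAllString(raw, "$1")), &p); err != nil {
		return p, fmt.Errorf("parse policy: %w", err)
	}
	for _, r := range p.ACLs { // r is a copy, but its slices share storage with p.ACLs
		for _, list := range [][]string{r.Src, r.Dst} {
			for j, e := range list {
				list[j] = expand(e, p.Hosts)
			}
		}
	}
	return p, nil
}

func main() { // constructed input: the issue's policy, shortened to one host
	p, err := ExpandAliases(`{"hosts":{"server":"100.64.0.4",},"acls":[{"action":"accept","src":["*",],"dst":["server:22,80",],},],}`)
	fmt.Println(p.ACLs, err)
}
```
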
@razza-guhl
Author

razza-guhl commented Nov 8, 2022

I tested the ACL on headscale version 0.16.4 (stable) with the same result.

@camaeel

camaeel commented Nov 28, 2022

I have similar issues when using a minimal ACL at version 0.17.0:

acls: 
- src:
  - "*"
  dest:
  - "*:*"
  action: "accept"

@kradalby
Collaborator

ACLs are in a fragile state and we are getting to a point where we can start writing tests to verify that they work, so we will hopefully have time to improve and fix them from now on, but I cannot give an ETA.

@camaeel

camaeel commented Nov 29, 2022

Then maybe it should be marked as not fully functional in the docs.

@12nick12

12nick12 commented Dec 6, 2022

I can't wait till they're 100%. Right now it works if I have * open to *:anyport, but that means all devices get shown on each host.

@camaeel

camaeel commented Dec 6, 2022

@kradalby Maybe there are some issues describing what exactly is missing/not working, so the community could help here?
Is it possible to test in an automated way what is working and what is not? Either with unit tests or integration tests (using for example testcontainers to set up "the test case")?

@kradalby
Collaborator

@camaeel My goal is to start writing these tests this week, which should hopefully make it more clear what is and isn't working, because right now we actually don't know.

@camaeel

camaeel commented Dec 15, 2022

That would be great.
I tried to figure out how the tailscale client gets the data about other nodes. Does it call the same API that is used by the headscale CLI, or something else?
