Add support for autoApprovers ACL #763
Conversation
tsujamin
force-pushed
the
autoapprovers
branch
from
44e4a8f to
60cc9dd
Compare
|
@tsujamin can you update the PR to fix the conflict and replace inet.af/netaddr with net/netip? |
|
merged and refactored |
|
linting issues fixed |
There was a problem hiding this comment.
I think this looks pretty very good, I would have liked to see these kind of tests for functions like GetRouteApprovers.
We also need a CHANGELOG entry.
| } | ||
| } | ||
|
|
||
| for _, approvedRoute := range approvedRoutes { |
There was a problem hiding this comment.
I have one concern here, but feel free to let me know if I have missed it:
If a node advertise a route, and at the time it is accepted by the ACL autoapprove, what happens if it is removed from the ACL?
I believe the current behaviour would result in the route being left active, which is probably ok since the feature is Auto approve and not implying that it will keep the settings in sync. However we probably should call this out somewhere, not sure where tho.
There was a problem hiding this comment.
Yeah you're right - if a route advertised by a node is autoApproved under the current policy, and that policy changes, the route will remain approved. As far as I can gather this is similar to the SaaS offering's behaviour: once a route is auto-approved its up to the user to manage it from that point.
Let me know if there's a good place to docco it - another option could be (if my other preauthkey related PR is merged) writing a doc on how to use both features together and call out this behaviour there?
There was a problem hiding this comment.
If this resembles the upstream behaviour, which the name implies, that it will be approved and is not "state management", then it is fine.
You can document them together.
Another quick question, if a route is already announced by a node, but not approved, and then the autoApprove rule is added, will it get approved? Basically, is this evaluated when a node joins/sends an update, etc.
|
awesome - I can add a test like that but since the underlying logic relied on the same expandAlias logic I ommited it for now. do you want me to do the change-log or is that something the maintainers do as a rollup? |
You can add the changelog. |
tsujamin
force-pushed
the
autoapprovers
branch
from
6f9699a to
d764f52
Compare
| return nil, err | ||
| } | ||
|
|
||
| if autoApprovedPrefix.Bits() >= prefix.Bits() && |
There was a problem hiding this comment.
I think this logic might be the wrong way around?
i.e if I have an auto approved prefix of 10.0.0.0/8 and then I try to advertise 10.1.0.0/24, I would expect autoApprovedPrefix.Bits() == 8 and prefix.Bits() == 24, or am I misunderstanding this?
I ask because I tried out the parent prefix thing and it doesn't seem to work for me. For now I'm going to add all 255 /24s I need to my ACL to move on xD. If I get some time later I might try forking and inverting this logic and see if it fixes my issue.
There was a problem hiding this comment.
Wow, thanks for the speedy response. And also thanks for shipping this very hype feature :)
There was a problem hiding this comment.
np, nothing good on tv right now 😂 should be fixed in #862 hopefully
I've patched in support for AutoApprovers for exit nodes and subnets per https://tailscale.com/blog/auto-approvers/
The behaviour of the code is (currently)
Let me know what you think, happy to tweak as far as my limited go skills allow