Skip to content

types: Distinguish subnet and exit node access #2855

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kradalby merged 6 commits into from
Nov 2, 2025
Merged

types: Distinguish subnet and exit node access #2855

kradalby merged 6 commits into from
Nov 2, 2025

Conversation

@kradalby
Copy link
Collaborator

@kradalby kradalby commented Nov 1, 2025

When we fixed the issue of node visibility of nodes
that only had access to each other because of a subnet
route, we gave all nodes access to all exit routes by
accident.

This commit splits exit nodes and subnet routes in the
access.

If a matcher indicates that the node should have access to
any part of the subnet routes, we do not remove it from the
node list.

If a matcher destination is equal to the internet, and the
target node is an exit node, we also do not remove the access.

Fixes #2784
Fixes #2788

@kradalby kradalby requested a review from juanfont as a code owner November 1, 2025 21:35
@kradalby
policy: Reproduce exit node visibility issues
7be765a 
Reproduces juanfont#2784 and juanfont#2788

Signed-off-by: Kristoffer Dalby <[email protected]>
@kradalby
types: split SubnetRoutes and ExitRoutes
47cf26b 
There are situations where the subnet routes and exit nodes
must be treated differently. This splits it so SubnetRoutes
only returns routes that are not exit routes.

It adds `IsExitRoutes` and `AllApprovedRoutes` for convenience.

Signed-off-by: Kristoffer Dalby <[email protected]>
@kradalby
state: use AllApprovedRoutes instead of SubnetRoutes
5cfff99 
Signed-off-by: Kristoffer Dalby <[email protected]>
@kradalby
types: NodeView CanAccess uses internal
7e80372 
Signed-off-by: Kristoffer Dalby <[email protected]>
@kradalby
matcher: Add func for comparing Dests and TheInternet
fe9060e 
Signed-off-by: Kristoffer Dalby <[email protected]>
@kradalby
types: Distinguish subnet and exit node access
f247467 
When we fixed the issue of node visibility of nodes
that only had access to eachother because of a subnet
route, we gave all nodes access to all exit routes by
accident.

This commit splits exit nodes and subnet routes in the
access.

If a matcher indicates that the node should have access to
any part of the subnet routes, we do not remove it from the
node list.

If a matcher destination is equal to the internet, and the
target node is an exit node, we also do not remove the access.

Fixes juanfont#2784
Fixes juanfont#2788

Signed-off-by: Kristoffer Dalby <[email protected]>
@kradalby kradalby force-pushed the kradalby/2788-exit-visibility branch from f63d45b to f247467 Compare November 2, 2025 09:38
@kradalby kradalby merged commit 2024219 into juanfont:main Nov 2, 2025
93 of 95 checks passed
nblock added a commit to nblock/headscale that referenced this pull request Nov 5, 2025
@nblock
Document how to restrict access to exit nodes per user/group
1d9943c 
Updates: juanfont#2855
Ref: juanfont#2784
@nblock nblock mentioned this pull request Nov 5, 2025
Merged
6 tasks
nblock added a commit that referenced this pull request Nov 11, 2025
@nblock
Document how to restrict access to exit nodes per user/group
abed534 
Updates: #2855
Ref: #2784
@chenrui333 chenrui333 mentioned this pull request Nov 11, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nblock nblock nblock approved these changes

@juanfont juanfont Awaiting requested review from juanfont juanfont is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

2 participants

@kradalby @nblock