From f693cc085165395b4e2d2256c8bc973b53f4653a Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Tue, 24 Mar 2026 06:44:52 +0000 Subject: [PATCH] CHANGELOG: document grants support for 0.29.0 Updates #2180 --- CHANGELOG.md | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c72424f5..2f6f91a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -25,11 +25,26 @@ A new `headscale auth` CLI command group supports the approval flow: [#1850](https://github.com/juanfont/headscale/pull/1850) +### Grants + +We now support [Tailscale grants](https://tailscale.com/kb/1324/grants) alongside ACLs. Grants +extend what you can express in a policy beyond packet filtering: the `app` field controls +application-level features like Taildrive file sharing and peer relay, and the `via` field steers +traffic through specific tagged subnet routers or exit nodes. The `ip` field works like an ACL rule. +Grants can be mixed with ACLs in the same policy file. +[#2180](https://github.com/juanfont/headscale/pull/2180) + +As part of this, we added `autogroup:danger-all`. It resolves to `0.0.0.0/0` and `::/0` — all IP +addresses, including those outside the tailnet. This replaces the old behaviour where `*` matched +all IPs (see BREAKING below). The name is intentionally scary: accepting traffic from the entire +internet is a security-sensitive choice. `autogroup:danger-all` can only be used as a source. 
+ ### BREAKING - **ACL Policy**: Wildcard (`*`) in ACL sources and destinations now resolves to Tailscale's CGNAT range (`100.64.0.0/10`) and ULA range (`fd7a:115c:a1e0::/48`) instead of all IPs (`0.0.0.0/0` and `::/0`) [#3036](https://github.com/juanfont/headscale/pull/3036) - This better matches Tailscale's security model where `*` means "any node in the tailnet" rather than "any IP address" - - Policies relying on wildcard to match non-Tailscale IPs will need to use explicit CIDR ranges instead + - Policies that need to match all IP addresses including non-Tailscale IPs should use `autogroup:danger-all` as a source, or explicit CIDR ranges as destinations [#2180](https://github.com/juanfont/headscale/pull/2180) + - `autogroup:danger-all` can only be used as a source; it cannot be used as a destination - **Note**: Users with non-standard IP ranges configured in `prefixes.ipv4` or `prefixes.ipv6` (which is unsupported and produces a warning) will need to explicitly specify their CIDR ranges in ACL rules instead of using `*` - **ACL Policy**: Validate autogroup:self source restrictions matching Tailscale behavior - tags, hosts, and IPs are rejected as sources for autogroup:self destinations [#3036](https://github.com/juanfont/headscale/pull/3036) - Policies using tags, hosts, or IP addresses as sources for autogroup:self destinations will now fail validation 
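Review bot: In the new `### Grants` paragraph, "The `ip` field works like an ACL rule" is too loose for a changelog that introduces a new policy syntax; a reader cannot tell from it what a grant looks like or what `ip` accepts. Consider spelling out the grant shape (which fields carry the source and destination selectors, and whether `ip` takes protocol/port selectors the way an ACL `dst` entry does) or at least linking the headscale policy documentation next to the Tailscale KB link. Two consistency points in the same hunk: the sentence "`autogroup:danger-all` can only be used as a source." is stated again almost verbatim in the BREAKING bullet "can only be used as a source; it cannot be used as a destination", so keep one (the BREAKING bullet is the one operators grep for); and the unchanged "**Note**" bullet about non-standard `prefixes.ipv4`/`prefixes.ipv6` still says those users must "explicitly specify their CIDR ranges", although the bullet just above it now offers `autogroup:danger-all` for the source side of that case, so it should say the same.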
@@ -58,6 +73,18 @@ A new `headscale auth` CLI command group supports the approval flow: - Deprecate `headscale nodes register --key` in favour of `headscale auth register --auth-id` [#1850](https://github.com/juanfont/headscale/pull/1850) - Generalise auth templates into reusable `AuthSuccess` and `AuthWeb` components [#1850](https://github.com/juanfont/headscale/pull/1850) - Unify auth pipeline with `AuthVerdict` type, supporting registration, reauthentication, and SSH checks [#1850](https://github.com/juanfont/headscale/pull/1850) +- Add support for policy grants with `ip`, `app`, and `via` fields [#2180](https://github.com/juanfont/headscale/pull/2180) +- Add `autogroup:danger-all` as a source-only autogroup resolving to all IP addresses [#2180](https://github.com/juanfont/headscale/pull/2180) +- Add capability grants for Taildrive (`cap/drive`) and peer relay (`cap/relay`) with automatic companion capabilities [#2180](https://github.com/juanfont/headscale/pull/2180) +- Add per-viewer via route steering — grants with `via` tags control which subnet router or exit node handles traffic for each group of viewers [#2180](https://github.com/juanfont/headscale/pull/2180) +- Enable Taildrive node attributes on all nodes; actual access is controlled by `cap/drive` grants [#2180](https://github.com/juanfont/headscale/pull/2180) +- Fix exit nodes incorrectly receiving filter rules for destinations that only overlap via exit routes [#2180](https://github.com/juanfont/headscale/pull/2180) +- Fix address-based aliases (hosts, raw IPs) incorrectly expanding to include the matching node's other address family [#2180](https://github.com/juanfont/headscale/pull/2180) +- Fix identity-based aliases (tags, users, groups) resolving to IPv4 only; they now include both IPv4 and IPv6 matching Tailscale behavior [#2180](https://github.com/juanfont/headscale/pull/2180) +- Fix wildcard (`*`) source in ACLs now using actually-approved subnet routes instead of autoApprover policy prefixes 
[#2180](https://github.com/juanfont/headscale/pull/2180) +- Fix non-wildcard source IPs being dropped when combined with wildcard `*` in the same ACL rule [#2180](https://github.com/juanfont/headscale/pull/2180) +- Fix exit node approval not triggering filter rule recalculation for peers [#2180](https://github.com/juanfont/headscale/pull/2180) +- Policy validation error messages now include field context (e.g., `src=`, `dst=`) and are more descriptive [#2180](https://github.com/juanfont/headscale/pull/2180) ## 0.28.0 (2026-02-04)
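Review bot: Several of the `Fix ...` bullets in this hunk change which packets a filter matches, and at least one of them widens access rather than narrowing it: "Fix identity-based aliases (tags, users, groups) resolving to IPv4 only; they now include both IPv4 and IPv6" means a rule that previously admitted only a node's IPv4 address now admits its IPv6 address as well, and "Fix non-wildcard source IPs being dropped when combined with wildcard `*` in the same ACL rule" likewise adds sources that were silently absent before. The narrowing changes ("Fix address-based aliases ... incorrectly expanding to include the matching node's other address family", "Fix wildcard (`*`) source in ACLs now using actually-approved subnet routes instead of autoApprover policy prefixes") can equally break existing reachability. Since the same release already has a BREAKING section for the `*` semantics, cross-reference these filter-semantics changes there so operators know to re-audit policies after upgrading, rather than leaving them among ordinary fixes. Two smaller points: "Fix wildcard (`*`) source in ACLs now using actually-approved subnet routes ..." reads awkwardly; "Wildcard (`*`) source in ACLs now expands to actually-approved subnet routes ..." says the same thing cleanly. And for "Enable Taildrive node attributes on all nodes; actual access is controlled by `cap/drive` grants", state explicitly that without a matching `cap/drive` grant no shares are reachable (default deny), since enabling the attribute fleet-wide is what a reader will notice first.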