Files
headscale/hscontrol/types
Ubuntu ea85dcbc14 types: consider subnet routes as source identity in ACL matching
CanAccess and CanAccessRoute only used a node's Tailscale IPs as
source identity when matching ACL rules. A subnet router acting on
behalf of its advertised subnets was invisible to ACLs that reference
subnet CIDRs as source (e.g. src=10.88.8.0/24 dst=10.99.9.0/24).

Extend both functions to also check whether the node's approved
subnet routes overlap the matcher's source set. This makes subnet
routers visible to each other when ACLs reference their subnet CIDRs,
enabling subnet-to-subnet traffic routing.

The new checks are guarded by len(subnetRoutes) > 0, so non-router
nodes (the vast majority) pay zero additional cost.

Fixes #3157
2026-04-02 13:23:23 +00:00
..
2025-02-26 16:22:55 +01:00
2026-02-06 21:45:32 +01:00