mirror of
https://github.com/juanfont/headscale.git
synced 2026-07-09 01:20:21 +09:00
ea85dcbc14
CanAccess and CanAccessRoute only used a node's Tailscale IPs as source identity when matching ACL rules. A subnet router acting on behalf of its advertised subnets was invisible to ACLs that reference subnet CIDRs as source (e.g. src=10.88.8.0/24 dst=10.99.9.0/24). Extend both functions to also check whether the node's approved subnet routes overlap the matcher's source set. This makes subnet routers visible to each other when ACLs reference their subnet CIDRs, enabling subnet-to-subnet traffic routing. The new checks are guarded by len(subnetRoutes) > 0, so non-router nodes (the vast majority) pay zero additional cost. Fixes #3157