Various ACL rules not working #809

madjam002 · 2022-09-15T12:13:53Z

There are various scenarios that I've found where ACL rules are not working in Headscale as expected:

IPv6 addresses or prefixes are not supported in dst (error Could not load the ACL policy error="invalid port format") unless they are in the hosts alias map and an alias is used instead.
dst: *:* (existing bug report - dst:"*:*" not working in ACLs #699)
Using src/dst rules with subnet router CIDRs does not send the subnet router peer itself. A dummy rule e.g subnetrouterip:0 must be defined in the ACLs to make it work.
If a node is tagged with headscale nodes tag, no peers are sent to the node even if the packet filter allows for it. Untagging the node then correctly sends the peers.

Context info

The text was updated successfully, but these errors were encountered:

kradalby · 2023-04-19T17:52:38Z

I have addressed some of these, at least IPv6, I think dst. Would be great if you can try upstream and report back :)

juanfont · 2023-05-10T14:03:16Z

Please reopen if you are still facing issues.

madjam002 added the bug Something isn't working label Sep 15, 2022

kradalby mentioned this issue Dec 16, 2022

ACL testing playground #1069

Closed

kradalby mentioned this issue Apr 14, 2023

Fix IPv6 in ACLs #1339

Merged

juanfont closed this as completed May 10, 2023

paladincorners mentioned this issue Nov 16, 2023

ACLs not working with IPV6 (reopening of #809) #1607

Closed

Provide feedback