
[Bug] ACLs although going one way, are discoverable by the "dst". #1961

Closed
2 of 4 tasks
mifraburneo opened this issue May 28, 2024 · 1 comment
Labels
bug Something isn't working

Comments

mifraburneo commented May 28, 2024

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have these users as an example:
image

As well as this ACL:
image

So now currently:
Mifra's (admin's) machines are able to see all the network's machines.
BUT
Any user's machines are able to see Mifra's machines as well (i.e. discover them via the UI or tailscale status, which provides information like the IP and whether they're up or not), although it seems that they're not able to ping or ssh, etc.

Expected Behavior

I expect that the only rule in the ACL is considered.
That is, only the admin group members can see and access other machines, and not vice versa.

Steps To Reproduce

Create at least 3 users and assign an ACL in the same manner as shown above.

Environment

- OS: Ubuntu 24.4
- Headscale version: 0.22.3
- Tailscale version: indifferent, but 1.64 for example

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response

mifraburneo added the bug label on May 28, 2024

kradalby (Collaborator) commented May 30, 2024

Hi, this is intended behaviour: if one of two machines can reach the other, they will be visible in each other's map (and therefore UI/status). Only nodes that cannot connect to each other at all will be fully removed from the list.

Access should be correctly limited, but they won't be removed from the list; from what I understand, they can see, but not access.
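As an added illustration of the visibility rule described in the comment above (example code written for this page, not headscale's own implementation): a small model of a one-way policy in which only group:admin may initiate connections, showing that every node still lists the admin's machines as peers while access remains one-way. The policy, users and node names are constructed; dst selectors are simplified to `*` or a user name.

```python
# Constructed policy (not the reporter's actual ACL, which was an image):
# only members of group:admin may initiate connections to any node.
POLICY = {
    "groups": {"group:admin": ["mifra"]},
    "acls": [
        {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
    ],
}

# Constructed nodes: node name -> owning user.
NODES = {"mifra-laptop": "mifra", "alice-pc": "alice", "bob-pc": "bob"}


def expand_src(selector: str, policy: dict) -> set[str]:
    """Resolve a src selector to a set of user names ('*' means everyone)."""
    if selector == "*":
        return set(NODES.values())
    if selector.startswith("group:"):
        return set(policy["groups"].get(selector, []))
    return {selector}


def can_access(src: str, dst: str, policy: dict) -> bool:
    """True if some accept rule lets node src open a connection to node dst.

    Simplified dst matching: 'host:port' where host is '*' or a user name.
    """
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        allowed_users = set().union(*(expand_src(s, policy) for s in rule["src"]))
        src_ok = NODES[src] in allowed_users
        dst_ok = any(d.split(":")[0] in ("*", NODES[dst]) for d in rule["dst"])
        if src_ok and dst_ok:
            return True
    return False


def visible_peers(node: str, policy: dict) -> set[str]:
    """Peers shown in node's map: those reachable in either direction.

    This mirrors the rule in the comment: a peer is only dropped from the
    list when neither side can connect to the other.
    """
    return {
        p for p in NODES
        if p != node and (can_access(node, p, policy) or can_access(p, node, policy))
    }
```

Running `visible_peers("alice-pc", POLICY)` returns the admin's machine even though `can_access("alice-pc", "mifra-laptop", POLICY)` is False, which is exactly the reported observation.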
