Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add autogroup:internet, fix reduce filter rules #1917

Merged
merged 3 commits into from
Apr 30, 2024
Merged

add autogroup:internet, fix reduce filter rules #1917

merged 3 commits into from
Apr 30, 2024

Conversation

kradalby
Copy link
Collaborator

@kradalby kradalby commented Apr 29, 2024
edited
Loading

This PR contains two features:

  • autogroup:internet for policy
  • fix of a too aggressive reduction of node specific rules

The majority of lines in this PR is tests based on #1817 and #1786.

Fixes #1817
Fixes #1786
Updates #657

@kradalby
add tests to reproduce juanfont#1786
e0134ea 
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
@kradalby
add autogroup:internet
1561838 
Updates juanfont#657
Updates juanfont#1786

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
@kradalby
more tests and fix
5bb746c 
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
@kradalby kradalby changed the title Improve reduce filter rules add autogroup:internet, fix reduce filter rules Apr 29, 2024
This was referenced Apr 29, 2024
Closed
Closed
@kradalby kradalby marked this pull request as ready for review April 29, 2024 15:17
@kradalby kradalby mentioned this pull request Apr 29, 2024
Closed
juanfont
juanfont approved these changes Apr 29, 2024
View reviewed changes
hscontrol/policy/acls.go

// theInternet returns the IPSet for the Internet.
// https://www.youtube.com/watch?v=iDbyYGrswtg
func theInternet() *netipx.IPSet {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hahahaha

@kradalby kradalby merged commit 87e2ae4 into juanfont:main Apr 30, 2024
101 checks passed
Gurkengewuerz
Gurkengewuerz reviewed May 18, 2024
View reviewed changes
hscontrol/policy/acls.go

// Delete Tailscale networks
internetBuilder.RemovePrefix(netip.MustParsePrefix("fd7a:115c:a1e0::/48"))
internetBuilder.RemovePrefix(netip.MustParsePrefix("100.64.0.0/10"))
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you can define custom ip prefixes is it a good practice to assume the user is using the default tailscale network?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tailscale client does not support other up ranges, so while it is configurable in Headscale you cannot use anything else.

If that changes we could read it from the config.
Happy to take a pr changing it to the config values if you are up for it :)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks to make it clear. didn't knew that and just read through the code and commented with my thoughts. 😁

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gurkengewuerz Gurkengewuerz Gurkengewuerz left review comments

@juanfont juanfont juanfont approved these changes

@ohdearaugustin ohdearaugustin Awaiting requested review from ohdearaugustin ohdearaugustin is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

headscale 0.23.0-alpha5 ignores /32 masks in ACLs Reducing filter rules breaks exit node access
3 participants
@kradalby @juanfont @Gurkengewuerz