Description
Is this a support request?
- This is not a support request
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
Hi,
v0.26 introduced this feature:
policy: reduce routes sent to peers based on packetfilter #2561
described in this bug report: #2365
Assume the following situation:
Node A (100.123.45.67) is a Router (part of group routers). Network 192.168.1.0/24 is connected to this Router.
Node B (100.123.45.89) is a regular Node.
Policy in place (simplified):
```json
{
  "acls": [
    {
      "action": "accept",
      "src": [
        "192.168.1.0/24",
        "group:routers"
      ],
      "dst": [
        "*:*"
      ]
    }
  ]
}
```
This policy allows traffic from all routers and the network 192.168.1.0/24 to everywhere.
Before v0.26 it was possible to connect (for example via ssh) directly from Node A (100.123.45.67) to Node B (100.123.45.89), and also from any machine in the 192.168.1.0/24 network to Node B (100.123.45.89). Connections from Node B to Node A or to any machine on 192.168.1.0/24 were restricted, though.
With the reduction of routes sent to peers based on packetfilter, the connection from the network 192.168.1.0/24 to Node B (100.123.45.89) does not work any more, since Node B has no route to send the response back to.
So while the policy in place allows said connectivity, it practically cannot work any more.
Expected Behavior
Established and related connections should be allowed, like it was before 0.26. For this, the routes need to be known to the node.
Steps To Reproduce
Set up per above scenario.
Environment
- OS: Ubuntu 24.04.2 LTS
- Headscale version: 0.26
- Tailscale version: 1.82.5
Runtime environment
- Headscale is behind a (reverse) proxy
- Headscale runs in a container
Debug information
Happy to provide this if really required, however I believe the description above explains it in sufficient detail.
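To make the asymmetry in the report concrete, the following is an added, simplified model of the route-reduction behaviour and is not headscale's or Tailscale's own code. It evaluates the policy above from each node's point of view: a peer's subnet route is kept only if the viewing node's own packet filter lets it initiate traffic into that subnet. Ports are ignored, group membership is hard-coded from the scenario, the two nodes and the subnet are constructed sample data, and `with_reverse_rule` is a hypothetical helper that adds a reverse accept rule purely to show what changes the outcome.

```python
"""Simplified model of packet-filter-derived route reduction (added example,
not headscale code). Shows that 192.168.1.0/24 hosts may initiate to Node B
while Node B receives no route back to that subnet."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    ip: str
    routes: list = field(default_factory=list)  # advertised subnet routes (CIDR strings)


# Constructed sample data matching the scenario in the report.
NODE_A = Node("A", "100.123.45.67", routes=["192.168.1.0/24"])
NODE_B = Node("B", "100.123.45.89")
GROUPS = {"group:routers": [NODE_A.ip]}  # assumption: group membership resolved statically

# The report's policy, reduced to the single rule it shows.
ISSUE_POLICY = {
    "acls": [
        {"action": "accept", "src": ["192.168.1.0/24", "group:routers"], "dst": ["*:*"]}
    ]
}


def _src_matches(entry: str, ip: str) -> bool:
    """Does a src entry ('*', 'group:name', an IP or a CIDR) cover the address?"""
    if entry == "*":
        return True
    if entry.startswith("group:"):
        return ip in GROUPS.get(entry, [])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)


def _dst_matches(entry: str, ip: str) -> bool:
    """Does a dst entry ('host:port', 'cidr:port' or '*:*') cover the address?
    The port part is ignored in this model."""
    host = entry.rsplit(":", 1)[0]
    return _src_matches(host, ip)


def allowed(policy: dict, src_ip: str, dst_ip: str) -> bool:
    """True if some accept rule lets src_ip initiate a flow to dst_ip."""
    return any(
        rule["action"] == "accept"
        and any(_src_matches(s, src_ip) for s in rule["src"])
        and any(_dst_matches(d, dst_ip) for d in rule["dst"])
        for rule in policy["acls"]
    )


def _probe_host(cidr: str) -> str:
    """First usable host of a prefix, used to test rule membership."""
    return str(next(ipaddress.ip_network(cidr, strict=False).hosts()))


def routes_sent_to(policy: dict, viewer: Node, peer: Node) -> list:
    """Model of the v0.26 reduction: the viewer only receives a peer's subnet
    route if the viewer's packet filter allows it to initiate into that subnet."""
    return [c for c in peer.routes if allowed(policy, viewer.ip, _probe_host(c))]


def asymmetric_flows(policy: dict, viewer: Node, peer: Node) -> list:
    """Subnets whose hosts are allowed to initiate to the viewer although the
    viewer receives no route for them, so reply packets have nowhere to go."""
    visible = set(routes_sent_to(policy, viewer, peer))
    return [
        c for c in peer.routes
        if allowed(policy, _probe_host(c), viewer.ip) and c not in visible
    ]


def with_reverse_rule(policy: dict, viewer: Node, cidr: str) -> dict:
    """Hypothetical helper: a copy of the policy with an extra accept rule
    from the viewer into the subnet, to show when the route is sent again."""
    extra = {"action": "accept", "src": [viewer.ip], "dst": [f"{cidr}:*"]}
    return {"acls": policy["acls"] + [extra]}


if __name__ == "__main__":
    print("A -> B allowed:", allowed(ISSUE_POLICY, NODE_A.ip, NODE_B.ip))
    print("192.168.1.10 -> B allowed:", allowed(ISSUE_POLICY, "192.168.1.10", NODE_B.ip))
    print("B -> 192.168.1.10 allowed:", allowed(ISSUE_POLICY, NODE_B.ip, "192.168.1.10"))
    print("routes B receives from A:", routes_sent_to(ISSUE_POLICY, NODE_B, NODE_A))
    print("subnets that can reach B but B cannot route to:",
          asymmetric_flows(ISSUE_POLICY, NODE_B, NODE_A))
    print("routes B receives with a reverse rule:",
          routes_sent_to(with_reverse_rule(ISSUE_POLICY, NODE_B, "192.168.1.0/24"),
                         NODE_B, NODE_A))
```

`asymmetric_flows` is the check a practitioner would run against a policy before upgrading: any subnet it returns is one where inbound connections are accepted by the filter but the receiving node has no route for the reply traffic. The reverse-rule helper only demonstrates the mechanism; it widens the policy beyond what the report intends, which is why the report asks for established and related connections to keep working instead.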