policy: surface exit nodes via autogroup:internet (#3212)

compileFilterRules skipped autogroup:internet destinations to keep them out of the wire-format PacketFilter, but those same compiled rules are the source of pm.matchers — and Node.CanAccess relies on a matcher whose DestsIsTheInternet covers the public internet to surface exit-node peers to ACL sources. With the skip in place no such matcher existed, exit nodes silently dropped out of the source's peer list, and the docs' exit-node walkthrough stopped working: `tailscale exit-node list` returned "no exit nodes found" and `tailscale set --exit-node=<ip>` returned "no node found in netmap with IP". Drop the compile-time skip so autogroup:internet flows through normal matcher derivation, and teach ReduceFilterRules to keep the resulting client packet-filter rule on exit-route advertisers — Tailscale SaaS sends those rules to exit nodes so the kernel filter accepts traffic forwarded by autogroup:internet sources. Verified against a live tailnet on 2026-04-28 via tscap; the b17/b18 captures land under testdata/issue_3212/ as a regression guard. The captures are isolated from testdata/routes_results/ because the broader TestRoutesCompat machinery assumes a CIDR-prefix wire format that differs from the IPSet-range form SaaS emits for autogroup:internet — aligning that wire format is tracked separately. Fixes #3212
2026-05-05 03:56:10 +02:00 · 2026-04-28 11:30:58 +00:00 · 2026-04-28 11:30:58 +00:00 · c7a0ca709f
commit c7a0ca709f
parent a7d405a255
8 changed files with 22985 additions and 11 deletions
--- a/hscontrol/policy/policy_test.go
+++ b/hscontrol/policy/policy_test.go
@ -951,11 +951,13 @@ func TestReduceNodesFromPolicy(t *testing.T) {
  ]
 }`,
 			node: n(1, "100.64.0.1", "mobile", "mobile"),
-			// autogroup:internet does not generate packet filters - it's handled
-			// by exit node routing via AllowedIPs, not by packet filtering.
-			// Only server is visible through the mobile -> server:80 rule.
+			// autogroup:internet emits no client packet filter, but it
+			// must still produce a matcher: Node.CanAccess uses
+			// matcher.DestsIsTheInternet() + IsExitNode() to surface
+			// exit-node peers (juanfont/headscale#3212).
 			want: types.Nodes{
 				n(2, "100.64.0.2", "server", "server"),
+				n(3, "100.64.0.3", "exit", "server", "0.0.0.0/0", "::/0"),
 			},
 			wantMatchers: 1,
 		},
--- a/hscontrol/policy/policyutil/reduce.go
+++ b/hscontrol/policy/policyutil/reduce.go
@ -6,6 +6,7 @@ import (

 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
+	"go4.org/netipx"
 	"tailscale.com/tailcfg"
 )

@ -18,6 +19,7 @@ import (
 func ReduceFilterRules(node types.NodeView, rules []tailcfg.FilterRule) []tailcfg.FilterRule {
 	ret := []tailcfg.FilterRule{}
 	subnetRoutes := node.SubnetRoutes()
+	hasExitRoutes := node.IsExitNode()

 	for _, rule := range rules {
 		// Handle CapGrant rules separately — they use CapGrant[].Dsts
@ -56,6 +58,14 @@ func ReduceFilterRules(node types.NodeView, rules []tailcfg.FilterRule) []tailcf
 			// AllowedIPs/routing.
 			if slices.ContainsFunc(subnetRoutes, expanded.OverlapsPrefix) {
 				dests = append(dests, dest)
+				continue
+			}
+
+			// Exit-route advertisers need rules targeting the
+			// public internet so the kernel filter accepts
+			// traffic forwarded by autogroup:internet sources.
+			if hasExitRoutes && ipSetSubsetOf(expanded, util.TheInternet()) {
+				dests = append(dests, dest)
 			}
 		}

@ -71,6 +81,20 @@ func ReduceFilterRules(node types.NodeView, rules []tailcfg.FilterRule) []tailcf
 	return ret
 }

+func ipSetSubsetOf(candidate, container *netipx.IPSet) bool {
+	if candidate == nil || container == nil {
+		return false
+	}
+
+	for _, pref := range candidate.Prefixes() {
+		if !container.ContainsPrefix(pref) {
+			return false
+		}
+	}
+
+	return true
+}
+
 // reduceCapGrantRule filters a CapGrant rule to only include CapGrant
 // entries whose Dsts match the given node's IPs. When a broad prefix
 // (e.g. 100.64.0.0/10 from dst:*) contains a node's IP, it is
--- a/hscontrol/policy/v2/filter.go
+++ b/hscontrol/policy/v2/filter.go
@ -166,12 +166,6 @@ func (pol *Policy) destinationsToNetPortRange(
 			continue
 		}

-		// autogroup:internet does not generate packet filters - it's handled
-		// by exit node routing via AllowedIPs, not by packet filtering.
-		if ag, isAutoGroup := dest.(*AutoGroup); isAutoGroup && ag.Is(AutoGroupInternet) {
-			continue
-		}
-
 		ips, err := dest.Resolve(pol, users, nodes)
 		if err != nil {
 			log.Trace().Caller().Err(err).Msgf("resolving destination ips")
--- a/hscontrol/policy/v2/filter_test.go
+++ b/hscontrol/policy/v2/filter_test.go
@ -4101,6 +4101,14 @@ func TestDestinationsToNetPortRange_AutogroupInternet(t *testing.T) {
 	pol := &Policy{}
 	ports := []tailcfg.PortRange{tailcfg.PortRangeAny}

+	// autogroup:internet must surface as DstPorts (not be skipped at
+	// compile time). The matcher derived from these FilterRules is
+	// what makes Node.CanAccess return true for exit-node peers via
+	// DestsIsTheInternet (#3212). The wire format is currently the
+	// canonical CIDR breakdown of util.TheInternet(); aligning it to
+	// the SaaS range form is tracked separately.
+	internetPrefixCount := len(util.TheInternet().Prefixes())
+
 	tests := []struct {
 		name     string
 		dests    Aliases
@ -4108,9 +4116,9 @@ func TestDestinationsToNetPortRange_AutogroupInternet(t *testing.T) {
 		wantStar bool
 	}{
 		{
-			name:    "autogroup:internet produces no DstPorts",
+			name:    "autogroup:internet produces TheInternet DstPorts",
 			dests:   Aliases{agp(string(AutoGroupInternet))},
-			wantLen: 0,
+			wantLen: internetPrefixCount,
 		},
 		{
 			name:     "wildcard produces DstPorts with star",
--- a/hscontrol/policy/v2/issue_3212_test.go
+++ b/hscontrol/policy/v2/issue_3212_test.go
@ -0,0 +1,172 @@
+// Tests pinned against tscap captures for juanfont/headscale#3212.
+//
+// The captures were taken on 2026-04-28 against a live Tailscale SaaS
+// tailnet. They reproduce the literal #3212 setup: an ACL granting
+// access to autogroup:internet:* combined with autoApprovers.exitNode
+// approving exit routes on tagged exit nodes. SaaS surfaces those exit
+// nodes as peers in the ACL source's netmap with 0.0.0.0/0 and ::/0 in
+// AllowedIPs. Headscale must do the same — that is the user-visible UX
+// driving `tailscale exit-node list`.
+//
+// Captures live under testdata/issue_3212/ rather than testdata/
+// routes_results/ so the broader TestRoutesCompat / *PeerAllowedIPs /
+// *ReduceRoutes machinery does not pull them in. Those tests assume a
+// PacketFilterRules wire format (CIDR prefix per dest entry) that
+// differs from what SaaS emits for autogroup:internet (range form per
+// IPSet range — e.g. "0.0.0.0-9.255.255.255"). Aligning that wire
+// format is tracked separately; the #3212 fix is about peer
+// visibility, not packet-filter encoding.
+
+package v2
+
+import (
+	"path/filepath"
+	"slices"
+	"strings"
+	"testing"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/types/testcapture"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"tailscale.com/net/tsaddr"
+)
+
+// TestIssue3212AutogroupInternetExitVisibility loads the b17/b18
+// SaaS captures and asserts headscale's BuildPeerMap surfaces every
+// exit-route advertiser to every ACL-source node — matching the peer
+// list in the captured netmap.
+//
+// The bug fixed by this PR (#3212) was that headscale skipped
+// autogroup:internet during FilterRule compilation, which silently
+// dropped the matchers that Node.CanAccess reads via DestsIsTheInternet.
+// The captures pin the SaaS-equivalent expectation as a regression
+// guard so the same skip cannot sneak back in unnoticed.
+func TestIssue3212AutogroupInternetExitVisibility(t *testing.T) {
+	t.Parallel()
+
+	files := []string{
+		"routes-b17-autogroup-internet-with-exit-autoapprover",
+		"routes-b18-autogroup-internet-wildcard-src-with-exit-autoapprover",
+	}
+
+	for _, testID := range files {
+		path := filepath.Join(
+			"testdata", "issue_3212", testID+".hujson",
+		)
+		tf := loadRoutesTestFile(t, path)
+
+		t.Run(tf.TestID, func(t *testing.T) {
+			t.Parallel()
+
+			users, nodes := buildRoutesUsersAndNodes(t, tf.Topology)
+			policyJSON := convertPolicyUserEmails(tf.Input.FullPolicy)
+
+			pm, err := NewPolicyManager(
+				policyJSON, users, nodes.ViewSlice(),
+			)
+			require.NoErrorf(t, err,
+				"%s: failed to create PolicyManager", tf.TestID,
+			)
+
+			peerMap := pm.BuildPeerMap(nodes.ViewSlice())
+
+			expected := expectedExitPeerVisibility(t, tf, nodes)
+			require.NotEmptyf(t, expected,
+				"%s: capture exposes no source→exit relationships — "+
+					"the test is meaningless if SaaS itself never "+
+					"surfaced an exit node to a source",
+				tf.TestID,
+			)
+
+			for srcName, exitNames := range expected {
+				srcNode := findNodeByGivenName(nodes, srcName)
+				require.NotNilf(t, srcNode,
+					"%s: src node %q missing from topology",
+					tf.TestID, srcName,
+				)
+
+				peerIDs := make(
+					map[types.NodeID]struct{},
+					len(peerMap[srcNode.ID]),
+				)
+				for _, p := range peerMap[srcNode.ID] {
+					peerIDs[p.ID()] = struct{}{}
+				}
+
+				for _, exitName := range exitNames {
+					exitNode := findNodeByGivenName(nodes, exitName)
+					require.NotNilf(t, exitNode,
+						"%s: exit node %q missing from topology",
+						tf.TestID, exitName,
+					)
+
+					_, found := peerIDs[exitNode.ID]
+					assert.Truef(t, found,
+						"%s: source %q must see exit node %q "+
+							"as a peer via the autogroup:internet "+
+							"ACL — Tailscale SaaS does (#3212)",
+						tf.TestID, srcName, exitName,
+					)
+				}
+			}
+		})
+	}
+}
+
+// expectedExitPeerVisibility extracts (source-node, exit-node) pairs
+// the capture's netmaps witness. A node is treated as an exit-route
+// advertiser when its ApprovedRoutes contain 0.0.0.0/0 or ::/0;
+// a (source, exit) pair is recorded when the source's captured netmap
+// lists the advertiser as a peer with 0.0.0.0/0 or ::/0 in AllowedIPs.
+func expectedExitPeerVisibility(
+	t *testing.T,
+	tf *testcapture.Capture,
+	nodes types.Nodes,
+) map[string][]string {
+	t.Helper()
+
+	v4Exit := tsaddr.AllIPv4()
+	v6Exit := tsaddr.AllIPv6()
+
+	exitAdvertisers := make(map[string]bool)
+
+	for _, n := range nodes {
+		if slices.Contains(n.ApprovedRoutes, v4Exit) ||
+			slices.Contains(n.ApprovedRoutes, v6Exit) {
+			exitAdvertisers[n.GivenName] = true
+		}
+	}
+
+	expected := make(map[string][]string)
+
+	for srcName, capture := range tf.Captures {
+		if capture.Netmap == nil {
+			continue
+		}
+
+		var seen []string
+
+		for _, peer := range capture.Netmap.Peers {
+			peerName := strings.Split(peer.Name(), ".")[0]
+
+			if !exitAdvertisers[peerName] {
+				continue
+			}
+
+			peerAllowed := peer.AllowedIPs().AsSlice()
+			if !slices.Contains(peerAllowed, v4Exit) &&
+				!slices.Contains(peerAllowed, v6Exit) {
+				continue
+			}
+
+			seen = append(seen, peerName)
+		}
+
+		if len(seen) > 0 {
+			expected[srcName] = seen
+		}
+	}
+
+	return expected
+}
--- a/hscontrol/policy/v2/policy_test.go
+++ b/hscontrol/policy/v2/policy_test.go
@ -10,6 +10,7 @@ import (
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 )

@ -1806,3 +1807,50 @@ func TestViaRoutesForPeer(t *testing.T) {
 				"state.RoutesForPeer adds via routes after ReduceRoutes to fix this")
 	})
 }
+
+// TestBuildPeerMap_AutogroupInternetMakesExitNodeVisible reproduces
+// juanfont/headscale#3212. An ACL that grants access only via
+// `autogroup:internet` must keep the exit node visible to the source
+// in BuildPeerMap so the Tailscale client surfaces it in
+// `tailscale exit-node list`. Authoritative SaaS captures
+// (tscap routes-b17/b18, 2026-04-28) confirm SaaS includes the exit
+// node in the source's Peers with 0.0.0.0/0 and ::/0 in AllowedIPs.
+func TestBuildPeerMap_AutogroupInternetMakesExitNodeVisible(t *testing.T) {
+	t.Parallel()
+
+	users := types.Users{
+		{Model: gorm.Model{ID: 1}, Name: "alice", Email: "alice@headscale.net"},
+	}
+
+	aliceNode := node("alice-laptop", "100.64.0.10", "fd7a:115c:a1e0::a", users[0])
+	aliceNode.ID = 1
+
+	exitRoutes := []netip.Prefix{tsaddr.AllIPv4(), tsaddr.AllIPv6()}
+	exitNode := node("alice-exit", "100.64.0.1", "fd7a:115c:a1e0::1", users[0])
+	exitNode.ID = 2
+	exitNode.Hostinfo = &tailcfg.Hostinfo{RoutableIPs: exitRoutes}
+	exitNode.ApprovedRoutes = exitRoutes
+
+	nodes := types.Nodes{aliceNode, exitNode}
+
+	policy := `{
+		"acls": [
+			{"action": "accept", "src": ["alice@headscale.net"], "dst": ["autogroup:internet:*"]}
+		]
+	}`
+
+	pm, err := NewPolicyManager([]byte(policy), users, nodes.ViewSlice())
+	require.NoError(t, err)
+
+	peerMap := pm.BuildPeerMap(nodes.ViewSlice())
+
+	require.True(t,
+		slices.ContainsFunc(peerMap[aliceNode.ID], func(n types.NodeView) bool {
+			return n.ID() == exitNode.ID
+		}),
+		"alice should see the exit node as a peer when an ACL grants autogroup:internet (#3212)")
+
+	_, matchers := pm.Filter()
+	require.True(t, aliceNode.View().CanAccess(matchers, exitNode.View()),
+		"alice.CanAccess(exit) should be true via DestsIsTheInternet()+IsExitNode() (#3212)")
+}
--- a/hscontrol/policy/v2/testdata/issue_3212/routes-b17-autogroup-internet-with-exit-autoapprover.hujson
+++ b/hscontrol/policy/v2/testdata/issue_3212/routes-b17-autogroup-internet-with-exit-autoapprover.hujson
--- a/hscontrol/policy/v2/testdata/issue_3212/routes-b18-autogroup-internet-wildcard-src-with-exit-autoapprover.hujson
+++ b/hscontrol/policy/v2/testdata/issue_3212/routes-b18-autogroup-internet-wildcard-src-with-exit-autoapprover.hujson