author Raj Singh <raj@tailscale.com> 2026-03-05 17:45:39 -0800
committer Raj Singh <raj@tailscale.com> 2026-03-05 18:44:34 -0800
commit 1b451f8bffaf68ef95b2d8d467fa5dcd5e42bc2d
tree f4e3f0220033a1505bdc5a93d13d477185578d04 /ssh
parent 8cfbaa717d9670e2d9e356ca989387fe18611419
ipn/ipnlocal: include service VIP addresses in PeerCaps resolution
rajsinghtech/peercaps-service-vips

peerCapsLocked only checked SelfNode.Addresses() when resolving peer capabilities via filter.CapsWithValues. This meant that ACL grants targeting service VIPs (e.g. dst: ["svc:http"]) would never appear in WhoIs CapMap responses, because service VIP addresses are not included in SelfNode.Addresses() — they are delivered separately via the NodeAttrServiceHost capability and AllowedIPs.

This affected both the WhoIs LocalAPI endpoint and the built-in ServiceModeHTTP serve layer (addAppCapabilitiesHeader), since both call PeerCaps which delegates to peerCapsLocked.

Fix by also iterating service VIP addresses from ServiceIPMappings (delivered via NodeAttrServiceHost) and merging caps from all matching destination addresses.

Updates tailscale/corp#38146

Signed-off-by: Raj Singh <raj@tailscale.com>
Diffstat (limited to 'ssh')
0 files changed, 0 insertions, 0 deletions
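
A simplified model of the lookup the commit message describes, added here as an example and not taken from the Tailscale repository: it resolves one peer's capabilities first against the node's own addresses only, then against its own addresses plus its service VIP addresses. The `grant` type, the `peerCaps` and `demo` helpers, the addresses and the capability names are all constructed for illustration and do not mirror Tailscale's filter API.

```go
package main

import (
	"fmt"
	"net/netip"
)

// grant is a hypothetical, simplified compiled ACL grant: a peer in Src
// receives Cap (with Values) for traffic addressed to Dst.
type grant struct {
	Src, Dst netip.Prefix
	Cap      string
	Values   []string
}

// peerCaps merges the caps granted to src across every candidate destination
// address. Which addresses are passed in decides which grants can match.
func peerCaps(grants []grant, src netip.Addr, dsts []netip.Addr) map[string][]string {
	merged := map[string][]string{}
	for _, dst := range dsts {
		for _, g := range grants {
			if g.Src.Contains(src) && g.Dst.Contains(dst) {
				merged[g.Cap] = append(merged[g.Cap], g.Values...)
			}
		}
	}
	return merged
}

// demo resolves caps for one peer against the node's own addresses only,
// then against its own addresses plus its service VIP addresses.
func demo() (selfOnly, withVIPs map[string][]string) {
	p, a := netip.MustParsePrefix, netip.MustParseAddr
	peer := a("100.64.0.7")                // constructed peer address
	self := []netip.Addr{a("100.64.0.1")}  // constructed node address
	vips := []netip.Addr{a("100.100.0.5")} // constructed VIP standing in for svc:http
	grants := []grant{
		{p("100.64.0.7/32"), p("100.64.0.1/32"), "example.com/cap/node", []string{`{"ok":true}`}},
		{p("100.64.0.7/32"), p("100.100.0.5/32"), "example.com/cap/http", []string{`{"role":"admin"}`}},
	}
	return peerCaps(grants, peer, self), peerCaps(grants, peer, append(self, vips...))
}

func main() {
	selfOnly, withVIPs := demo()
	fmt.Println("self addresses only:      ", selfOnly)
	fmt.Println("self + service VIP addrs: ", withVIPs)
}
```

In this model the grant whose destination is the service VIP is dropped from the first result and present in the second, while the grant on the node address appears in both.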