tailscale/ipn
Raj Singh 1b451f8bff ipn/ipnlocal: include service VIP addresses in PeerCaps resolution
peerCapsLocked only checked SelfNode.Addresses() when resolving peer
capabilities via filter.CapsWithValues. This meant that ACL grants
targeting service VIPs (e.g. dst: ["svc:http"]) would never appear in
WhoIs CapMap responses, because service VIP addresses are not included
in SelfNode.Addresses() — they are delivered separately via the
NodeAttrServiceHost capability and AllowedIPs.

This affected both the WhoIs LocalAPI endpoint and the built-in
ServiceModeHTTP serve layer (addAppCapabilitiesHeader), since both
call PeerCaps which delegates to peerCapsLocked.

Fix by also iterating service VIP addresses from ServiceIPMappings
(delivered via NodeAttrServiceHost) and merging caps from all matching
destination addresses.

Updates tailscale/corp#38146

Signed-off-by: Raj Singh <raj@tailscale.com>
2026-03-05 18:44:34 -08:00
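
The bug described in the commit message, as an added example that is not code from the Tailscale repository: a simplified model in which the boolean switches between resolving caps against the node's own addresses only and also against its service VIPs. The types, the addresses, the capability name and the grant are constructed for illustration; the real code uses filter.CapsWithValues and ServiceIPMappings.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Simplified stand-ins (hypothetical, not Tailscale's types).
type capMap map[string][]string
type grant struct {
	Src, Dst netip.Prefix
	Caps     capMap
}

// Constructed sample state: one peer, one self address, one service VIP,
// and a single grant whose destination is the service VIP only.
var (
	peer   = netip.MustParseAddr("100.64.0.7")
	self   = []netip.Addr{netip.MustParseAddr("100.64.0.1")}
	vips   = map[string][]netip.Addr{"svc:http": {netip.MustParseAddr("100.100.0.10")}}
	grants = []grant{{
		Src: netip.MustParsePrefix("100.64.0.7/32"), Dst: netip.MustParsePrefix("100.100.0.10/32"),
		Caps: capMap{"example.com/cap/http": {`{"role":"admin"}`}},
	}}
)

// peerCaps merges the caps granted to peer over every destination address
// considered. includeVIPs=false models the old behaviour (self addresses
// only); includeVIPs=true also walks the service VIP mappings.
func peerCaps(includeVIPs bool) capMap {
	dsts := append([]netip.Addr(nil), self...)
	if includeVIPs {
		for _, addrs := range vips {
			dsts = append(dsts, addrs...)
		}
	}
	out := capMap{}
	for _, dst := range dsts {
		for _, g := range grants {
			if g.Src.Contains(peer) && g.Dst.Contains(dst) {
				for k, v := range g.Caps {
					out[k] = append(out[k], v...)
				}
			}
		}
	}
	return out
}

func main() {
	fmt.Println("self only:", peerCaps(false), "with service VIPs:", peerCaps(true))
}
```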