Fix prefix length comparison bug in AutoApprovers route evaluation (j…

…uanfont#862)

CHANGELOG.md

@@ -19,6 +19,7 @@
 - Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767)
 - Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763)
 - Add config flag to allow Headscale to start if OIDC provider is down [#829](https://github.com/juanfont/headscale/pull/829)
+- Fix prefix length comparison bug in AutoApprovers route evaluation [#862](https://github.com/juanfont/headscale/pull/862)
 - Random node DNS suffix only applied if names collide in namespace. [#766](https://github.com/juanfont/headscale/issues/766)
 - Remove `ip_prefix` configuration option and warning [#899](https://github.com/juanfont/headscale/pull/899)
 - Add `dns_config.override_local_dns` option [#905](https://github.com/juanfont/headscale/pull/905)

acls_types.go

@@ -125,7 +125,7 @@ func (autoApprovers *AutoApprovers) GetRouteApprovers(
 			return nil, err
 		}
 
-		if autoApprovedPrefix.Bits() >= prefix.Bits() &&
+		if prefix.Bits() >= autoApprovedPrefix.Bits() &&
 			autoApprovedPrefix.Contains(prefix.Masked().Addr()) {
 			approverAliases = append(approverAliases, autoApproverAliases...)
 		}

machine_test.go

@@ -1132,7 +1132,8 @@ func (s *Suite) TestAutoApproveRoutes(c *check.C) {
 
 	defaultRoute := netip.MustParsePrefix("0.0.0.0/0")
 	route1 := netip.MustParsePrefix("10.10.0.0/16")
-	route2 := netip.MustParsePrefix("10.11.0.0/16")
+	// Check if a subprefix of an autoapproved route is approved
+	route2 := netip.MustParsePrefix("10.11.0.0/24")
 
 	machine := Machine{
 		ID:             0,