ipn,ipn/local: always accept routes for Tailscale Services (cgnat range) (#18173)

Updates #18198 Signed-off-by: chaosinthecrd <tom@tmlabs.co.uk> Co-authored-by: James Tucker <raggi@tailscale.com>
2026-01-14 18:20:00 +00:00
parent e9d82767e5
commit c3b7f24051
4 changed files with 116 additions and 6 deletions
@@ -11,6 +11,7 @@ import (
 	"net/netip"
 	"strings"

+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -33,6 +34,9 @@ func cidrIsSubnet(node tailcfg.NodeView, cidr netip.Prefix) bool {
 	if !cidr.IsSingleIP() {
 		return true
 	}
+	if tsaddr.IsTailscaleIP(cidr.Addr()) {
+		return false
+	}
 	for _, selfCIDR := range node.Addresses().All() {
 		if cidr == selfCIDR {
 			return false