[Feature Request] Support for IP Sets and "Via" in Headscale ACL #2409

Open
2 tasks
aradng opened this issue Feb 6, 2025 · 1 comment

aradng commented Feb 6, 2025

Use case

Currently, I have implemented these features manually using complex ipset and iptables configurations on the client side. Native support for these in Headscale ACL would be highly beneficial, particularly for:

  • Restricting access to external services that allow only specific whitelisted IPs or regions/countries.
  • Enabling conditional routing in high-availability (HA) database and backend environments that are frequently migrating.
  • Optimizing client-side routing for improved network performance.

Description

Since Tailscale clients already support custom routing configurations, would it be possible to implement similar functionality within Headscale ACL? Specifically:

Both of these are already available in Tailscale’s control plane ACL grants. Adding them to Headscale ACL would greatly enhance flexibility and ease of use for users managing self-hosted deployments.

Contribution

  • I can write the design doc for this feature
  • I can contribute this feature

How can it be implemented?

No response

@aradng aradng added the enhancement New feature or request label Feb 6, 2025
Collaborator

kradalby commented Feb 6, 2025

I have added no stale to this so it sticks around.

I want to manage expectations by saying that currently our ACL implementation part of the policy is severely lacking, which I aim to work on. There are currently no plans in the future to work on implementing grants; that doesn't mean we will not add them, but that there are a lot of other things to work on first (fixing Tags comes to mind and reworking the very hard to maintain routing system, as well as our large backlog of bugs).

I think it would be years before we are able to have the right building blocks in place (working ACLs, then autogroups, fixing routes/exits, then grants) before we can even consider starting on some of this work.

But, we can remain optimistic, open source projects are for the long run.
