From 1a5ed2c7ca3103d00aed51b5d1411edebe4ba28c Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby <kristoffer@dalby.cc>
Date: Wed, 18 Mar 2026 10:25:58 +0000
Subject: [PATCH] policy/policyutil: update ReduceFilterRules test expectations
 for IPv6

Now that AppendToIPSet includes both IPv4 and IPv6, tests with
nodes that have IPv6 addresses produce additional entries in SrcIPs
and DstPorts. Update the expected values accordingly.

Updates #2180
---
 hscontrol/policy/policyutil/reduce_test.go | 34 ++++++++++++++++++----
 1 file changed, 29 insertions(+), 5 deletions(-)

diff --git a/hscontrol/policy/policyutil/reduce_test.go b/hscontrol/policy/policyutil/reduce_test.go
index d21e3e9d..db0262fc 100644
--- a/hscontrol/policy/policyutil/reduce_test.go
+++ b/hscontrol/policy/policyutil/reduce_test.go
@@ -209,12 +209,17 @@ func TestReduceFilterRules(t *testing.T) {
 				{
 					SrcIPs: []string{
 						"100.64.0.1-100.64.0.2",
+						"fd7a:115c:a1e0::1-fd7a:115c:a1e0::2",
 					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.1",
 							Ports: tailcfg.PortRangeAny,
 						},
+						{
+							IP:    "fd7a:115c:a1e0::1",
+							Ports: tailcfg.PortRangeAny,
+						},
 						{
 							IP:    "10.33.0.0/16",
 							Ports: tailcfg.PortRangeAny,
@@ -347,7 +352,10 @@ func TestReduceFilterRules(t *testing.T) {
 				// autogroup:internet does NOT generate packet filters - it's handled
 				// by exit node routing via AllowedIPs, not by packet filtering.
 				{
-					SrcIPs: []string{"100.64.0.1-100.64.0.2"},
+					SrcIPs: []string{
+						"100.64.0.1-100.64.0.2",
+						"fd7a:115c:a1e0::1-fd7a:115c:a1e0::2",
+					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.100",
@@ -447,7 +455,10 @@ func TestReduceFilterRules(t *testing.T) {
 			want: []tailcfg.FilterRule{
 				// Merged: Both ACL rules combined (same SrcIPs)
 				{
-					SrcIPs: []string{"100.64.0.1-100.64.0.2"},
+					SrcIPs: []string{
+						"100.64.0.1-100.64.0.2",
+						"fd7a:115c:a1e0::1-fd7a:115c:a1e0::2",
+					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.100",
@@ -549,7 +560,10 @@ func TestReduceFilterRules(t *testing.T) {
 			want: []tailcfg.FilterRule{
 				// Merged: Both ACL rules combined (same SrcIPs)
 				{
-					SrcIPs: []string{"100.64.0.1-100.64.0.2"},
+					SrcIPs: []string{
+						"100.64.0.1-100.64.0.2",
+						"fd7a:115c:a1e0::1-fd7a:115c:a1e0::2",
+					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.100",
@@ -629,7 +643,10 @@ func TestReduceFilterRules(t *testing.T) {
 			want: []tailcfg.FilterRule{
 				// Merged: Both ACL rules combined (same SrcIPs)
 				{
-					SrcIPs: []string{"100.64.0.1-100.64.0.2"},
+					SrcIPs: []string{
+						"100.64.0.1-100.64.0.2",
+						"fd7a:115c:a1e0::1-fd7a:115c:a1e0::2",
+					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.100",
@@ -696,12 +713,19 @@ func TestReduceFilterRules(t *testing.T) {
 			},
 			want: []tailcfg.FilterRule{
 				{
-					SrcIPs: []string{"100.64.0.1"},
+					SrcIPs: []string{
+						"100.64.0.1",
+						"fd7a:115c:a1e0::1",
+					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.100",
 							Ports: tailcfg.PortRangeAny,
 						},
+						{
+							IP:    "fd7a:115c:a1e0::100",
+							Ports: tailcfg.PortRangeAny,
+						},
 						{
 							IP:    "172.16.0.21",
 							Ports: tailcfg.PortRangeAny,