From 91aac1ceb2dc94db9fe768575260ca3df8cf54ca Mon Sep 17 00:00:00 2001 
From: Kristoffer Dalby Date: Tue, 17 Mar 2026 16:32:41 +0000 Subject: [PATCH] hscontrol/policy/v2: replace routes golden data with Tailscale SaaS captures Replace the headscale-adapted routes golden files with authoritative captures from Tailscale SaaS using the 12-node topology (8 original grant nodes + 4 new route-specific nodes: ha-router1, ha-router2, big-router, multi-router). The golden data was captured via debug-packet-filter-rules from all 12 nodes. The routes driver now falls back to the standard 3-user setup when topology.users is absent (matching the SaaS capture format) and converts @passkey/@dalby.cc emails to @example.com. 92 test cases captured, all valid JSON, all from Tailscale SaaS. Updates #2180 --- .../v2/tailscale_routes_data_compat_test.go | 30 +- ...ildcard_acl_includes_routes_in_srcips.json | 285 ------------ ...UTES-A2_tag_based_acl_excludes_routes.json | 202 --------- ...S-A3_explicit_subnet_filter_to_router.json | 180 -------- ...ROUTES-A3b_autogroup_member_to_subnet.json | 152 ------- ...ROUTES-A4_multiple_routes_same_router.json | 152 ------- .../ROUTES-A5_host_alias_to_subnet.json | 152 ------- ...-B10_exit_routes_not_in_primaryroutes.json | 124 ----- .../ROUTES-B1_exit_routes_not_in_srcips.json | 124 ----- ...UTES-B2_tag_exit_excludes_exit_routes.json | 232 ---------- ...ROUTES-B3_exit_node_advertises_routes.json | 124 ----- ...-B4_multi_router_has_both_route_types.json | 173 ------- .../ROUTES-B5_exit_with_wildcard_dst.json | 124 ----- .../ROUTES-B6_exit_node_option_field.json | 171 ------- .../ROUTES-B7_multiple_exit_nodes.json | 153 ------- ...UTES-B8_autogroup_internet_no_filters.json | 152 ------- .../ROUTES-B9_exit_routes_in_allowedips.json | 124 ----- .../ROUTES-D10_auto_approval_retroactive.json | 208 --------- ...ROUTES-D11_overlapping_auto_approvers.json | 208 --------- .../ROUTES-D1_basic_route_auto_approval.json | 208 --------- .../ROUTES-D2_nested_prefix_approval.json | 208 --------- 
.../ROUTES-D3_exact_prefix_approval.json | 208 --------- .../ROUTES-D4_prefix_not_covered.json | 208 --------- .../ROUTES-D5_wrong_tag_not_approved.json | 236 ---------- .../ROUTES-D6_exit_node_auto_approval.json | 142 ------ ...OUTES-D7_exit_auto_approval_wrong_tag.json | 147 ------ ...UTES-D8_auto_approval_acl_interaction.json | 236 ---------- ...9_auto_approval_triggers_on_advertise.json | 208 --------- .../ROUTES-E1_ha_two_routers_same_subnet.json | 180 -------- .../ROUTES-E2_ha_primary_in_allowedips.json | 131 ------ ...3_ha_secondary_no_route_in_allowedips.json | 131 ------ ...TES-E4_ha_both_get_filters_host_alias.json | 152 ------- ...ROUTES-E5_first_advertiser_is_primary.json | 180 -------- ...S-F1_filter_on_destination_not_source.json | 194 -------- .../ROUTES-F2_subnet_as_acl_source.json | 299 ------------ .../ROUTES-F3_wildcard_src_specific_dst.json | 180 -------- .../ROUTES-F4_specific_src_wildcard_dst.json | 173 ------- ...ROUTES-F5_bidirectional_subnet_access.json | 248 ---------- .../ROUTES-F6_filter_srcips_expansion.json | 194 -------- ...TES-F7_filter_dstports_shows_acl_cidr.json | 180 -------- .../ROUTES-F8_route_enabled_acl_denies.json | 152 ------- .../ROUTES-F9_route_disabled_acl_allows.json | 152 ------- .../ROUTES-G1_port_restriction_subnet.json | 152 ------- .../ROUTES-G2_port_range_subnet.json | 137 ------ .../ROUTES-G3_multiple_ports_subnet.json | 152 ------- .../ROUTES-G4_protocol_icmp_subnet.json | 209 --------- .../ROUTES-G5_protocol_tcp_only.json | 209 --------- .../ROUTES-G6_protocol_udp_only.json | 209 --------- .../ROUTES-G7_all_ports_wildcard.json | 137 ------ .../ROUTES-G8_default_ipproto.json | 131 ------ .../ROUTES-H10_very_small_prefix.json | 180 -------- .../ROUTES-H11_ipv6_small_prefix.json | 180 -------- .../ROUTES-H1_wildcard_srcips_format.json | 157 ------- .../ROUTES-H2_wildcard_dstports_format.json | 173 ------- .../ROUTES-H3_cgnat_range_expansion.json | 201 -------- .../ROUTES-H4_ipv6_range_in_srcips.json | 166 ------- 
.../ROUTES-H5_subnet_overlaps_cgnat.json | 180 -------- ...ES-H6_loopback_routes_not_distributed.json | 180 -------- .../ROUTES-H7_two_nodes_same_subnet.json | 180 -------- .../ROUTES-H8_cgnat_overlap_blocked.json | 152 ------- .../ROUTES-H9_large_prefix_works.json | 173 ------- .../ROUTES-I1_ipv6_subnet_route.json | 104 ----- .../ROUTES-I2_ipv6_exit_route.json | 142 ------ .../ROUTES-I3_ipv6_in_wildcard_srcips.json | 195 -------- .../ROUTES-I4_ipv6_specific_acl.json | 132 ------ .../ROUTES-I5_ipv6_parent_child_routes.json | 118 ----- .../ROUTES-I6_dual_stack_node.json | 185 -------- .../ROUTES-I7_ipv6_exit_coverage.json | 104 ----- ...UTES-O10_acl_dest_covered_by_multiple.json | 152 ------- .../ROUTES-O11_acl_dest_not_covered.json | 152 ------- .../ROUTES-O12_filter_dest_is_acl_cidr.json | 152 ------- ...UTES-O1_overlapping_routes_not_merged.json | 152 ------- .../ROUTES-O2_ha_routers_both_get_filter.json | 152 ------- ...OUTES-O3_parent_child_different_nodes.json | 152 ------- .../ROUTES-O4_three_way_hierarchy.json | 152 ------- ...TES-O5_sibling_routes_with_parent_acl.json | 152 ------- ...TES-O6_exit_route_expands_filter_dist.json | 180 -------- .../ROUTES-O7_specific_ip_targeting.json | 152 ------- ...OUTES-O8_same_node_overlapping_routes.json | 208 --------- .../ROUTES-O9_different_nodes_same_route.json | 236 ---------- .../ROUTES-R1_exit_covers_external_dest.json | 180 -------- ...TES-R2_parent_route_covers_child_dest.json | 152 ------- .../ROUTES-R3_sibling_routes_no_coverage.json | 152 ------- .../ROUTES-R4_exact_match_route.json | 152 ------- .../ROUTES-R5_route_coverage_check_logic.json | 152 ------- .../ROUTES-R6_ipv6_route_coverage.json | 152 ------- .../ROUTES-R7_exit_ipv6_coverage.json | 180 -------- .../ROUTES-R8_mixed_ipv4_ipv6_coverage.json | 152 ------- ...TES-T1_tags_resolve_to_ips_not_routes.json | 152 ------- .../ROUTES-T2_tag_to_tag_with_exit.json | 232 ---------- ...ROUTES-T3_tag_src_includes_all_tagged.json | 165 ------- 
...ROUTES-T4_tag_dst_includes_all_tagged.json | 152 ------- .../ROUTES-T5_multi_tag_node_in_both.json | 236 ---------- ...ildcard_acl_includes_routes_in_srcips.json | 414 +++++++++++++++++ ...UTES-a2_tag_based_acl_excludes_routes.json | 243 ++++++++++ ...S-a3_explicit_subnet_filter_to_router.json | 204 +++++++++ ...ROUTES-a3b_autogroup_member_to_subnet.json | 202 +++++++++ ...ROUTES-a4_multiple_routes_same_router.json | 183 ++++++++ .../ROUTES-a5_host_alias_to_subnet.json | 204 +++++++++ ...-b10_exit_routes_not_in_primaryroutes.json | 414 +++++++++++++++++ .../ROUTES-b1_exit_routes_not_in_srcips.json | 414 +++++++++++++++++ ...UTES-b2_tag_exit_excludes_exit_routes.json | 202 +++++++++ ...ROUTES-b3_exit_node_advertises_routes.json | 414 +++++++++++++++++ ...-b4_multi_router_has_both_route_types.json | 414 +++++++++++++++++ .../ROUTES-b5_exit_with_wildcard_dst.json | 414 +++++++++++++++++ .../ROUTES-b6_exit_node_option_field.json | 318 +++++++++++++ .../ROUTES-b7_multiple_exit_nodes.json | 318 +++++++++++++ ...UTES-b8_autogroup_internet_no_filters.json | 162 +++++++ .../ROUTES-b9_exit_routes_in_allowedips.json | 414 +++++++++++++++++ .../ROUTES-d10_auto_approval_retroactive.json | 204 +++++++++ ...ROUTES-d11_overlapping_auto_approvers.json | 204 +++++++++ .../ROUTES-d1_basic_route_auto_approval.json | 204 +++++++++ .../ROUTES-d2_nested_prefix_approval.json | 204 +++++++++ .../ROUTES-d3_exact_prefix_approval.json | 204 +++++++++ .../ROUTES-d4_prefix_not_covered.json | 204 +++++++++ .../ROUTES-d5_wrong_tag_not_approved.json | 202 +++++++++ .../ROUTES-d6_exit_node_auto_approval.json | 414 +++++++++++++++++ ...OUTES-d7_exit_auto_approval_wrong_tag.json | 318 +++++++++++++ ...UTES-d8_auto_approval_acl_interaction.json | 202 +++++++++ ...9_auto_approval_triggers_on_advertise.json | 204 +++++++++ .../ROUTES-e1_ha_two_routers_same_subnet.json | 204 +++++++++ .../ROUTES-e2_ha_primary_in_allowedips.json | 204 +++++++++ ...3_ha_secondary_no_route_in_allowedips.json | 204 
+++++++++ ...TES-e4_ha_both_get_filters_host_alias.json | 204 +++++++++ ...ROUTES-e5_first_advertiser_is_primary.json | 204 +++++++++ ...S-f1_filter_on_destination_not_source.json | 202 +++++++++ .../ROUTES-f2_subnet_as_acl_source.json | 222 +++++++++ .../ROUTES-f3_wildcard_src_specific_dst.json | 204 +++++++++ .../ROUTES-f4_specific_src_wildcard_dst.json | 402 ++++++++++++++++ ...ROUTES-f5_bidirectional_subnet_access.json | 267 +++++++++++ .../ROUTES-f6_filter_srcips_expansion.json | 202 +++++++++ ...TES-f7_filter_dstports_shows_acl_cidr.json | 204 +++++++++ .../ROUTES-f8_route_enabled_acl_denies.json | 162 +++++++ .../ROUTES-f9_route_disabled_acl_allows.json | 183 ++++++++ .../ROUTES-g1_port_restriction_subnet.json | 202 +++++++++ .../ROUTES-g2_port_range_subnet.json | 204 +++++++++ .../ROUTES-g3_multiple_ports_subnet.json | 232 ++++++++++ .../ROUTES-g4_protocol_icmp_subnet.json | 207 +++++++++ .../ROUTES-g5_protocol_tcp_only.json | 207 +++++++++ .../ROUTES-g6_protocol_udp_only.json | 207 +++++++++ .../ROUTES-g7_all_ports_wildcard.json | 202 +++++++++ .../ROUTES-g8_default_ipproto.json | 204 +++++++++ .../ROUTES-h10_very_small_prefix.json | 204 +++++++++ .../ROUTES-h11_ipv6_small_prefix.json | 162 +++++++ .../ROUTES-h1_wildcard_srcips_format.json | 246 ++++++++++ .../ROUTES-h2_wildcard_dstports_format.json | 402 ++++++++++++++++ .../ROUTES-h3_cgnat_range_expansion.json | 246 ++++++++++ .../ROUTES-h4_ipv6_range_in_srcips.json | 414 +++++++++++++++++ .../ROUTES-h5_subnet_overlaps_cgnat.json | 162 +++++++ ...ES-h6_loopback_routes_not_distributed.json | 162 +++++++ .../ROUTES-h7_two_nodes_same_subnet.json | 204 +++++++++ .../ROUTES-h8_cgnat_overlap_blocked.json | 162 +++++++ .../ROUTES-h9_large_prefix_works.json | 202 +++++++++ .../ROUTES-i1_ipv6_subnet_route.json | 414 +++++++++++++++++ .../ROUTES-i2_ipv6_exit_route.json | 414 +++++++++++++++++ .../ROUTES-i3_ipv6_in_wildcard_srcips.json | 246 ++++++++++ .../ROUTES-i4_ipv6_specific_acl.json | 162 +++++++ 
.../ROUTES-i5_ipv6_parent_child_routes.json | 162 +++++++ .../ROUTES-i6_dual_stack_node.json | 209 +++++++++ .../ROUTES-i7_ipv6_exit_coverage.json | 162 +++++++ ...UTES-o10_acl_dest_covered_by_multiple.json | 204 +++++++++ .../ROUTES-o11_acl_dest_not_covered.json | 162 +++++++ .../ROUTES-o12_filter_dest_is_acl_cidr.json | 204 +++++++++ ...UTES-o1_overlapping_routes_not_merged.json | 414 +++++++++++++++++ .../ROUTES-o2_ha_routers_both_get_filter.json | 204 +++++++++ ...OUTES-o3_parent_child_different_nodes.json | 204 +++++++++ .../ROUTES-o4_three_way_hierarchy.json | 204 +++++++++ ...TES-o5_sibling_routes_with_parent_acl.json | 204 +++++++++ ...TES-o6_exit_route_expands_filter_dist.json | 162 +++++++ .../ROUTES-o7_specific_ip_targeting.json | 204 +++++++++ ...OUTES-o8_same_node_overlapping_routes.json | 204 +++++++++ .../ROUTES-o9_different_nodes_same_route.json | 202 +++++++++ .../ROUTES-r1_exit_covers_external_dest.json | 162 +++++++ ...TES-r2_parent_route_covers_child_dest.json | 204 +++++++++ .../ROUTES-r3_sibling_routes_no_coverage.json | 183 ++++++++ .../ROUTES-r4_exact_match_route.json | 204 +++++++++ .../ROUTES-r5_route_coverage_check_logic.json | 204 +++++++++ .../ROUTES-r6_ipv6_route_coverage.json | 162 +++++++ .../ROUTES-r7_exit_ipv6_coverage.json | 162 +++++++ .../ROUTES-r8_mixed_ipv4_ipv6_coverage.json | 428 ++++++++++++++++++ ...TES-t1_tags_resolve_to_ips_not_routes.json | 243 ++++++++++ .../ROUTES-t2_tag_to_tag_with_exit.json | 202 +++++++++ ...ROUTES-t3_tag_src_includes_all_tagged.json | 402 ++++++++++++++++ ...ROUTES-t4_tag_dst_includes_all_tagged.json | 218 +++++++++ .../ROUTES-t5_multi_tag_node_in_both.json | 216 +++++++++ 185 files changed, 22150 insertions(+), 15834 deletions(-) delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-A1_wildcard_acl_includes_routes_in_srcips.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-A2_tag_based_acl_excludes_routes.json delete mode 100644 
hscontrol/policy/v2/testdata/routes_results/ROUTES-A3_explicit_subnet_filter_to_router.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-A3b_autogroup_member_to_subnet.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-A4_multiple_routes_same_router.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-A5_host_alias_to_subnet.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-B10_exit_routes_not_in_primaryroutes.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-B1_exit_routes_not_in_srcips.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-B2_tag_exit_excludes_exit_routes.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-B3_exit_node_advertises_routes.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-B4_multi_router_has_both_route_types.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-B5_exit_with_wildcard_dst.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-B6_exit_node_option_field.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-B7_multiple_exit_nodes.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-B8_autogroup_internet_no_filters.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-B9_exit_routes_in_allowedips.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-D10_auto_approval_retroactive.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-D11_overlapping_auto_approvers.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-D1_basic_route_auto_approval.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-D2_nested_prefix_approval.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-D3_exact_prefix_approval.json delete mode 100644 
hscontrol/policy/v2/testdata/routes_results/ROUTES-D4_prefix_not_covered.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-D5_wrong_tag_not_approved.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-D6_exit_node_auto_approval.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-D7_exit_auto_approval_wrong_tag.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-D8_auto_approval_acl_interaction.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-D9_auto_approval_triggers_on_advertise.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-E1_ha_two_routers_same_subnet.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-E2_ha_primary_in_allowedips.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-E3_ha_secondary_no_route_in_allowedips.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-E4_ha_both_get_filters_host_alias.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-E5_first_advertiser_is_primary.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-F1_filter_on_destination_not_source.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-F2_subnet_as_acl_source.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-F3_wildcard_src_specific_dst.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-F4_specific_src_wildcard_dst.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-F5_bidirectional_subnet_access.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-F6_filter_srcips_expansion.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-F7_filter_dstports_shows_acl_cidr.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-F8_route_enabled_acl_denies.json delete mode 
100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-F9_route_disabled_acl_allows.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-G1_port_restriction_subnet.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-G2_port_range_subnet.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-G3_multiple_ports_subnet.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-G4_protocol_icmp_subnet.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-G5_protocol_tcp_only.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-G6_protocol_udp_only.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-G7_all_ports_wildcard.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-G8_default_ipproto.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H10_very_small_prefix.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H11_ipv6_small_prefix.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H1_wildcard_srcips_format.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H2_wildcard_dstports_format.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H3_cgnat_range_expansion.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H4_ipv6_range_in_srcips.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H5_subnet_overlaps_cgnat.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H6_loopback_routes_not_distributed.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H7_two_nodes_same_subnet.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H8_cgnat_overlap_blocked.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-H9_large_prefix_works.json delete mode 100644 
hscontrol/policy/v2/testdata/routes_results/ROUTES-I1_ipv6_subnet_route.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-I2_ipv6_exit_route.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-I3_ipv6_in_wildcard_srcips.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-I4_ipv6_specific_acl.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-I5_ipv6_parent_child_routes.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-I6_dual_stack_node.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-I7_ipv6_exit_coverage.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O10_acl_dest_covered_by_multiple.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O11_acl_dest_not_covered.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O12_filter_dest_is_acl_cidr.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O1_overlapping_routes_not_merged.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O2_ha_routers_both_get_filter.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O3_parent_child_different_nodes.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O4_three_way_hierarchy.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O5_sibling_routes_with_parent_acl.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O6_exit_route_expands_filter_dist.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O7_specific_ip_targeting.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O8_same_node_overlapping_routes.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-O9_different_nodes_same_route.json delete mode 100644 
hscontrol/policy/v2/testdata/routes_results/ROUTES-R1_exit_covers_external_dest.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-R2_parent_route_covers_child_dest.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-R3_sibling_routes_no_coverage.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-R4_exact_match_route.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-R5_route_coverage_check_logic.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-R6_ipv6_route_coverage.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-R7_exit_ipv6_coverage.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-R8_mixed_ipv4_ipv6_coverage.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-T1_tags_resolve_to_ips_not_routes.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-T2_tag_to_tag_with_exit.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-T3_tag_src_includes_all_tagged.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-T4_tag_dst_includes_all_tagged.json delete mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-T5_multi_tag_node_in_both.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-a1_wildcard_acl_includes_routes_in_srcips.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-a2_tag_based_acl_excludes_routes.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-a3_explicit_subnet_filter_to_router.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-a3b_autogroup_member_to_subnet.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-a4_multiple_routes_same_router.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-a5_host_alias_to_subnet.json create mode 100644 
hscontrol/policy/v2/testdata/routes_results/ROUTES-b10_exit_routes_not_in_primaryroutes.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-b1_exit_routes_not_in_srcips.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-b2_tag_exit_excludes_exit_routes.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-b3_exit_node_advertises_routes.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-b4_multi_router_has_both_route_types.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-b5_exit_with_wildcard_dst.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-b6_exit_node_option_field.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-b7_multiple_exit_nodes.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-b8_autogroup_internet_no_filters.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-b9_exit_routes_in_allowedips.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-d10_auto_approval_retroactive.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-d11_overlapping_auto_approvers.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-d1_basic_route_auto_approval.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-d2_nested_prefix_approval.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-d3_exact_prefix_approval.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-d4_prefix_not_covered.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-d5_wrong_tag_not_approved.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-d6_exit_node_auto_approval.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-d7_exit_auto_approval_wrong_tag.json create mode 100644 
hscontrol/policy/v2/testdata/routes_results/ROUTES-d8_auto_approval_acl_interaction.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-d9_auto_approval_triggers_on_advertise.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-e1_ha_two_routers_same_subnet.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-e2_ha_primary_in_allowedips.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-e3_ha_secondary_no_route_in_allowedips.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-e4_ha_both_get_filters_host_alias.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-e5_first_advertiser_is_primary.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-f1_filter_on_destination_not_source.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-f2_subnet_as_acl_source.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-f3_wildcard_src_specific_dst.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-f4_specific_src_wildcard_dst.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-f5_bidirectional_subnet_access.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-f6_filter_srcips_expansion.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-f7_filter_dstports_shows_acl_cidr.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-f8_route_enabled_acl_denies.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-f9_route_disabled_acl_allows.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-g1_port_restriction_subnet.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-g2_port_range_subnet.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-g3_multiple_ports_subnet.json create mode 100644 
hscontrol/policy/v2/testdata/routes_results/ROUTES-g4_protocol_icmp_subnet.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-g5_protocol_tcp_only.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-g6_protocol_udp_only.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-g7_all_ports_wildcard.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-g8_default_ipproto.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h10_very_small_prefix.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h11_ipv6_small_prefix.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h1_wildcard_srcips_format.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h2_wildcard_dstports_format.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h3_cgnat_range_expansion.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h4_ipv6_range_in_srcips.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h5_subnet_overlaps_cgnat.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h6_loopback_routes_not_distributed.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h7_two_nodes_same_subnet.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h8_cgnat_overlap_blocked.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-h9_large_prefix_works.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-i1_ipv6_subnet_route.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-i2_ipv6_exit_route.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-i3_ipv6_in_wildcard_srcips.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-i4_ipv6_specific_acl.json create mode 100644 
hscontrol/policy/v2/testdata/routes_results/ROUTES-i5_ipv6_parent_child_routes.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-i6_dual_stack_node.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-i7_ipv6_exit_coverage.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o10_acl_dest_covered_by_multiple.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o11_acl_dest_not_covered.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o12_filter_dest_is_acl_cidr.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o1_overlapping_routes_not_merged.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o2_ha_routers_both_get_filter.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o3_parent_child_different_nodes.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o4_three_way_hierarchy.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o5_sibling_routes_with_parent_acl.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o6_exit_route_expands_filter_dist.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o7_specific_ip_targeting.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o8_same_node_overlapping_routes.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-o9_different_nodes_same_route.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-r1_exit_covers_external_dest.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-r2_parent_route_covers_child_dest.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-r3_sibling_routes_no_coverage.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-r4_exact_match_route.json create mode 100644 
hscontrol/policy/v2/testdata/routes_results/ROUTES-r5_route_coverage_check_logic.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-r6_ipv6_route_coverage.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-r7_exit_ipv6_coverage.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-r8_mixed_ipv4_ipv6_coverage.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-t1_tags_resolve_to_ips_not_routes.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-t2_tag_to_tag_with_exit.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-t3_tag_src_includes_all_tagged.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-t4_tag_dst_includes_all_tagged.json create mode 100644 hscontrol/policy/v2/testdata/routes_results/ROUTES-t5_multi_tag_node_in_both.json
diff --git a/hscontrol/policy/v2/tailscale_routes_data_compat_test.go b/hscontrol/policy/v2/tailscale_routes_data_compat_test.go
index 2cd6e07d..ec37d9a7 100644
--- a/hscontrol/policy/v2/tailscale_routes_data_compat_test.go
+++ b/hscontrol/policy/v2/tailscale_routes_data_compat_test.go
@@ -88,13 +88,24 @@ func buildRoutesUsersAndNodes(
 ) (types.Users, types.Nodes) {
 t.Helper()
 
- // Build users
- users := make(types.Users, 0, len(topo.Users))
- for _, u := range topo.Users {
- users = append(users, types.User{
- Model: gorm.Model{ID: u.ID},
- Name: u.Name,
- })
+ // Build users — if topology has users section, use it.
+ // Otherwise fall back to the standard 3-user setup matching
+ // the grant topology (used by Tailscale SaaS captures).
+ var users types.Users
+ if len(topo.Users) > 0 {
+ users = make(types.Users, 0, len(topo.Users))
+ for _, u := range topo.Users {
+ users = append(users, types.User{
+ Model: gorm.Model{ID: u.ID},
+ Name: u.Name,
+ })
+ }
+ } else {
+ users = types.Users{
+ {Model: gorm.Model{ID: 1}, Name: "kratail2tid", Email: "kratail2tid@example.com"},
+ {Model: gorm.Model{ID: 2}, Name: "kristoffer", Email: "kristoffer@example.com"},
+ {Model: gorm.Model{ID: 3}, Name: "monitorpasskeykradalby", Email: "monitorpasskeykradalby@example.com"},
+ }
 }
 
 // Build nodes
@@ -206,8 +217,11 @@ func TestRoutesCompat(t *testing.T) {
 // Build topology from JSON
 users, nodes := buildRoutesUsersAndNodes(t, tf.Topology)
 
+ // Convert Tailscale SaaS user emails to headscale format
+ policyJSON := convertPolicyUserEmails(tf.Input.FullPolicy)
+
 // Parse and validate policy
- pol, err := unmarshalPolicy(tf.Input.FullPolicy)
+ pol, err := unmarshalPolicy(policyJSON)
 require.NoError(
 t,
 err,
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A1_wildcard_acl_includes_routes_in_srcips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-A1_wildcard_acl_includes_routes_in_srcips.json
deleted file mode 100644
index c11add20..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A1_wildcard_acl_includes_routes_in_srcips.json
+++ /dev/null
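Review bot: The new `else` branch in buildRoutesUsersAndNodes silently substitutes three hard-coded users whenever `topo.Users` is empty, so a golden file whose users section was dropped or misnamed during capture still runs, against identities it never declared. Because these tests pin ACL and packet-filter behaviour, the fallback should be visible in the test output, for example `t.Logf("topology has no users section; using the default 3-user setup")` as the first statement of the `else` branch. The two branches also build different records: the fallback sets `Email`, while the `topo.Users` loop sets only `Model` and `Name`; if that is intentional it deserves a one-line comment such as `// topology users carry no email; policies must reference them by name`. The function body continues past the end of this hunk, so the node-to-user lookup is not visible here.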
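Review bot: `convertPolicyUserEmails(tf.Input.FullPolicy)` in TestRoutesCompat rewrites the captured policy in memory just before `unmarshalPolicy`, which, going by the commit message, means the golden files on disk keep the original SaaS login names and domains. Captures taken from a live tailnet are better scrubbed once at import time, so that account identifiers never land in the repository and the test parses exactly what is stored. If the rewrite has to stay at test time, the comment should state the mapping, e.g. `// Golden files keep SaaS logins (@passkey, @dalby.cc); rewrite to @example.com to match the users built above.` The helper is defined outside this hunk, so whether it touches anything other than user addresses cannot be checked from here.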
@@ -1,285 +0,0 @@ -{ - "test_id": "ROUTES-A1_wildcard_acl_includes_routes_in_srcips", - "source": "headscale_adapted", - "parent_test": "SubnetBasics", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.64.0.0/10", - "fd7a:115c:a1e0::/48", - "10.0.0.0/8", - "10.33.0.0/16", - "172.16.0.0/24", - "192.168.1.0/24" - ], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "client2": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ha-router1": { - 
"packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ha-router2": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "user1": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A2_tag_based_acl_excludes_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-A2_tag_based_acl_excludes_routes.json deleted file mode 100644 index 7d76427d..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A2_tag_based_acl_excludes_routes.json +++ /dev/null 
@@ -1,202 +0,0 @@ -{ - "test_id": "ROUTES-A2_tag_based_acl_excludes_routes", - "source": "headscale_adapted", - "parent_test": "SubnetBasics", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:router"], - "dst": ["tag:router:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.100.100.1/32", - "100.119.139.79/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::4001:8ba0/128", - "fd7a:115c:a1e0::6401:6401/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "100.100.100.1/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.119.139.79/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.74.117.7/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::4001:8ba0/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::6401:6401/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::c401:7508/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A3_explicit_subnet_filter_to_router.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-A3_explicit_subnet_filter_to_router.json deleted file mode 100644 index 24a85a90..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A3_explicit_subnet_filter_to_router.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-A3_explicit_subnet_filter_to_router", - "source": "headscale_adapted", - "parent_test": "SubnetBasics", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A3b_autogroup_member_to_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-A3b_autogroup_member_to_subnet.json deleted file mode 100644 index 73d48c33..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A3b_autogroup_member_to_subnet.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-A3b_autogroup_member_to_subnet", - "source": "headscale_adapted", - "parent_test": "SubnetBasics", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["10.33.0.0/16:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A4_multiple_routes_same_router.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-A4_multiple_routes_same_router.json deleted file mode 100644 index 909b21e2..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A4_multiple_routes_same_router.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-A4_multiple_routes_same_router", - "source": "headscale_adapted", - "parent_test": "SubnetBasics", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["172.16.0.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A5_host_alias_to_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-A5_host_alias_to_subnet.json deleted file mode 100644 index 800748f8..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-A5_host_alias_to_subnet.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-A5_host_alias_to_subnet", - "source": "headscale_adapted", - "parent_test": "SubnetBasics", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["internal:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B10_exit_routes_not_in_primaryroutes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-B10_exit_routes_not_in_primaryroutes.json deleted file mode 100644 index 0c8a5c1d..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B10_exit_routes_not_in_primaryroutes.json +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "test_id": "ROUTES-B10_exit_routes_not_in_primaryroutes", - "source": "headscale_adapted", - "parent_test": "ExitNodes", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": {} -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B1_exit_routes_not_in_srcips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-B1_exit_routes_not_in_srcips.json deleted file mode 100644 index 2ee117ae..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B1_exit_routes_not_in_srcips.json +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "test_id": "ROUTES-B1_exit_routes_not_in_srcips", - "source": "headscale_adapted", - "parent_test": "ExitNodes", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": {} -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B2_tag_exit_excludes_exit_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-B2_tag_exit_excludes_exit_routes.json deleted file mode 100644 index 1d2c6db2..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B2_tag_exit_excludes_exit_routes.json +++ /dev/null 
@@ -1,232 +0,0 @@ -{ - "test_id": "ROUTES-B2_tag_exit_excludes_exit_routes", - "source": "headscale_adapted", - "parent_test": "ExitNodes", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:exit"], - "dst": ["tag:exit:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.121.32.1/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::7f01:2004/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "100.121.32.1/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.74.117.7/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::7f01:2004/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::c401:7508/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.121.32.1/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::7f01:2004/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "100.121.32.1/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.74.117.7/32", - 
"Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::7f01:2004/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::c401:7508/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B3_exit_node_advertises_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-B3_exit_node_advertises_routes.json deleted file mode 100644 index 828962ed..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B3_exit_node_advertises_routes.json +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "test_id": "ROUTES-B3_exit_node_advertises_routes", - "source": "headscale_adapted", - "parent_test": "ExitNodes", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": {} -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B4_multi_router_has_both_route_types.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-B4_multi_router_has_both_route_types.json deleted file mode 100644 index bd8da9af..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B4_multi_router_has_both_route_types.json +++ /dev/null 
@@ -1,173 +0,0 @@ -{ - "test_id": "ROUTES-B4_multi_router_has_both_route_types", - "source": "headscale_adapted", - "parent_test": "ExitNodes", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "100.64.0.0/10", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::/48", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B5_exit_with_wildcard_dst.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-B5_exit_with_wildcard_dst.json deleted file mode 100644 index 3fe3ddd4..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B5_exit_with_wildcard_dst.json +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "test_id": "ROUTES-B5_exit_with_wildcard_dst", - "source": "headscale_adapted", - "parent_test": "ExitNodes", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": {} -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B6_exit_node_option_field.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-B6_exit_node_option_field.json deleted file mode 100644 index 075d11d8..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B6_exit_node_option_field.json +++ /dev/null 
@@ -1,171 +0,0 @@ -{ - "test_id": "ROUTES-B6_exit_node_option_field", - "source": "headscale_adapted", - "parent_test": "ExitNodes", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:exit"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.121.32.1/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::7f01:2004/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B7_multiple_exit_nodes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-B7_multiple_exit_nodes.json deleted file mode 100644 index e46800bc..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B7_multiple_exit_nodes.json +++ /dev/null 
@@ -1,153 +0,0 @@ -{ - "test_id": "ROUTES-B7_multiple_exit_nodes", - "source": "headscale_adapted", - "parent_test": "ExitNodes", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:exit"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.121.32.1/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::7f01:2004/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B8_autogroup_internet_no_filters.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-B8_autogroup_internet_no_filters.json deleted file mode 100644 index 10f18973..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B8_autogroup_internet_no_filters.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-B8_autogroup_internet_no_filters", - "source": "headscale_adapted", - "parent_test": "ExitNodes", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["autogroup:internet:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": 
["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B9_exit_routes_in_allowedips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-B9_exit_routes_in_allowedips.json deleted file mode 100644 index 43408a16..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-B9_exit_routes_in_allowedips.json +++ /dev/null 
@@ -1,124 +0,0 @@ -{ - "test_id": "ROUTES-B9_exit_routes_in_allowedips", - "source": "headscale_adapted", - "parent_test": "ExitNodes", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": {} -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D10_auto_approval_retroactive.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D10_auto_approval_retroactive.json deleted file mode 100644 index d08b52d0..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D10_auto_approval_retroactive.json +++ /dev/null 
@@ -1,208 +0,0 @@ -{ - "test_id": "ROUTES-D10_auto_approval_retroactive", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:443"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D11_overlapping_auto_approvers.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D11_overlapping_auto_approvers.json
deleted file mode 100644
index 5cb9b49b..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D11_overlapping_auto_approvers.json
+++ /dev/null
@@ -1,208 +0,0 @@ -{ - "test_id": "ROUTES-D11_overlapping_auto_approvers", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.0.0.0/8:80"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.0.0.0/8", - "Ports": { - "First": 80, - "Last": 80 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.0.0.0/8", - "Ports": { - "First": 80, - "Last": 80 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.0.0.0/8", - "Ports": { - "First": 80, - "Last": 80 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.0.0.0/8", - "Ports": { - "First": 80, - "Last": 80 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D1_basic_route_auto_approval.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D1_basic_route_auto_approval.json
deleted file mode 100644
index eed0cc03..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D1_basic_route_auto_approval.json
+++ /dev/null
@@ -1,208 +0,0 @@ -{ - "test_id": "ROUTES-D1_basic_route_auto_approval", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D2_nested_prefix_approval.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D2_nested_prefix_approval.json
deleted file mode 100644
index a61b2c60..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D2_nested_prefix_approval.json
+++ /dev/null
@@ -1,208 +0,0 @@ -{ - "test_id": "ROUTES-D2_nested_prefix_approval", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D3_exact_prefix_approval.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D3_exact_prefix_approval.json
deleted file mode 100644
index 02d8ae8e..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D3_exact_prefix_approval.json
+++ /dev/null
@@ -1,208 +0,0 @@ -{ - "test_id": "ROUTES-D3_exact_prefix_approval", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D4_prefix_not_covered.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D4_prefix_not_covered.json
deleted file mode 100644
index f78b75d8..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D4_prefix_not_covered.json
+++ /dev/null
@@ -1,208 +0,0 @@ -{ - "test_id": "ROUTES-D4_prefix_not_covered", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["192.168.1.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ha-router1": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ha-router2": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D5_wrong_tag_not_approved.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D5_wrong_tag_not_approved.json
deleted file mode 100644
index 0b49beb2..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D5_wrong_tag_not_approved.json
+++ /dev/null
@@ -1,236 +0,0 @@ -{ - "test_id": "ROUTES-D5_wrong_tag_not_approved", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:router"], - "dst": ["192.168.1.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.100.100.1/32", - "100.119.139.79/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::4001:8ba0/128", - "fd7a:115c:a1e0::6401:6401/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.100.100.1/32", - "100.119.139.79/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::4001:8ba0/128", - "fd7a:115c:a1e0::6401:6401/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ha-router1": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.100.100.1/32", - "100.119.139.79/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::4001:8ba0/128", - "fd7a:115c:a1e0::6401:6401/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - 
{ - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ha-router2": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.100.100.1/32", - "100.119.139.79/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::4001:8ba0/128", - "fd7a:115c:a1e0::6401:6401/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D6_exit_node_auto_approval.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D6_exit_node_auto_approval.json deleted file mode 100644 index 20bff5b2..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D6_exit_node_auto_approval.json +++ /dev/null 
@@ -1,142 +0,0 @@ -{ - "test_id": "ROUTES-D6_exit_node_auto_approval", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D7_exit_auto_approval_wrong_tag.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D7_exit_auto_approval_wrong_tag.json deleted file mode 100644 index fb6367c9..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D7_exit_auto_approval_wrong_tag.json +++ /dev/null 
@@ -1,147 +0,0 @@ -{ - "test_id": "ROUTES-D7_exit_auto_approval_wrong_tag", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:exit"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.121.32.1/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::7f01:2004/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D8_auto_approval_acl_interaction.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D8_auto_approval_acl_interaction.json deleted file mode 100644 index 71e18870..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D8_auto_approval_acl_interaction.json +++ /dev/null 
@@ -1,236 +0,0 @@ -{ - "test_id": "ROUTES-D8_auto_approval_acl_interaction", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["10.33.0.0/16:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], 
- "approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128", - "fd7a:115c:a1e0::2d01:c747/128" - ], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128", - "fd7a:115c:a1e0::2d01:c747/128" - ], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128", - "fd7a:115c:a1e0::2d01:c747/128" - ], - "DstPorts": [ - { - "IP": 
"10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128", - "fd7a:115c:a1e0::2d01:c747/128" - ], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D9_auto_approval_triggers_on_advertise.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-D9_auto_approval_triggers_on_advertise.json deleted file mode 100644 index d1bce5a6..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-D9_auto_approval_triggers_on_advertise.json +++ /dev/null 
@@ -1,208 +0,0 @@ -{ - "test_id": "ROUTES-D9_auto_approval_triggers_on_advertise", - "source": "headscale_adapted", - "parent_test": "AutoApprover", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-E1_ha_two_routers_same_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-E1_ha_two_routers_same_subnet.json
deleted file mode 100644
index 7dd08c80..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-E1_ha_two_routers_same_subnet.json
+++ /dev/null
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-E1_ha_two_routers_same_subnet", - "source": "headscale_adapted", - "parent_test": "HARouters", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["192.168.1.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ha-router2": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-E2_ha_primary_in_allowedips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-E2_ha_primary_in_allowedips.json deleted file mode 100644 index a1079b1a..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-E2_ha_primary_in_allowedips.json +++ /dev/null 
@@ -1,131 +0,0 @@ -{ - "test_id": "ROUTES-E2_ha_primary_in_allowedips", - "source": "headscale_adapted", - "parent_test": "HARouters", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["192.168.1.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-E3_ha_secondary_no_route_in_allowedips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-E3_ha_secondary_no_route_in_allowedips.json deleted file mode 100644 index d726b217..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-E3_ha_secondary_no_route_in_allowedips.json +++ /dev/null 
@@ -1,131 +0,0 @@ -{ - "test_id": "ROUTES-E3_ha_secondary_no_route_in_allowedips", - "source": "headscale_adapted", - "parent_test": "HARouters", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["192.168.1.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-E4_ha_both_get_filters_host_alias.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-E4_ha_both_get_filters_host_alias.json deleted file mode 100644 index abd25a5c..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-E4_ha_both_get_filters_host_alias.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-E4_ha_both_get_filters_host_alias", - "source": "headscale_adapted", - "parent_test": "HARouters", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["subnet24:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-E5_first_advertiser_is_primary.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-E5_first_advertiser_is_primary.json deleted file mode 100644 index 3ffe8c8e..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-E5_first_advertiser_is_primary.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-E5_first_advertiser_is_primary", - "source": "headscale_adapted", - "parent_test": "HARouters", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["192.168.1.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ha-router2": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F1_filter_on_destination_not_source.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-F1_filter_on_destination_not_source.json deleted file mode 100644 index 56687483..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F1_filter_on_destination_not_source.json +++ /dev/null 
@@ -1,194 +0,0 @@ -{ - "test_id": "ROUTES-F1_filter_on_destination_not_source", - "source": "headscale_adapted", - "parent_test": "FilterPlacement", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["10.33.0.0/16:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": 
["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128", - "fd7a:115c:a1e0::2d01:c747/128" - ], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128", - "fd7a:115c:a1e0::2d01:c747/128" - ], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F2_subnet_as_acl_source.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-F2_subnet_as_acl_source.json
deleted file mode 100644
index 3ebe60a4..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F2_subnet_as_acl_source.json
+++ /dev/null
@@ -1,299 +0,0 @@ -{ - "test_id": "ROUTES-F2_subnet_as_acl_source", - "source": "headscale_adapted", - "parent_test": "FilterPlacement", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["10.33.0.0/16"], - "dst": ["autogroup:member:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": ["10.33.0.0/16"], - "DstPorts": [ - { - "IP": "100.116.73.38/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.89.42.23/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.90.199.68/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::a801:4949/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::d01:2a2e/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::2d01:c747/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "client2": { - "packet_filter_rules": [ - { - "SrcIPs": ["10.33.0.0/16"], - "DstPorts": [ - { - "IP": "100.116.73.38/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.89.42.23/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": 
"100.90.199.68/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::a801:4949/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::d01:2a2e/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::2d01:c747/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "user1": { - "packet_filter_rules": [ - { - "SrcIPs": ["10.33.0.0/16"], - "DstPorts": [ - { - "IP": "100.116.73.38/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.89.42.23/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.90.199.68/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::a801:4949/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::d01:2a2e/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::2d01:c747/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F3_wildcard_src_specific_dst.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-F3_wildcard_src_specific_dst.json deleted file mode 100644 index b43c9124..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F3_wildcard_src_specific_dst.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-F3_wildcard_src_specific_dst", - "source": "headscale_adapted", - "parent_test": "FilterPlacement", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F4_specific_src_wildcard_dst.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-F4_specific_src_wildcard_dst.json deleted file mode 100644 index 28650fb0..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F4_specific_src_wildcard_dst.json +++ /dev/null 
@@ -1,173 +0,0 @@ -{ - "test_id": "ROUTES-F4_specific_src_wildcard_dst", - "source": "headscale_adapted", - "parent_test": "FilterPlacement", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:router"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.100.100.1/32", - "100.119.139.79/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::4001:8ba0/128", - "fd7a:115c:a1e0::6401:6401/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F5_bidirectional_subnet_access.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-F5_bidirectional_subnet_access.json deleted file mode 100644 index 5ddd050d..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F5_bidirectional_subnet_access.json +++ /dev/null 
@@ -1,248 +0,0 @@ -{ - "test_id": "ROUTES-F5_bidirectional_subnet_access", - "source": "headscale_adapted", - "parent_test": "FilterPlacement", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["10.33.0.0/16:*"] - }, - { - "action": "accept", - "src": ["10.33.0.0/16"], - "dst": ["autogroup:member:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": 
"fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": ["10.33.0.0/16"], - "DstPorts": [ - { - "IP": "100.116.73.38/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.89.42.23/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.90.199.68/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::2d01:c747/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::a801:4949/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::d01:2a2e/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::2d01:c747/128", - 
"fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128" - ], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::2d01:c747/128", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128" - ], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F6_filter_srcips_expansion.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-F6_filter_srcips_expansion.json deleted file mode 100644 index a7496834..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F6_filter_srcips_expansion.json +++ /dev/null 
@@ -1,194 +0,0 @@ -{ - "test_id": "ROUTES-F6_filter_srcips_expansion", - "source": "headscale_adapted", - "parent_test": "FilterPlacement", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["10.33.0.0/16:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::2d01:c747/128", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128" - ], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::2d01:c747/128", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128" - ], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F7_filter_dstports_shows_acl_cidr.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-F7_filter_dstports_shows_acl_cidr.json
deleted file mode 100644
index bc70e0d1..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F7_filter_dstports_shows_acl_cidr.json
+++ /dev/null
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-F7_filter_dstports_shows_acl_cidr", - "source": "headscale_adapted", - "parent_test": "FilterPlacement", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.1.0/24:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.1.0/24", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.1.0/24", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F8_route_enabled_acl_denies.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-F8_route_enabled_acl_denies.json deleted file mode 100644 index 7dc74a38..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F8_route_enabled_acl_denies.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-F8_route_enabled_acl_denies", - "source": "headscale_adapted", - "parent_test": "FilterPlacement", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["group:empty"], - "dst": ["10.33.0.0/16:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F9_route_disabled_acl_allows.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-F9_route_disabled_acl_allows.json deleted file mode 100644 index 346ed379..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-F9_route_disabled_acl_allows.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-F9_route_disabled_acl_allows", - "source": "headscale_adapted", - "parent_test": "FilterPlacement", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.99.0.0/16:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G1_port_restriction_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-G1_port_restriction_subnet.json deleted file mode 100644 index cf98b525..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G1_port_restriction_subnet.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-G1_port_restriction_subnet", - "source": "headscale_adapted", - "parent_test": "ProtocolPort", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["10.33.0.0/16:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G2_port_range_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-G2_port_range_subnet.json deleted file mode 100644 index 8ba71ffa..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G2_port_range_subnet.json +++ /dev/null 
@@ -1,137 +0,0 @@ -{ - "test_id": "ROUTES-G2_port_range_subnet", - "source": "headscale_adapted", - "parent_test": "ProtocolPort", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:80-443"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G3_multiple_ports_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-G3_multiple_ports_subnet.json deleted file mode 100644 index bf4ac5dd..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G3_multiple_ports_subnet.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-G3_multiple_ports_subnet", - "source": "headscale_adapted", - "parent_test": "AdditionalG", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:22,80,443"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G4_protocol_icmp_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-G4_protocol_icmp_subnet.json deleted file mode 100644 index 4cd3d20d..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G4_protocol_icmp_subnet.json +++ /dev/null 
@@ -1,209 +0,0 @@ -{ - "test_id": "ROUTES-G4_protocol_icmp_subnet", - "source": "headscale_adapted", - "parent_test": "AdditionalProtocol", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:*"], - "proto": "icmp" - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], 
- "approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [1] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [1] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [1] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [1] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G5_protocol_tcp_only.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-G5_protocol_tcp_only.json
deleted file mode 100644
index e3ec7225..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G5_protocol_tcp_only.json
+++ /dev/null
@@ -1,209 +0,0 @@ -{ - "test_id": "ROUTES-G5_protocol_tcp_only", - "source": "headscale_adapted", - "parent_test": "AdditionalProtocol", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:22"], - "proto": "tcp" - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G6_protocol_udp_only.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-G6_protocol_udp_only.json
deleted file mode 100644
index d2ca9172..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G6_protocol_udp_only.json
+++ /dev/null
@@ -1,209 +0,0 @@ -{ - "test_id": "ROUTES-G6_protocol_udp_only", - "source": "headscale_adapted", - "parent_test": "AdditionalProtocol", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:53"], - "proto": "udp" - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 53, - "Last": 53 - } - } - ], - "IPProto": [17] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 53, - "Last": 53 - } - } - ], - "IPProto": [17] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 53, - "Last": 53 - } - } - ], - "IPProto": [17] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 53, - "Last": 53 - } - } - ], - "IPProto": [17] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G7_all_ports_wildcard.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-G7_all_ports_wildcard.json
deleted file mode 100644
index 74a8cce4..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G7_all_ports_wildcard.json
+++ /dev/null
@@ -1,137 +0,0 @@ -{ - "test_id": "ROUTES-G7_all_ports_wildcard", - "source": "headscale_adapted", - "parent_test": "ProtocolPort", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["10.33.0.0/16:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G8_default_ipproto.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-G8_default_ipproto.json deleted file mode 100644 index 5d95947e..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-G8_default_ipproto.json +++ /dev/null 
@@ -1,131 +0,0 @@ -{ - "test_id": "ROUTES-G8_default_ipproto", - "source": "headscale_adapted", - "parent_test": "AdditionalG", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H10_very_small_prefix.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H10_very_small_prefix.json deleted file mode 100644 index d996d48c..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H10_very_small_prefix.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-H10_very_small_prefix", - "source": "headscale_adapted", - "parent_test": "EdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.100/32:80"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.100/32", - "Ports": { - "First": 80, - "Last": 80 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.100/32", - "Ports": { - "First": 80, - "Last": 80 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H11_ipv6_small_prefix.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H11_ipv6_small_prefix.json deleted file mode 100644 index bc91ab8e..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H11_ipv6_small_prefix.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-H11_ipv6_small_prefix", - "source": "headscale_adapted", - "parent_test": "AdditionalEdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["fd00::1/128:443"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "fd00::1/128", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "fd00::1/128", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H1_wildcard_srcips_format.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H1_wildcard_srcips_format.json deleted file mode 100644 index 98290253..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H1_wildcard_srcips_format.json +++ /dev/null 
@@ -1,157 +0,0 @@ -{ - "test_id": "ROUTES-H1_wildcard_srcips_format", - "source": "headscale_adapted", - "parent_test": "EdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["tag:router:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.64.0.0/10", - "fd7a:115c:a1e0::/48", - "10.0.0.0/8", - "10.33.0.0/16", - "172.16.0.0/24", - "192.168.1.0/24" - ] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H2_wildcard_dstports_format.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H2_wildcard_dstports_format.json deleted file mode 100644 index 8b36eaa9..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H2_wildcard_dstports_format.json +++ /dev/null 
@@ -1,173 +0,0 @@ -{ - "test_id": "ROUTES-H2_wildcard_dstports_format", - "source": "headscale_adapted", - "parent_test": "EdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::2d01:c747/128", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128" - ], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H3_cgnat_range_expansion.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H3_cgnat_range_expansion.json deleted file mode 100644 index df2dd12c..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H3_cgnat_range_expansion.json +++ /dev/null 
@@ -1,201 +0,0 @@ -{ - "test_id": "ROUTES-H3_cgnat_range_expansion", - "source": "headscale_adapted", - "parent_test": "EdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["tag:router:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "100.100.100.1/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.119.139.79/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.74.117.7/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::4001:8ba0/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::6401:6401/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::c401:7508/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H4_ipv6_range_in_srcips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H4_ipv6_range_in_srcips.json
deleted file mode 100644
index dd24116d..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H4_ipv6_range_in_srcips.json
+++ /dev/null
@@ -1,166 +0,0 @@ -{ - "test_id": "ROUTES-H4_ipv6_range_in_srcips", - "source": "headscale_adapted", - "parent_test": "EdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] 
- }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H5_subnet_overlaps_cgnat.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H5_subnet_overlaps_cgnat.json deleted file mode 100644 index 8c2107c4..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H5_subnet_overlaps_cgnat.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-H5_subnet_overlaps_cgnat", - "source": "headscale_adapted", - "parent_test": "AdditionalEdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["100.64.0.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "100.64.0.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "100.64.0.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H6_loopback_routes_not_distributed.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H6_loopback_routes_not_distributed.json deleted file mode 100644 index c81dca2b..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H6_loopback_routes_not_distributed.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-H6_loopback_routes_not_distributed", - "source": "headscale_adapted", - "parent_test": "AdditionalEdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["127.0.0.1/32:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "127.0.0.1/32", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "127.0.0.1/32", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H7_two_nodes_same_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H7_two_nodes_same_subnet.json deleted file mode 100644 index ff07bb06..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H7_two_nodes_same_subnet.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-H7_two_nodes_same_subnet", - "source": "headscale_adapted", - "parent_test": "EdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["192.168.1.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ha-router2": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H8_cgnat_overlap_blocked.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H8_cgnat_overlap_blocked.json deleted file mode 100644 index 2e8a34c7..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H8_cgnat_overlap_blocked.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-H8_cgnat_overlap_blocked", - "source": "headscale_adapted", - "parent_test": "AdditionalEdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["100.100.0.0/16:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H9_large_prefix_works.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-H9_large_prefix_works.json deleted file mode 100644 index 5e7cf160..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-H9_large_prefix_works.json +++ /dev/null 
@@ -1,173 +0,0 @@ -{ - "test_id": "ROUTES-H9_large_prefix_works", - "source": "headscale_adapted", - "parent_test": "EdgeCases", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["10.0.0.0/8:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::2d01:c747/128", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128" - ], - "DstPorts": [ - { - "IP": "10.0.0.0/8", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I1_ipv6_subnet_route.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-I1_ipv6_subnet_route.json deleted file mode 100644 index c1bd8d72..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I1_ipv6_subnet_route.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "test_id": "ROUTES-I1_ipv6_subnet_route", - "source": "headscale_adapted", - "parent_test": "IPv6", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "ipv6-router": { - "id": 2, - "hostname": "ipv6-router", - "ipv4": "100.119.139.80", - "ipv6": "fd7a:115c:a1e0::4001:8ba1", - "tags": ["tag:router"], - "routable_ips": ["fd00::/48"], - "approved_routes": ["fd00::/48"] - }, - "ipv6-child-router": { - "id": 3, - "hostname": "ipv6-child-router", - "ipv4": "100.119.139.81", - "ipv6": "fd7a:115c:a1e0::4001:8ba2", - "tags": ["tag:router"], - "routable_ips": ["fd00:1::/64"], - "approved_routes": ["fd00:1::/64"] - }, - "ipv6-exit": { - "id": 4, - "hostname": "ipv6-exit", - "ipv4": "100.121.32.2", - "ipv6": "fd7a:115c:a1e0::7f01:2005", - "tags": ["tag:exit"], - "routable_ips": ["::/0"], - "approved_routes": ["::/0"] - } - } - }, - "captures": { - "ipv6-router": { - "packet_filter_rules": null - }, - "ipv6-child-router": { - "packet_filter_rules": null - }, - "ipv6-exit": { - "packet_filter_rules": null - }, - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd00::/48", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I2_ipv6_exit_route.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-I2_ipv6_exit_route.json
deleted file mode 100644
index e5c1c8f0..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I2_ipv6_exit_route.json
+++ /dev/null
@@ -1,142 +0,0 @@ -{ - "test_id": "ROUTES-I2_ipv6_exit_route", - "source": "headscale_adapted", - "parent_test": "AdditionalIPv6", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] 
- }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I3_ipv6_in_wildcard_srcips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-I3_ipv6_in_wildcard_srcips.json deleted file mode 100644 index 58406cda..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I3_ipv6_in_wildcard_srcips.json +++ /dev/null 
@@ -1,195 +0,0 @@ -{ - "test_id": "ROUTES-I3_ipv6_in_wildcard_srcips", - "source": "headscale_adapted", - "parent_test": "AdditionalIPv6", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["tag:router:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "100.100.100.1/32", - "Ports": { - "First": 22, - "Last": 22 - } - }, - { - "IP": "100.119.139.79/32", - "Ports": { - "First": 22, - "Last": 22 - } - }, - { - "IP": "100.74.117.7/32", - "Ports": { - "First": 22, - "Last": 22 - } - }, - { - "IP": "fd7a:115c:a1e0::4001:8ba0/128", - "Ports": { - "First": 22, - "Last": 22 - } - }, - { - "IP": "fd7a:115c:a1e0::6401:6401/128", - "Ports": { - "First": 22, - "Last": 22 - } - }, - { - "IP": "fd7a:115c:a1e0::c401:7508/128", - "Ports": { - "First": 22, - "Last": 22 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I4_ipv6_specific_acl.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-I4_ipv6_specific_acl.json deleted file mode 100644 index 4c0d1b0f..00000000 
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I4_ipv6_specific_acl.json
+++ /dev/null
@@ -1,132 +0,0 @@ -{ - "test_id": "ROUTES-I4_ipv6_specific_acl", - "source": "headscale_adapted", - "parent_test": "IPv6", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["fd00:1::/64:443"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "ipv6-router": { - "id": 2, - "hostname": "ipv6-router", - "ipv4": "100.119.139.80", - "ipv6": "fd7a:115c:a1e0::4001:8ba1", - "tags": ["tag:router"], - "routable_ips": ["fd00::/48"], - "approved_routes": ["fd00::/48"] - }, - "ipv6-child-router": { - "id": 3, - "hostname": "ipv6-child-router", - "ipv4": "100.119.139.81", - "ipv6": "fd7a:115c:a1e0::4001:8ba2", - "tags": ["tag:router"], - "routable_ips": ["fd00:1::/64"], - "approved_routes": ["fd00:1::/64"] - }, - "ipv6-exit": { - "id": 4, - "hostname": "ipv6-exit", - "ipv4": "100.121.32.2", - "ipv6": "fd7a:115c:a1e0::7f01:2005", - "tags": ["tag:exit"], - "routable_ips": ["::/0"], - "approved_routes": ["::/0"] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "ipv6-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "fd00:1::/64", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ipv6-child-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "fd00:1::/64", - "Ports": { - "First": 443, - 
"Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ipv6-exit": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "fd00:1::/64", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I5_ipv6_parent_child_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-I5_ipv6_parent_child_routes.json deleted file mode 100644 index b58bae9a..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I5_ipv6_parent_child_routes.json +++ /dev/null 
@@ -1,118 +0,0 @@ -{ - "test_id": "ROUTES-I5_ipv6_parent_child_routes", - "source": "headscale_adapted", - "parent_test": "IPv6", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["fd00:1:2::/80:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "ipv6-router": { - "id": 2, - "hostname": "ipv6-router", - "ipv4": "100.119.139.80", - "ipv6": "fd7a:115c:a1e0::4001:8ba1", - "tags": ["tag:router"], - "routable_ips": ["fd00::/48"], - "approved_routes": ["fd00::/48"] - }, - "ipv6-child-router": { - "id": 3, - "hostname": "ipv6-child-router", - "ipv4": "100.119.139.81", - "ipv6": "fd7a:115c:a1e0::4001:8ba2", - "tags": ["tag:router"], - "routable_ips": ["fd00:1::/64"], - "approved_routes": ["fd00:1::/64"] - }, - "ipv6-exit": { - "id": 4, - "hostname": "ipv6-exit", - "ipv4": "100.121.32.2", - "ipv6": "fd7a:115c:a1e0::7f01:2005", - "tags": ["tag:exit"], - "routable_ips": ["::/0"], - "approved_routes": ["::/0"] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "ipv6-child-router": { - "packet_filter_rules": null - }, - "ipv6-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.116.73.38/32", "fd7a:115c:a1e0::a801:4949/128"], - "DstPorts": [ - { - "IP": "fd00:1:2::/80", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ipv6-exit": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.116.73.38/32", 
"fd7a:115c:a1e0::a801:4949/128"], - "DstPorts": [ - { - "IP": "fd00:1:2::/80", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I6_dual_stack_node.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-I6_dual_stack_node.json deleted file mode 100644 index a1af97e6..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I6_dual_stack_node.json +++ /dev/null 
@@ -1,185 +0,0 @@ -{ - "test_id": "ROUTES-I6_dual_stack_node", - "source": "headscale_adapted", - "parent_test": "AdditionalIPv6", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:*"] - }, - { - "action": "accept", - "src": ["*"], - "dst": ["fd00:1::/64:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": 
["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.0.0/16", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I7_ipv6_exit_coverage.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-I7_ipv6_exit_coverage.json deleted file mode 100644 index 83088efe..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-I7_ipv6_exit_coverage.json +++ /dev/null 
@@ -1,104 +0,0 @@ -{ - "test_id": "ROUTES-I7_ipv6_exit_coverage", - "source": "headscale_adapted", - "parent_test": "IPv6", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["2001:db8::/32:443"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "ipv6-router": { - "id": 2, - "hostname": "ipv6-router", - "ipv4": "100.119.139.80", - "ipv6": "fd7a:115c:a1e0::4001:8ba1", - "tags": ["tag:router"], - "routable_ips": ["fd00::/48"], - "approved_routes": ["fd00::/48"] - }, - "ipv6-child-router": { - "id": 3, - "hostname": "ipv6-child-router", - "ipv4": "100.119.139.81", - "ipv6": "fd7a:115c:a1e0::4001:8ba2", - "tags": ["tag:router"], - "routable_ips": ["fd00:1::/64"], - "approved_routes": ["fd00:1::/64"] - }, - "ipv6-exit": { - "id": 4, - "hostname": "ipv6-exit", - "ipv4": "100.121.32.2", - "ipv6": "fd7a:115c:a1e0::7f01:2005", - "tags": ["tag:exit"], - "routable_ips": ["::/0"], - "approved_routes": ["::/0"] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "ipv6-router": { - "packet_filter_rules": null - }, - "ipv6-child-router": { - "packet_filter_rules": null - }, - "ipv6-exit": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "2001:db8::/32", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O10_acl_dest_covered_by_multiple.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O10_acl_dest_covered_by_multiple.json
deleted file mode 100644
index 21757d22..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O10_acl_dest_covered_by_multiple.json
+++ /dev/null
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-O10_acl_dest_covered_by_multiple", - "source": "headscale_adapted", - "parent_test": "AdditionalO", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.1.0/24:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O11_acl_dest_not_covered.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O11_acl_dest_not_covered.json deleted file mode 100644 index 033c873d..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O11_acl_dest_not_covered.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-O11_acl_dest_not_covered", - "source": "headscale_adapted", - "parent_test": "AdditionalO", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["192.168.99.0/24:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O12_filter_dest_is_acl_cidr.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O12_filter_dest_is_acl_cidr.json deleted file mode 100644 index 75ef51b3..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O12_filter_dest_is_acl_cidr.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-O12_filter_dest_is_acl_cidr", - "source": "headscale_adapted", - "parent_test": "Overlapping", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.1.0/24:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O1_overlapping_routes_not_merged.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O1_overlapping_routes_not_merged.json deleted file mode 100644 index cd69ac8d..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O1_overlapping_routes_not_merged.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-O1_overlapping_routes_not_merged", - "source": "headscale_adapted", - "parent_test": "AdditionalO", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "client1": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O2_ha_routers_both_get_filter.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O2_ha_routers_both_get_filter.json deleted file mode 100644 index 1720d849..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O2_ha_routers_both_get_filter.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-O2_ha_routers_both_get_filter", - "source": "headscale_adapted", - "parent_test": "Overlapping", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["192.168.1.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O3_parent_child_different_nodes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O3_parent_child_different_nodes.json deleted file mode 100644 index 58630780..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O3_parent_child_different_nodes.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-O3_parent_child_different_nodes", - "source": "headscale_adapted", - "parent_test": "Overlapping", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.1.0/24:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O4_three_way_hierarchy.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O4_three_way_hierarchy.json deleted file mode 100644 index feb23215..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O4_three_way_hierarchy.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-O4_three_way_hierarchy", - "source": "headscale_adapted", - "parent_test": "AdditionalO", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.1.128/25:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O5_sibling_routes_with_parent_acl.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O5_sibling_routes_with_parent_acl.json deleted file mode 100644 index 5e2d493c..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O5_sibling_routes_with_parent_acl.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-O5_sibling_routes_with_parent_acl", - "source": "headscale_adapted", - "parent_test": "AdditionalO", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.0.0.0/8:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O6_exit_route_expands_filter_dist.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O6_exit_route_expands_filter_dist.json deleted file mode 100644 index 55b38e0a..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O6_exit_route_expands_filter_dist.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-O6_exit_route_expands_filter_dist", - "source": "headscale_adapted", - "parent_test": "Overlapping", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["8.8.8.0/24:53"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "8.8.8.0/24", - "Ports": { - "First": 53, - "Last": 53 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "8.8.8.0/24", - "Ports": { - "First": 53, - "Last": 53 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O7_specific_ip_targeting.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O7_specific_ip_targeting.json deleted file mode 100644 index 9cd5c63f..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O7_specific_ip_targeting.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-O7_specific_ip_targeting", - "source": "headscale_adapted", - "parent_test": "AdditionalO", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.100/32:80"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O8_same_node_overlapping_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O8_same_node_overlapping_routes.json deleted file mode 100644 index 9c4b2b8a..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O8_same_node_overlapping_routes.json +++ /dev/null 
@@ -1,208 +0,0 @@ -{ - "test_id": "ROUTES-O8_same_node_overlapping_routes", - "source": "headscale_adapted", - "parent_test": "AdditionalOverlapping", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.1.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "big-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "10.33.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O9_different_nodes_same_route.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-O9_different_nodes_same_route.json
deleted file mode 100644
index b9da38f4..00000000
--- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-O9_different_nodes_same_route.json
+++ /dev/null
@@ -1,236 +0,0 @@ -{ - "test_id": "ROUTES-O9_different_nodes_same_route", - "source": "headscale_adapted", - "parent_test": "AdditionalOverlapping", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["192.168.1.0/24:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": 
["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128", - "fd7a:115c:a1e0::2d01:c747/128" - ], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "ha-router2": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128", - "fd7a:115c:a1e0::2d01:c747/128" - ], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128", - "fd7a:115c:a1e0::2d01:c747/128" - ], - 
"DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.116.73.38/32", - "100.89.42.23/32", - "100.90.199.68/32", - "fd7a:115c:a1e0::a801:4949/128", - "fd7a:115c:a1e0::d01:2a2e/128", - "fd7a:115c:a1e0::2d01:c747/128" - ], - "DstPorts": [ - { - "IP": "192.168.1.0/24", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R1_exit_covers_external_dest.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-R1_exit_covers_external_dest.json deleted file mode 100644 index d341c5bb..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R1_exit_covers_external_dest.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-R1_exit_covers_external_dest", - "source": "headscale_adapted", - "parent_test": "RouteCoverage", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["8.8.8.0/24:53"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "8.8.8.0/24", - "Ports": { - "First": 53, - "Last": 53 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "8.8.8.0/24", - "Ports": { - "First": 53, - "Last": 53 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R2_parent_route_covers_child_dest.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-R2_parent_route_covers_child_dest.json deleted file mode 100644 index 24b19431..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R2_parent_route_covers_child_dest.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-R2_parent_route_covers_child_dest", - "source": "headscale_adapted", - "parent_test": "RouteCoverage", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.1.0/24:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R3_sibling_routes_no_coverage.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-R3_sibling_routes_no_coverage.json deleted file mode 100644 index 8fc3887a..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R3_sibling_routes_no_coverage.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-R3_sibling_routes_no_coverage", - "source": "headscale_adapted", - "parent_test": "RouteCoverage", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.34.0.0/16:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R4_exact_match_route.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-R4_exact_match_route.json deleted file mode 100644 index 683ecc13..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R4_exact_match_route.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-R4_exact_match_route", - "source": "headscale_adapted", - "parent_test": "RouteCoverage", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R5_route_coverage_check_logic.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-R5_route_coverage_check_logic.json deleted file mode 100644 index 074e6628..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R5_route_coverage_check_logic.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-R5_route_coverage_check_logic", - "source": "headscale_adapted", - "parent_test": "AdditionalR", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.1.0/24:22"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R6_ipv6_route_coverage.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-R6_ipv6_route_coverage.json deleted file mode 100644 index bb14acfc..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R6_ipv6_route_coverage.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-R6_ipv6_route_coverage", - "source": "headscale_adapted", - "parent_test": "AdditionalR", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["fd7a:115c:a1e0::1/128:443"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R7_exit_ipv6_coverage.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-R7_exit_ipv6_coverage.json deleted file mode 100644 index fd03a3cc..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R7_exit_ipv6_coverage.json +++ /dev/null 
@@ -1,180 +0,0 @@ -{ - "test_id": "ROUTES-R7_exit_ipv6_coverage", - "source": "headscale_adapted", - "parent_test": "AdditionalR", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["2001:db8::1/128:443"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "2001:db8::1/128", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": ["100.64.0.0/10", "fd7a:115c:a1e0::/48"], - "DstPorts": [ - { - "IP": "2001:db8::1/128", - "Ports": { - "First": 443, - "Last": 443 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R8_mixed_ipv4_ipv6_coverage.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-R8_mixed_ipv4_ipv6_coverage.json deleted file mode 100644 index 375069a0..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-R8_mixed_ipv4_ipv6_coverage.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-R8_mixed_ipv4_ipv6_coverage", - "source": "headscale_adapted", - "parent_test": "AdditionalR", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["10.33.0.0/16:*", "fd7a:115c:a1e0::/64:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": 
["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-T1_tags_resolve_to_ips_not_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-T1_tags_resolve_to_ips_not_routes.json deleted file mode 100644 index b31702b6..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-T1_tags_resolve_to_ips_not_routes.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-T1_tags_resolve_to_ips_not_routes", - "source": "headscale_adapted", - "parent_test": "TagResolution", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:router"], - "dst": ["tag:router:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-T2_tag_to_tag_with_exit.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-T2_tag_to_tag_with_exit.json deleted file mode 100644 index e1d68c8f..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-T2_tag_to_tag_with_exit.json +++ /dev/null 
@@ -1,232 +0,0 @@ -{ - "test_id": "ROUTES-T2_tag_to_tag_with_exit", - "source": "headscale_adapted", - "parent_test": "TagResolution", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:exit"], - "dst": ["tag:exit:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.121.32.1/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::7f01:2004/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "100.121.32.1/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.74.117.7/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::7f01:2004/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::c401:7508/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.121.32.1/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::7f01:2004/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "100.121.32.1/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.74.117.7/32", - "Ports": { - 
"First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::7f01:2004/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::c401:7508/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-T3_tag_src_includes_all_tagged.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-T3_tag_src_includes_all_tagged.json deleted file mode 100644 index dbce7c4b..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-T3_tag_src_includes_all_tagged.json +++ /dev/null 
@@ -1,165 +0,0 @@ -{ - "test_id": "ROUTES-T3_tag_src_includes_all_tagged", - "source": "headscale_adapted", - "parent_test": "AdditionalT", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:router"], - "dst": ["*:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "client1": { - "packet_filter_rules": [ - { - "SrcIPs": [], - "DstPorts": [ - { - "IP": "*", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-T4_tag_dst_includes_all_tagged.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-T4_tag_dst_includes_all_tagged.json deleted file mode 100644 index 92257dda..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-T4_tag_dst_includes_all_tagged.json +++ /dev/null 
@@ -1,152 +0,0 @@ -{ - "test_id": "ROUTES-T4_tag_dst_includes_all_tagged", - "source": "headscale_adapted", - "parent_test": "AdditionalT", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["*"], - "dst": ["tag:ha:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": 
["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": null - }, - "multi-router": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-T5_multi_tag_node_in_both.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-T5_multi_tag_node_in_both.json deleted file mode 100644 index cb942e6c..00000000 --- a/hscontrol/policy/v2/testdata/routes_results/ROUTES-T5_multi_tag_node_in_both.json +++ /dev/null 
@@ -1,236 +0,0 @@ -{ - "test_id": "ROUTES-T5_multi_tag_node_in_both", - "source": "headscale_adapted", - "parent_test": "TagResolution", - "input": { - "full_policy": { - "groups": { - "group:admins": ["kratail2tid@"], - "group:empty": [] - }, - "tagOwners": { - "tag:router": ["kratail2tid@"], - "tag:exit": ["kratail2tid@"], - "tag:ha": ["kratail2tid@"] - }, - "hosts": { - "internal": "10.0.0.0/8", - "subnet24": "192.168.1.0/24" - }, - "acls": [ - { - "action": "accept", - "src": ["tag:router"], - "dst": ["tag:exit:*"] - } - ] - } - }, - "topology": { - "users": [ - { - "id": 1, - "name": "kratail2tid" - } - ], - "nodes": { - "client1": { - "id": 1, - "hostname": "client1", - "ipv4": "100.116.73.38", - "ipv6": "fd7a:115c:a1e0::a801:4949", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "client2": { - "id": 2, - "hostname": "client2", - "ipv4": "100.89.42.23", - "ipv6": "fd7a:115c:a1e0::d01:2a2e", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - }, - "subnet-router": { - "id": 3, - "hostname": "subnet-router", - "ipv4": "100.119.139.79", - "ipv6": "fd7a:115c:a1e0::4001:8ba0", - "tags": ["tag:router"], - "routable_ips": ["10.33.0.0/16"], - "approved_routes": ["10.33.0.0/16"] - }, - "exit-node": { - "id": 4, - "hostname": "exit-node", - "ipv4": "100.121.32.1", - "ipv6": "fd7a:115c:a1e0::7f01:2004", - "tags": ["tag:exit"], - "routable_ips": ["0.0.0.0/0", "::/0"], - "approved_routes": ["0.0.0.0/0", "::/0"] - }, - "multi-router": { - "id": 5, - "hostname": "multi-router", - "ipv4": "100.74.117.7", - "ipv6": "fd7a:115c:a1e0::c401:7508", - "tags": ["tag:router", "tag:exit"], - "routable_ips": ["172.16.0.0/24", "0.0.0.0/0", "::/0"], - "approved_routes": ["172.16.0.0/24", "0.0.0.0/0", "::/0"] - }, - "ha-router1": { - "id": 6, - "hostname": "ha-router1", - "ipv4": "100.85.37.108", - "ipv6": "fd7a:115c:a1e0::f101:2597", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - 
"approved_routes": ["192.168.1.0/24"] - }, - "ha-router2": { - "id": 7, - "hostname": "ha-router2", - "ipv4": "100.119.130.32", - "ipv6": "fd7a:115c:a1e0::4501:82a9", - "tags": ["tag:ha"], - "routable_ips": ["192.168.1.0/24"], - "approved_routes": ["192.168.1.0/24"] - }, - "big-router": { - "id": 8, - "hostname": "big-router", - "ipv4": "100.100.100.1", - "ipv6": "fd7a:115c:a1e0::6401:6401", - "tags": ["tag:router"], - "routable_ips": ["10.0.0.0/8"], - "approved_routes": ["10.0.0.0/8"] - }, - "user1": { - "id": 9, - "hostname": "user1", - "ipv4": "100.90.199.68", - "ipv6": "fd7a:115c:a1e0::2d01:c747", - "tags": [], - "user": "kratail2tid", - "routable_ips": [], - "approved_routes": [] - } - } - }, - "captures": { - "client1": { - "packet_filter_rules": null - }, - "client2": { - "packet_filter_rules": null - }, - "subnet-router": { - "packet_filter_rules": null - }, - "ha-router1": { - "packet_filter_rules": null - }, - "ha-router2": { - "packet_filter_rules": null - }, - "big-router": { - "packet_filter_rules": null - }, - "user1": { - "packet_filter_rules": null - }, - "exit-node": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.100.100.1/32", - "100.119.139.79/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::4001:8ba0/128", - "fd7a:115c:a1e0::6401:6401/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ - { - "IP": "100.121.32.1/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.74.117.7/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::7f01:2004/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::c401:7508/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - }, - "multi-router": { - "packet_filter_rules": [ - { - "SrcIPs": [ - "100.100.100.1/32", - "100.119.139.79/32", - "100.74.117.7/32", - "fd7a:115c:a1e0::4001:8ba0/128", - "fd7a:115c:a1e0::6401:6401/128", - "fd7a:115c:a1e0::c401:7508/128" - ], - "DstPorts": [ 
- { - "IP": "100.121.32.1/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "100.74.117.7/32", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::7f01:2004/128", - "Ports": { - "First": 0, - "Last": 65535 - } - }, - { - "IP": "fd7a:115c:a1e0::c401:7508/128", - "Ports": { - "First": 0, - "Last": 65535 - } - } - ], - "IPProto": [6, 17, 1, 58] - } - ] - } - } -} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-a1_wildcard_acl_includes_routes_in_srcips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a1_wildcard_acl_includes_routes_in_srcips.json new file mode 100644 index 00000000..46146358 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a1_wildcard_acl_includes_routes_in_srcips.json 
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-a1_wildcard_acl_includes_routes_in_srcips", + "timestamp": "2026-03-17T16:13:48Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_a1_wildcard_acl_includes_routes_in_srcips.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } 
+ ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + 
] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-a2_tag_based_acl_excludes_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a2_tag_based_acl_excludes_routes.json new file mode 100644 index 00000000..179a0055 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a2_tag_based_acl_excludes_routes.json 
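Review bot: The new capture stores real account identifiers verbatim: `kristoffer@dalby.cc` under `group:developers`, the `...@passkey` logins in `groups` and `tagOwners`, and the tailnet name inside `api_endpoint` (`.../tailnet/kratail2tid%40passkey/acl`). The commit message says the routes driver rewrites @passkey/@dalby.cc to @example.com, which suggests the substitution happens only when the test loads the file, so the raw values stay in the repository and its history. Scrubbing at capture time would avoid that, for example `"group:developers": ["developer@example.com", "admin@example.com"]` (constructed names, to be aligned with whatever mapping the driver expects). `api_endpoint` could likewise be dropped or given a placeholder tailnet if the driver does not read it, which is not visible from this hunk. The same values recur in the ROUTES-a2 file that follows.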
@@ -0,0 +1,243 @@ +{ + "test_id": "ROUTES-a2_tag_based_acl_excludes_routes", + "timestamp": "2026-03-17T16:13:59Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_a2_tag_based_acl_excludes_routes.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:router"], + "dst": ["tag:router:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "100.97.174.21", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::5137:ae15", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "100.119.241.111", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3337:f16f", + "Ports": { + "First": 0, + "Last": 
65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "100.92.142.61", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3e37:8e3d", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-a3_explicit_subnet_filter_to_router.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a3_explicit_subnet_filter_to_router.json new file mode 100644 index 00000000..732d79bb --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a3_explicit_subnet_filter_to_router.json 
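Review bot: The `input.full_policy` block of this fixture still carries the capture's real account identifiers (`kristoffer@dalby.cc`, `kratail2tid@passkey`, `monitorpasskeykradalby@passkey`), and `api_endpoint` embeds the tailnet name. The rewrite to @example.com described in the commit message therefore happens only when the test loads the file, not in what is stored in the repository. Scrubbing at capture time would keep these values out of git history, for example `"group:admins": ["admin@example.com"]` and `"api_endpoint": "https://api.tailscale.com/api/v2/tailnet/<TAILNET>/acl"` (placeholder values). The load-time conversion in the driver could then presumably be dropped. The same `input` block is repeated in the ROUTES-a3, a3b, a4, a5 and b10 files in this diff.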
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-a3_explicit_subnet_filter_to_router", + "timestamp": "2026-03-17T16:14:20Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_a3_explicit_subnet_filter_to_router.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-a3b_autogroup_member_to_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a3b_autogroup_member_to_subnet.json new file mode 100644 index 00000000..61926732 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a3b_autogroup_member_to_subnet.json 
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-a3b_autogroup_member_to_subnet", + "timestamp": "2026-03-17T16:14:10Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_a3b_autogroup_member_to_subnet.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["10.33.0.0/16:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + 
"ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": 
null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-a4_multiple_routes_same_router.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a4_multiple_routes_same_router.json new file mode 100644 index 00000000..c2ec24db --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a4_multiple_routes_same_router.json 
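Review bot: The expected result here depends on which node serves 10.33.0.0/16, but `topology.nodes` records only hostname, tags and addresses. `big-router` and `subnet-router` receive the rule while `multi-router` gets `null`, although all three carry `tag:router` and fall under the same `autoApprovers` entry, so nothing in the file explains the difference. Recording the advertised and approved prefixes per node would make the fixture self-describing, e.g. a field such as `"approved_routes": ["10.33.0.0/16"]` (constructed sample, not taken from the capture). It would also let the test fail loudly if the driver's hard-coded topology drifts from the capture. The same gap applies to ROUTES-a3, ROUTES-a4 and ROUTES-a5.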
@@ -0,0 +1,183 @@ +{ + "test_id": "ROUTES-a4_multiple_routes_same_router", + "timestamp": "2026-03-17T16:14:31Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_a4_multiple_routes_same_router.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["172.16.0.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "172.16.0.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-a5_host_alias_to_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a5_host_alias_to_subnet.json new file mode 100644 index 00000000..44a586cb --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-a5_host_alias_to_subnet.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-a5_host_alias_to_subnet", + "timestamp": "2026-03-17T16:14:41Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_a5_host_alias_to_subnet.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["internal:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" 
+ }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.0.0.0/8", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.0.0.0/8", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + 
"tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-b10_exit_routes_not_in_primaryroutes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b10_exit_routes_not_in_primaryroutes.json new file mode 100644 index 00000000..a42c0802 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b10_exit_routes_not_in_primaryroutes.json 
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-b10_exit_routes_not_in_primaryroutes", + "timestamp": "2026-03-17T16:14:52Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_b10_exit_routes_not_in_primaryroutes.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } 
+ ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + 
] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-b1_exit_routes_not_in_srcips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b1_exit_routes_not_in_srcips.json new file mode 100644 index 00000000..b4fd7fba --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b1_exit_routes_not_in_srcips.json 
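Review bot: This capture cannot verify the property in its `test_id`, because it holds only `packet_filter_rules` and nothing about PrimaryRoutes. Its policy (`src: ["*"]`, `dst: ["*:*"]`) and the per-node rules visible here match the ROUTES-b1 file that follows, as far as that hunk is shown, so the two cases appear to assert the same thing. Unless the driver checks PrimaryRoutes from another source, either extend the capture with the node's route state or describe the case by what it actually compares, so a regression in exit-route handling is not assumed to be covered.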
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-b1_exit_routes_not_in_srcips", + "timestamp": "2026-03-17T16:15:03Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_b1_exit_routes_not_in_srcips.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } 
+ ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + 
] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-b2_tag_exit_excludes_exit_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b2_tag_exit_excludes_exit_routes.json new file mode 100644 index 00000000..aacbbe2e --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b2_tag_exit_excludes_exit_routes.json 
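Review bot: The capture is committed with the real tailnet identities still in it: `groups` and `tagOwners` list `kratail2tid@passkey`, `kristoffer@dalby.cc` and `monitorpasskeykradalby@passkey`, and `api_endpoint` embeds the tailnet name. According to the commit message the driver rewrites these to @example.com only when the file is loaded, so the account identifiers remain in the repository and its history. Rewriting them in the capture step would keep the fixtures self-contained and make the load-time conversion unnecessary, for example `"api_endpoint": "https://api.tailscale.com/api/v2/tailnet/<tailnet>/acl"` (placeholder) and example.com addresses in `groups`/`tagOwners`. The same applies to the b2 to b6 files that follow.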
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-b2_tag_exit_excludes_exit_routes", + "timestamp": "2026-03-17T16:15:13Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_b2_tag_exit_excludes_exit_routes.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:exit"], + "dst": ["tag:exit:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "100.85.66.106", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::7c37:426a", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "100.119.241.111", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3337:f16f", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + 
"packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-b3_exit_node_advertises_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b3_exit_node_advertises_routes.json new file mode 100644 index 00000000..11db46b8 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b3_exit_node_advertises_routes.json 
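Review bot: Ten of the twelve nodes in this file are recorded as `"packet_filter_rules": null`, and that is the expectation that matters most for this policy: nodes outside `tag:exit` must receive no filter rules at all. The comparison should treat `null` as an assertion that the generated filter is empty, not as a missing capture to skip. Otherwise an over-permissive result for those nodes would pass unnoticed. The driver is not part of this hunk, so this may already be handled; a line in the test's doc comment such as `// a null packet_filter_rules capture means the node must get zero rules` would make the contract explicit.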
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-b3_exit_node_advertises_routes", + "timestamp": "2026-03-17T16:15:24Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_b3_exit_node_advertises_routes.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } 
+ ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + 
] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-b4_multi_router_has_both_route_types.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b4_multi_router_has_both_route_types.json new file mode 100644 index 00000000..166ffe73 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b4_multi_router_has_both_route_types.json 
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-b4_multi_router_has_both_route_types", + "timestamp": "2026-03-17T16:15:35Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_b4_multi_router_has_both_route_types.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } 
+ ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + 
] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-b5_exit_with_wildcard_dst.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b5_exit_with_wildcard_dst.json new file mode 100644 index 00000000..3cb201b9 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b5_exit_with_wildcard_dst.json 
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-b5_exit_with_wildcard_dst", + "timestamp": "2026-03-17T16:15:45Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_b5_exit_with_wildcard_dst.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + }, 
+ "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-b6_exit_node_option_field.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b6_exit_node_option_field.json new file mode 100644 index 00000000..97a8a2ab --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b6_exit_node_option_field.json 
@@ -0,0 +1,318 @@ +{ + "test_id": "ROUTES-b6_exit_node_option_field", + "timestamp": "2026-03-17T16:15:56Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_b6_exit_node_option_field.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:exit"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + 
"First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", 
"fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-b7_multiple_exit_nodes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b7_multiple_exit_nodes.json new file mode 100644 index 00000000..301e5de5 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b7_multiple_exit_nodes.json 
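Review bot: The fixture is committed with the capture account's real identifiers still in it: `input.full_policy.groups` and `tagOwners` list `kristoffer@dalby.cc` and the `@passkey` logins, and `input.api_endpoint` embeds the tailnet name. The commit message says the routes driver rewrites these addresses to `@example.com` when loading, so the raw values do not appear to be needed for the comparison. Scrubbing them in the capture step would keep them out of the repository history, for example `"api_endpoint": "https://api.tailscale.com/api/v2/tailnet/<TAILNET>/acl"` (placeholder). The same values recur in the ROUTES-b7, b8, b9, d10 and d11 hunks below.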
@@ -0,0 +1,318 @@ +{ + "test_id": "ROUTES-b7_multiple_exit_nodes", + "timestamp": "2026-03-17T16:16:07Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_b7_multiple_exit_nodes.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:exit"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + 
}, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } 
+ ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ 
+ { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-b8_autogroup_internet_no_filters.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b8_autogroup_internet_no_filters.json new file mode 100644 index 00000000..e43aec05 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b8_autogroup_internet_no_filters.json 
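Review bot: This case cannot fail independently of ROUTES-b6: the `acls` entry (`"src": ["tag:exit"]`, `"dst": ["*:*"]`) and all twelve `captures` entries are the same in both files, and only `test_id`, `timestamp` and `policy_file` differ. Because the capture holds only `packet_filter_rules`, whatever `exit_node_option_field` and `multiple_exit_nodes` were meant to distinguish is not recorded; the same applies to ROUTES-b9, whose name refers to AllowedIPs. If the distinguishing state lives outside the packet filter, it would need to be captured as well, or the driver should state that these cases assert filter rules only.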
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-b8_autogroup_internet_no_filters", + "timestamp": "2026-03-17T16:16:17Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_b8_autogroup_internet_no_filters.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["autogroup:internet:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": 
"100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-b9_exit_routes_in_allowedips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b9_exit_routes_in_allowedips.json new file mode 100644 index 00000000..249aff93 --- /dev/null 
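Review bot: Every node in `captures` expects `"packet_filter_rules": null`, so this case also passes when the replayed policy yields no rules for an unrelated reason, such as the `autogroup:internet:*` destination failing to resolve or the policy not being applied at all. The driver is not visible in this hunk; if it does not already do so, it should assert that the policy parsed and was set without error before comparing. It should also make an explicit choice about whether `null` and an empty rule list count as equal, rather than leaving that to the comparison helper.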
+++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-b9_exit_routes_in_allowedips.json 
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-b9_exit_routes_in_allowedips", + "timestamp": "2026-03-17T16:16:28Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_b9_exit_routes_in_allowedips.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } 
+ ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + 
] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d10_auto_approval_retroactive.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d10_auto_approval_retroactive.json new file mode 100644 index 00000000..35c4899a --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d10_auto_approval_retroactive.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-d10_auto_approval_retroactive", + "timestamp": "2026-03-17T16:16:38Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d10_auto_approval_retroactive.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:443"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 443, + "Last": 443 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 443, + "Last": 443 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d11_overlapping_auto_approvers.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d11_overlapping_auto_approvers.json new file mode 100644 index 00000000..140f3bd8 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d11_overlapping_auto_approvers.json 
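Review bot: The expected result depends on state the file does not record: only `big-router` and `subnet-router` receive the `10.33.0.0/16` port 443 rule, while `multi-router`, which also carries `tag:router`, gets `null`, yet `topology.nodes` lists only hostname, tags and addresses. Which node advertises which prefix, and which of those routes are approved, presumably comes from the test driver. If so, a per-node field in the capture (a proposed name would be `"approved_routes": ["<PREFIX>"]`, placeholder) or a comment beside the driver's route table would let a reader check the capture against the topology. The `SrcIPs` lists here and in ROUTES-b9 and ROUTES-d11 include `10.33.0.0/16`, `172.16.0.0/24` and `192.168.1.0/24` for the same unrecorded reason.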
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-d11_overlapping_auto_approvers", + "timestamp": "2026-03-17T16:16:49Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d11_overlapping_auto_approvers.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.0.0.0/8:80"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.0.0.0/8", + "Ports": { + "First": 80, + "Last": 80 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.0.0.0/8", + "Ports": { + "First": 80, + "Last": 80 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d1_basic_route_auto_approval.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d1_basic_route_auto_approval.json new file mode 100644 index 00000000..dd9b4431 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d1_basic_route_auto_approval.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-d1_basic_route_auto_approval", + "timestamp": "2026-03-17T16:17:00Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d1_basic_route_auto_approval.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d2_nested_prefix_approval.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d2_nested_prefix_approval.json new file mode 100644 index 00000000..171746a9 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d2_nested_prefix_approval.json 
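Review bot: The `full_policy` and `api_endpoint` fields in this golden file carry the capturing account's real identifiers: a personal e-mail address in `group:developers` and the tailnet name inside the Tailscale API URL. The same values recur in the d2 to d7 files that follow. The commit message says the routes driver rewrites `@passkey`/`@dalby.cc` to `@example.com` at load time, which keeps the tests neutral but leaves the originals in the repository and its history. Scrubbing at capture time would avoid that, for example `"group:developers": ["kristoffer@example.com", "kratail2tid@example.com"]` and `"api_endpoint": "https://api.tailscale.com/api/v2/tailnet/<tailnet>/acl"`. This assumes the driver's conversion tolerates already-converted values, which cannot be confirmed because the driver is outside this hunk.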
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-d2_nested_prefix_approval", + "timestamp": "2026-03-17T16:17:10Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d2_nested_prefix_approval.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d3_exact_prefix_approval.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d3_exact_prefix_approval.json new file mode 100644 index 00000000..d6c23070 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d3_exact_prefix_approval.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-d3_exact_prefix_approval", + "timestamp": "2026-03-17T16:17:21Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d3_exact_prefix_approval.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d4_prefix_not_covered.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d4_prefix_not_covered.json new file mode 100644 index 00000000..a0705d4c --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d4_prefix_not_covered.json 
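Review bot: This capture differs from ROUTES-d1 only in `test_id`, `timestamp` and `policy_file`. Both use `"dst": ["10.33.0.0/16:*"]` with the same `autoApprovers` block, and both expect the same single rule on big-router and subnet-router with `null` everywhere else. As far as the golden data shows, the "exact prefix" case therefore adds no coverage beyond the "basic" one. If d3 is meant to exercise a route that exactly matches an `autoApprovers` key, the ACL destination or the advertised route needs to differ from d1. Otherwise one of the two files can be dropped.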
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-d4_prefix_not_covered", + "timestamp": "2026-03-17T16:17:32Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d4_prefix_not_covered.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["192.168.1.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" 
+ }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + 
}, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d5_wrong_tag_not_approved.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d5_wrong_tag_not_approved.json new file mode 100644 index 00000000..ba74c733 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d5_wrong_tag_not_approved.json 
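Review bot: Nothing in this file records which routes each node advertised or had approved, so the expected outcome cannot be checked by reading it. `topology.nodes` lists only hostname, tags and addresses, and the capture holds only `packet_filter_rules`. The test name says a prefix is not covered, yet the visible result is that ha-router1 and ha-router2 receive a rule for `192.168.1.0/24` while big-router and subnet-router get `null`. ROUTES-d5 has the same gap for its "wrong tag" case. Recording the per-node advertised and approved routes next to `tags` would make the auto-approval decision part of the golden data, for example `"advertised_routes": [...]` and `"approved_routes": [...]` (key names constructed here, to be aligned with the driver). The driver may define those routes elsewhere, which this hunk does not show.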
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-d5_wrong_tag_not_approved", + "timestamp": "2026-03-17T16:17:42Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d5_wrong_tag_not_approved.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:router"], + "dst": ["192.168.1.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": 
null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d6_exit_node_auto_approval.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d6_exit_node_auto_approval.json new file mode 100644 index 00000000..e2621403 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d6_exit_node_auto_approval.json 
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-d6_exit_node_auto_approval", + "timestamp": "2026-03-17T16:17:53Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d6_exit_node_auto_approval.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + 
}, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d7_exit_auto_approval_wrong_tag.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d7_exit_auto_approval_wrong_tag.json new file mode 100644 index 00000000..0dc2fc22 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d7_exit_auto_approval_wrong_tag.json 
@@ -0,0 +1,318 @@ +{ + "test_id": "ROUTES-d7_exit_auto_approval_wrong_tag", + "timestamp": "2026-03-17T16:18:04Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d7_exit_auto_approval_wrong_tag.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:exit"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + 
"First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", 
"fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d8_auto_approval_acl_interaction.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d8_auto_approval_acl_interaction.json new file mode 100644 index 00000000..5cbe4d20 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d8_auto_approval_acl_interaction.json 
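Review bot: The `captures` block in ROUTES-d7_exit_auto_approval_wrong_tag records only `packet_filter_rules`, so the property in the test name (an exit route advertised under the wrong tag is not auto-approved) is not asserted by this file. The ACL is `tag:exit` to `*:*`, and all twelve nodes carry the same rule with the exit-node and multi-router addresses as `SrcIPs`, which would presumably look the same whether or not the route had been approved. ROUTES-e2, -e3 and (as far as its visible part shows) -e5 have the same gap: they repeat e1's policy and captures and differ only in `test_id`, `policy_file` and `timestamp`, while their names refer to AllowedIPs and primary selection. For a negative authorization case I would also capture the approval state, for example a per-node `"approved_routes": []` entry (field name constructed for this note), or rename the cases to what the filter data can show.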
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-d8_auto_approval_acl_interaction", + "timestamp": "2026-03-17T16:18:14Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d8_auto_approval_acl_interaction.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["10.33.0.0/16:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + 
"ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": 
null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-d9_auto_approval_triggers_on_advertise.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d9_auto_approval_triggers_on_advertise.json new file mode 100644 index 00000000..a99afd67 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-d9_auto_approval_triggers_on_advertise.json 
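Review bot: The expected result in ROUTES-d8_auto_approval_acl_interaction depends on state the fixture does not record. Only big-router and subnet-router receive the `10.33.0.0/16` port 22 rule, while multi-router also carries `tag:router` and gets `null`, and `topology.nodes` lists just hostname, tags and addresses. Presumably the difference is which nodes advertise and have approved `10.33.0.0/16`, which the routes driver then has to supply from outside the golden file. The same applies to d9 and e1–e4, where `SrcIPs` for `*` contain `10.0.0.0/8`, `10.33.0.0/16`, `172.16.0.0/24` and `192.168.1.0/24` with no source for them in the file. Recording each node's prefixes under `topology.nodes`, for example `"approved_routes": ["10.33.0.0/16"]` (field name and placement constructed for this note), would make a mismatch between driver setup and capture fail visibly.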
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-d9_auto_approval_triggers_on_advertise", + "timestamp": "2026-03-17T16:18:25Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_d9_auto_approval_triggers_on_advertise.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + 
"ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { 
+ "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-e1_ha_two_routers_same_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-e1_ha_two_routers_same_subnet.json new file mode 100644 index 00000000..147f37ec --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-e1_ha_two_routers_same_subnet.json 
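Review bot: The golden file keeps tenant identifiers from the capture. `api_endpoint` embeds the tailnet name, and `groups` and `tagOwners` hold the login names that the commit message says the driver rewrites to `@example.com` only at load time. No credential is visible in these lines, but rewriting at capture time would keep account identifiers out of the repository and let the driver drop its conversion step. For instance `"group:admins": ["admin@example.com"]` (constructed value), with `api_endpoint` reduced to a path template or removed. The same fields appear in every fixture visible in this patch.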
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-e1_ha_two_routers_same_subnet", + "timestamp": "2026-03-17T16:18:36Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_e1_ha_two_routers_same_subnet.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["192.168.1.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-e2_ha_primary_in_allowedips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-e2_ha_primary_in_allowedips.json new file mode 100644 index 00000000..7a1bef7c --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-e2_ha_primary_in_allowedips.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-e2_ha_primary_in_allowedips", + "timestamp": "2026-03-17T16:18:46Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_e2_ha_primary_in_allowedips.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["192.168.1.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-e3_ha_secondary_no_route_in_allowedips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-e3_ha_secondary_no_route_in_allowedips.json new file mode 100644 index 00000000..a1967538 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-e3_ha_secondary_no_route_in_allowedips.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-e3_ha_secondary_no_route_in_allowedips", + "timestamp": "2026-03-17T16:18:57Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_e3_ha_secondary_no_route_in_allowedips.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["192.168.1.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + 
"ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + 
"tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-e4_ha_both_get_filters_host_alias.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-e4_ha_both_get_filters_host_alias.json new file mode 100644 index 00000000..31874a95 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-e4_ha_both_get_filters_host_alias.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-e4_ha_both_get_filters_host_alias", + "timestamp": "2026-03-17T16:19:07Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_e4_ha_both_get_filters_host_alias.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["subnet24:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-e5_first_advertiser_is_primary.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-e5_first_advertiser_is_primary.json new file mode 100644 index 00000000..0376befc --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-e5_first_advertiser_is_primary.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-e5_first_advertiser_is_primary", + "timestamp": "2026-03-17T16:19:18Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_e5_first_advertiser_is_primary.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["192.168.1.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-f1_filter_on_destination_not_source.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f1_filter_on_destination_not_source.json new file mode 100644 index 00000000..7a7c7dc9 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f1_filter_on_destination_not_source.json 
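Review bot: The fixture stores the capture account's identifiers unredacted: `full_policy` lists `kristoffer@dalby.cc` and the `@passkey` logins, and `api_endpoint` embeds the tailnet name in the URL. The commit message says the routes driver rewrites these addresses to `@example.com` when loading, so the comparison does not seem to need the real values. I would redact them when the capture is written, storing the `@example.com` form directly and something like `"api_endpoint": "https://api.tailscale.com/api/v2/tailnet/<tailnet>/acl"`. The same fields repeat in the ROUTES-f1 to ROUTES-f5 files in this patch. No credential is visible in these captures, but it is worth confirming that the capture tooling cannot write request headers or API keys into this format.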
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-f1_filter_on_destination_not_source", + "timestamp": "2026-03-17T16:19:29Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_f1_filter_on_destination_not_source.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["10.33.0.0/16:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": 
"100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-f2_subnet_as_acl_source.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f2_subnet_as_acl_source.json new file mode 100644 index 00000000..5b98afb8 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f2_subnet_as_acl_source.json 
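Review bot: The file does not record which node advertises or has approved which route, yet the expected result depends on it: here only `big-router` and `subnet-router` receive the `10.33.0.0/16` rule, while `multi-router`, which also carries `tag:router`, gets `null`. `topology.nodes` holds only hostname, tags and addresses, so the route assignment presumably lives in the test driver outside this hunk, and drift between the two would surface as an unexplained mismatch. I would capture the per-node advertised and approved routes in the topology block next to `ipv4`/`ipv6` so each golden file is self-describing. The same applies to ROUTES-e5, where both HA routers get an identical filter and nothing in the file shows which one is primary, and to ROUTES-f3 and ROUTES-f5.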
@@ -0,0 +1,222 @@ +{ + "test_id": "ROUTES-f2_subnet_as_acl_source", + "timestamp": "2026-03-17T16:19:39Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_f2_subnet_as_acl_source.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["10.33.0.0/16"], + "dst": ["autogroup:member:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": ["10.33.0.0/16"], + "DstPorts": [ + { + "IP": "100.110.121.96", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::1737:7960", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": ["10.33.0.0/16"], + "DstPorts": [ + { + "IP": "100.103.90.82", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": 
"fd7a:115c:a1e0::9e37:5a52", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": ["10.33.0.0/16"], + "DstPorts": [ + { + "IP": "100.90.199.68", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::2d01:c747", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-f3_wildcard_src_specific_dst.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f3_wildcard_src_specific_dst.json new file mode 100644 index 00000000..907143de --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f3_wildcard_src_specific_dst.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-f3_wildcard_src_specific_dst", + "timestamp": "2026-03-17T16:19:50Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_f3_wildcard_src_specific_dst.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-f4_specific_src_wildcard_dst.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f4_specific_src_wildcard_dst.json new file mode 100644 index 00000000..b9beef80 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f4_specific_src_wildcard_dst.json 
@@ -0,0 +1,402 @@ +{ + "test_id": "ROUTES-f4_specific_src_wildcard_dst", + "timestamp": "2026-03-17T16:20:01Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_f4_specific_src_wildcard_dst.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:router"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + 
"100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-f5_bidirectional_subnet_access.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f5_bidirectional_subnet_access.json new file mode 100644 index 00000000..7cb0119f --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f5_bidirectional_subnet_access.json 
@@ -0,0 +1,267 @@ +{ + "test_id": "ROUTES-f5_bidirectional_subnet_access", + "timestamp": "2026-03-17T16:20:11Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_f5_bidirectional_subnet_access.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["10.33.0.0/16:*"] + }, + { + "action": "accept", + "src": ["10.33.0.0/16"], + "dst": ["autogroup:member:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": 
"multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + 
"tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": ["10.33.0.0/16"], + "DstPorts": [ + { + "IP": "100.110.121.96", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::1737:7960", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": ["10.33.0.0/16"], + "DstPorts": [ + { + "IP": "100.103.90.82", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::9e37:5a52", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": ["10.33.0.0/16"], + "DstPorts": [ + { + "IP": "100.90.199.68", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::2d01:c747", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-f6_filter_srcips_expansion.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f6_filter_srcips_expansion.json new file mode 100644 index 00000000..1a6b7ce5 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f6_filter_srcips_expansion.json 
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-f6_filter_srcips_expansion", + "timestamp": "2026-03-17T16:20:22Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_f6_filter_srcips_expansion.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["10.33.0.0/16:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + 
}, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-f7_filter_dstports_shows_acl_cidr.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f7_filter_dstports_shows_acl_cidr.json new file mode 100644 index 00000000..0c2b0a9e --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f7_filter_dstports_shows_acl_cidr.json 
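Review bot: The `input` block of this fixture commits the capture tailnet's real identifiers: `api_endpoint` carries the tailnet name (`kratail2tid%40passkey`), and `groups` and `tagOwners` carry the login names `kristoffer@dalby.cc`, `kratail2tid@passkey` and `monitorpasskeykradalby@passkey`. The commit message says the routes driver rewrites these to `@example.com` at load time. Applying that rewrite once in the capture tooling would keep account identifiers out of the repository and make the load-time conversion unnecessary. `api_endpoint` could be reduced to a placeholder if no assertion reads it; the driver is outside this view, so that needs confirming. The same applies to the f7, f8, f9, g1, g2, g3 and g4 fixtures that follow.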
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-f7_filter_dstports_shows_acl_cidr", + "timestamp": "2026-03-17T16:20:32Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_f7_filter_dstports_shows_acl_cidr.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.1.0/24:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-f8_route_enabled_acl_denies.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f8_route_enabled_acl_denies.json new file mode 100644 index 00000000..b3068be0 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f8_route_enabled_acl_denies.json 
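Review bot: The expected `SrcIPs` for `src: ["*"]` in this fixture list `10.0.0.0/8`, `10.33.0.0/16`, `172.16.0.0/24` and `192.168.1.0/24` beside the tailnet ranges, but `topology.nodes` records only hostname, tags and addresses, so nothing here says which node had which route approved at capture time. Those prefixes are narrower than the `autoApprovers` entries (`172.16.0.0/12`, `192.168.0.0/16`), which suggests they reflect the approved route set during capture; the driver must then recreate exactly that set, and any drift would surface as an unexplained packet-filter mismatch. Unless the driver already holds this state elsewhere, recording it per node, for example a proposed `"approved_routes": ["<prefix>"]` under each `topology.nodes` entry, would make the expectation self-describing. The same gap affects f9 (where `big-router` receives a rule for `10.99.0.0/16` while `subnet-router`, carrying the same `tag:router`, receives none), g2 and g3.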
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-f8_route_enabled_acl_denies", + "timestamp": "2026-03-17T16:20:43Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_f8_route_enabled_acl_denies.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["group:empty"], + "dst": ["10.33.0.0/16:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-f9_route_disabled_acl_allows.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f9_route_disabled_acl_allows.json new file mode 100644 index 00000000..b6af23d1 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-f9_route_disabled_acl_allows.json 
@@ -0,0 +1,183 @@ +{ + "test_id": "ROUTES-f9_route_disabled_acl_allows", + "timestamp": "2026-03-17T16:20:54Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_f9_route_disabled_acl_allows.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.99.0.0/16:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.99.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} 
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-g1_port_restriction_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g1_port_restriction_subnet.json new file mode 100644 index 00000000..5f0494a4 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g1_port_restriction_subnet.json 
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-g1_port_restriction_subnet", + "timestamp": "2026-03-17T16:21:04Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_g1_port_restriction_subnet.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["10.33.0.0/16:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + 
"tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-g2_port_range_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g2_port_range_subnet.json new file mode 100644 index 00000000..909377f0 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g2_port_range_subnet.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-g2_port_range_subnet", + "timestamp": "2026-03-17T16:21:15Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_g2_port_range_subnet.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:80-443"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 80, + "Last": 443 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 80, + "Last": 443 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-g3_multiple_ports_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g3_multiple_ports_subnet.json new file mode 100644 index 00000000..16fe82ac --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g3_multiple_ports_subnet.json 
@@ -0,0 +1,232 @@ +{ + "test_id": "ROUTES-g3_multiple_ports_subnet", + "timestamp": "2026-03-17T16:21:26Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_g3_multiple_ports_subnet.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:22,80,443"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + }, + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 80, + "Last": 80 + } + }, + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 443, + "Last": 443 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": 
"10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + }, + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 80, + "Last": 80 + } + }, + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 443, + "Last": 443 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-g4_protocol_icmp_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g4_protocol_icmp_subnet.json new file mode 100644 index 00000000..2bbb5b37 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g4_protocol_icmp_subnet.json 
@@ -0,0 +1,207 @@ +{ + "test_id": "ROUTES-g4_protocol_icmp_subnet", + "timestamp": "2026-03-17T16:21:36Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_g4_protocol_icmp_subnet.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:*"], + "proto": "icmp" + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ], + "IPProto": [1] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ], + "IPProto": [1] + } + ] + }, + "tagged-client": { + "packet_filter_rules": 
null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-g5_protocol_tcp_only.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g5_protocol_tcp_only.json new file mode 100644 index 00000000..a17515eb --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g5_protocol_tcp_only.json 
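Review bot: The `full_policy` and `api_endpoint` values in this fixture keep the capture account's real identifiers (`kratail2tid@passkey`, `kristoffer@dalby.cc`, `monitorpasskeykradalby@passkey`, and the tailnet name inside the URL) instead of neutral ones. The commit message says the routes driver rewrites `@passkey`/`@dalby.cc` to `@example.com` when loading, so the same substitution could presumably be applied once at capture time, which keeps personal logins out of the repository and removes a rewrite step that every later capture has to stay compatible with. For the endpoint, something like `"api_endpoint": "https://api.tailscale.com/api/v2/tailnet/<TAILNET_PLACEHOLDER>/acl"` would do, assuming the driver does not read that field. The same values recur in the g5–g8, h10, h11 and h1 fixtures in this patch.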
@@ -0,0 +1,207 @@ +{ + "test_id": "ROUTES-g5_protocol_tcp_only", + "timestamp": "2026-03-17T16:21:47Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_g5_protocol_tcp_only.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:22"], + "proto": "tcp" + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ], + "IPProto": [6] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ], + "IPProto": [6] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null 
+ }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-g6_protocol_udp_only.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g6_protocol_udp_only.json new file mode 100644 index 00000000..1d38c23e --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g6_protocol_udp_only.json 
@@ -0,0 +1,207 @@ +{ + "test_id": "ROUTES-g6_protocol_udp_only", + "timestamp": "2026-03-17T16:21:58Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_g6_protocol_udp_only.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:53"], + "proto": "udp" + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 53, + "Last": 53 + } + } + ], + "IPProto": [17] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 53, + "Last": 53 + } + } + ], + "IPProto": [17] + } + ] + }, + "tagged-client": { + "packet_filter_rules": 
null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-g7_all_ports_wildcard.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g7_all_ports_wildcard.json new file mode 100644 index 00000000..b210a82a --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g7_all_ports_wildcard.json 
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-g7_all_ports_wildcard", + "timestamp": "2026-03-17T16:22:08Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_g7_all_ports_wildcard.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["10.33.0.0/16:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + 
}, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-g8_default_ipproto.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g8_default_ipproto.json new file mode 100644 index 00000000..cf510d19 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-g8_default_ipproto.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-g8_default_ipproto", + "timestamp": "2026-03-17T16:22:19Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_g8_default_ipproto.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + 
"subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + 
"tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h10_very_small_prefix.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h10_very_small_prefix.json new file mode 100644 index 00000000..29d997ac --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h10_very_small_prefix.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-h10_very_small_prefix", + "timestamp": "2026-03-17T16:22:30Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h10_very_small_prefix.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.100/32:80"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.100", + "Ports": { + "First": 80, + "Last": 80 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.100", + "Ports": { + "First": 80, + "Last": 80 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h11_ipv6_small_prefix.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h11_ipv6_small_prefix.json new file mode 100644 index 00000000..4e0126ec --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h11_ipv6_small_prefix.json 
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-h11_ipv6_small_prefix", + "timestamp": "2026-03-17T16:22:40Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h11_ipv6_small_prefix.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["fd00::1/128:443"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" 
+ }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h1_wildcard_srcips_format.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h1_wildcard_srcips_format.json new file mode 100644 index 00000000..21bd80a5 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h1_wildcard_srcips_format.json 
@@ -0,0 +1,246 @@ +{ + "test_id": "ROUTES-h1_wildcard_srcips_format", + "timestamp": "2026-03-17T16:22:51Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h1_wildcard_srcips_format.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["tag:router:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.97.174.21", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::5137:ae15", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.119.241.111", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3337:f16f", + "Ports": { + 
"First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.92.142.61", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3e37:8e3d", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h2_wildcard_dstports_format.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h2_wildcard_dstports_format.json new file mode 100644 index 00000000..2b055074 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h2_wildcard_dstports_format.json 
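Review bot: The `input` block of ROUTES-h1_wildcard_srcips_format.json commits live account identifiers verbatim: `kristoffer@dalby.cc` in `group:developers` and the tailnet name inside `api_endpoint`, and the same block is repeated in every capture file in this patch. The commit message says the driver rewrites `@passkey`/`@dalby.cc` to `@example.com` at load time, so the test already depends on a substitution; doing it once at capture time would keep the personal address and tailnet name out of the repository and remove the driver's dependence on one account's naming. For instance `"group:developers": ["user2@example.com", "user1@example.com"]` and `"api_endpoint": "https://api.tailscale.com/api/v2/tailnet/<tailnet>/acl"` (constructed values). If the raw values are kept deliberately for provenance, a short README next to the fixtures saying so would make that an explicit decision.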
@@ -0,0 +1,402 @@ +{ + "test_id": "ROUTES-h2_wildcard_dstports_format", + "timestamp": "2026-03-17T16:23:01Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h2_wildcard_dstports_format.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + 
"100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h3_cgnat_range_expansion.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h3_cgnat_range_expansion.json new file mode 100644 index 00000000..0a813f6c --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h3_cgnat_range_expansion.json 
@@ -0,0 +1,246 @@ +{ + "test_id": "ROUTES-h3_cgnat_range_expansion", + "timestamp": "2026-03-17T16:23:12Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h3_cgnat_range_expansion.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["tag:router:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.97.174.21", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::5137:ae15", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.119.241.111", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3337:f16f", + "Ports": { + 
"First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.92.142.61", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3e37:8e3d", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h4_ipv6_range_in_srcips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h4_ipv6_range_in_srcips.json new file mode 100644 index 00000000..8d60118f --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h4_ipv6_range_in_srcips.json 
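Review bot: The policy in ROUTES-h3_cgnat_range_expansion.json (`"src": ["*"]`, `"dst": ["tag:router:*"]`) and all twelve captures are identical to ROUTES-h1_wildcard_srcips_format.json earlier in this patch; only `test_id`, `timestamp` and `policy_file` differ, so as data the two cases cannot diverge. The name presumably refers to the split `100.64.0.0-100.115.91.255` / `100.115.94.0-100.127.255.255` in `SrcIPs`, which leaves out 100.115.92.0/23 (likely Tailscale's ChromeOS VM range), but JSON cannot carry that explanation. I would state in the test driver or a README beside the fixtures which property each `h*` case pins, e.g. `// h3: wildcard src expands to CGNAT minus 100.115.92.0/23, emitted as two ranges`. Route prefixes such as `10.33.0.0/16` and `172.16.0.0/24` in `SrcIPs` are also not traceable to anything in `topology`, which records tags and addresses but no advertised or approved routes.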
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-h4_ipv6_range_in_srcips", + "timestamp": "2026-03-17T16:23:23Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h4_ipv6_range_in_srcips.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + 
"subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h5_subnet_overlaps_cgnat.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h5_subnet_overlaps_cgnat.json new file mode 100644 index 00000000..e999e39a --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h5_subnet_overlaps_cgnat.json 
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-h5_subnet_overlaps_cgnat", + "timestamp": "2026-03-17T16:23:33Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h5_subnet_overlaps_cgnat.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["100.64.0.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h6_loopback_routes_not_distributed.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h6_loopback_routes_not_distributed.json new file mode 100644 index 00000000..aa221e85 --- /dev/null 
+++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h6_loopback_routes_not_distributed.json 
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-h6_loopback_routes_not_distributed", + "timestamp": "2026-03-17T16:23:44Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h6_loopback_routes_not_distributed.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["127.0.0.1/32:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h7_two_nodes_same_subnet.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h7_two_nodes_same_subnet.json new file mode 100644 index 00000000..1e4ec0e3 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h7_two_nodes_same_subnet.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-h7_two_nodes_same_subnet", + "timestamp": "2026-03-17T16:23:55Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h7_two_nodes_same_subnet.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["192.168.1.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h8_cgnat_overlap_blocked.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h8_cgnat_overlap_blocked.json new file mode 100644 index 00000000..56a8b68d --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h8_cgnat_overlap_blocked.json 
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-h8_cgnat_overlap_blocked", + "timestamp": "2026-03-17T16:24:05Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h8_cgnat_overlap_blocked.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["100.100.0.0/16:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-h9_large_prefix_works.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h9_large_prefix_works.json new file mode 100644 index 00000000..7006b5b9 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-h9_large_prefix_works.json 
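Review bot: Every node under `captures` has `"packet_filter_rules": null`, so this fixture expects an empty filter on all 12 nodes for the CGNAT-range destination `100.100.0.0/16`. Nothing in the file distinguishes "the node reported no rules" from "the capture returned nothing", since only `"api_response_code": 200` for the policy upload is recorded. ROUTES-h6_loopback_routes_not_distributed earlier in this patch has the same all-null shape. These are the negative cases meant to show that a route is not distributed, so a silent capture failure would be stored as a passing expectation. I would record a per-node capture status next to the rules, for example `"capture_error": null` (suggested field name, not part of the current format), and have the driver reject a fixture that lacks it.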
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-h9_large_prefix_works", + "timestamp": "2026-03-17T16:24:16Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_h9_large_prefix_works.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["10.0.0.0/8:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.0.0.0/8", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "10.0.0.0/8", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + 
"tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-i1_ipv6_subnet_route.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i1_ipv6_subnet_route.json new file mode 100644 index 00000000..7c4d98f8 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i1_ipv6_subnet_route.json 
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-i1_ipv6_subnet_route", + "timestamp": "2026-03-17T16:24:27Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_i1_ipv6_subnet_route.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + 
"subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-i2_ipv6_exit_route.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i2_ipv6_exit_route.json new file mode 100644 index 00000000..0b78700e --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i2_ipv6_exit_route.json 
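Review bot: The only IPv6 entry anywhere in this file's `captures` is the tailnet ULA `fd7a:115c:a1e0::/48`. No IPv6 subnet prefix appears in `SrcIPs` or `DstPorts`, and `topology.nodes` lists only hostname, tags and addresses, so the fixture does not show that an IPv6 route was advertised or approved. ROUTES-i2_ipv6_exit_route in the next hunk uses the same `*` to `*:*` policy and, as far as the visible lines show, identical per-node rules, so the two files pin the same output. Unless the driver supplies route state from elsewhere, a regression in IPv6 route handling would change neither expectation. I would record each node's routes in the fixture, e.g. `"approved_routes": ["<ipv6-prefix>"]` (suggested field, placeholder value), and use an ACL whose output depends on that route.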
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-i2_ipv6_exit_route", + "timestamp": "2026-03-17T16:24:37Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_i2_ipv6_exit_route.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + 
"subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-i3_ipv6_in_wildcard_srcips.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i3_ipv6_in_wildcard_srcips.json new file mode 100644 index 00000000..a38dd7c6 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i3_ipv6_in_wildcard_srcips.json 
@@ -0,0 +1,246 @@ +{ + "test_id": "ROUTES-i3_ipv6_in_wildcard_srcips", + "timestamp": "2026-03-17T16:24:48Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_i3_ipv6_in_wildcard_srcips.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["tag:router:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.97.174.21", + "Ports": { + "First": 22, + "Last": 22 + } + }, + { + "IP": "fd7a:115c:a1e0::5137:ae15", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.119.241.111", + "Ports": { + "First": 22, + "Last": 22 + } + }, + { + "IP": "fd7a:115c:a1e0::3337:f16f", + "Ports": { + "First": 
22, + "Last": 22 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.92.142.61", + "Ports": { + "First": 22, + "Last": 22 + } + }, + { + "IP": "fd7a:115c:a1e0::3e37:8e3d", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-i4_ipv6_specific_acl.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i4_ipv6_specific_acl.json new file mode 100644 index 00000000..38195910 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i4_ipv6_specific_acl.json 
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-i4_ipv6_specific_acl", + "timestamp": "2026-03-17T16:24:59Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_i4_ipv6_specific_acl.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["fd00:1::/64:443"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + 
}, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-i5_ipv6_parent_child_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i5_ipv6_parent_child_routes.json new file mode 100644 index 00000000..2c75e750 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i5_ipv6_parent_child_routes.json 
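Review bot: This fixture commits the capture account's real identifiers and relies on the test driver to rewrite them at load time: `kratail2tid@passkey`, `kristoffer@dalby.cc` and `monitorpasskeykradalby@passkey` in `groups`/`tagOwners`, plus the tailnet name inside `api_endpoint`. Sanitising in the capture step instead would keep them out of the repository and its history. For example, the endpoint line could be stored as `"api_endpoint": "https://api.tailscale.com/api/v2/tailnet/<TAILNET>/acl"` (placeholder), or dropped if the tests do not read it. The same values appear in the other routes_results files in this part of the patch (ROUTES-i5, -i6, -i7, -o10, -o11, -o12, -o1), so one change to the capture script would cover them all.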
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-i5_ipv6_parent_child_routes", + "timestamp": "2026-03-17T16:25:09Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_i5_ipv6_parent_child_routes.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["fd00:1:2::/80:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-i6_dual_stack_node.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i6_dual_stack_node.json new file mode 100644 index 00000000..185e7116 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i6_dual_stack_node.json 
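Review bot: Every node under `captures` is `"packet_filter_rules": null`, and nothing in the file shows that the query succeeded or that the fixed `"propagation_wait_seconds": 10` was long enough for the new policy to reach the nodes. When the whole expectation is "no rule on any node" (also ROUTES-i4, ROUTES-i7 and ROUTES-o11), a capture that failed or ran too early looks identical to a correct one. The wrong expectation would then be enforced on the filter compiler as authoritative. A per-node success marker written by the capture tool, for instance a suggested field such as `"capture_ok": true` next to `packet_filter_rules`, would let the driver reject incomplete captures.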
@@ -0,0 +1,209 @@ +{ + "test_id": "ROUTES-i6_dual_stack_node", + "timestamp": "2026-03-17T16:25:20Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_i6_dual_stack_node.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:*"] + }, + { + "action": "accept", + "src": ["*"], + "dst": ["fd00:1::/64:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], 
+ "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + 
"packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-i7_ipv6_exit_coverage.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i7_ipv6_exit_coverage.json new file mode 100644 index 00000000..d4539ac0 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-i7_ipv6_exit_coverage.json 
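Review bot: The `captures` contain only the `10.33.0.0/16` rule; the second ACL entry, `"dst": ["fd00:1::/64:*"]`, produces nothing on any node, and the only IPv6 prefix in `SrcIPs` is `fd7a:115c:a1e0::/48`. This suggests that no node in the 12-node setup has an approved IPv6 subnet route, though that is inferred from the captures because `topology` does not record advertised routes. If so, this case, ROUTES-i4 and ROUTES-i5 exercise only the "destination not covered" path, as ROUTES-o11 does for IPv4. If IPv6 route matching is meant to be covered, a capture with an approved `fd00:1::/64` route is needed. Recording each node's approved routes, for example a suggested `"approved_routes": ["10.33.0.0/16"]` entry under `topology.nodes`, would make the expectation checkable from the file alone.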
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-i7_ipv6_exit_coverage", + "timestamp": "2026-03-17T16:25:31Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_i7_ipv6_exit_coverage.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["2001:db8::/32:443"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o10_acl_dest_covered_by_multiple.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o10_acl_dest_covered_by_multiple.json new file mode 100644 index 00000000..1f06fdd5 --- /dev/null 
+++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o10_acl_dest_covered_by_multiple.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-o10_acl_dest_covered_by_multiple", + "timestamp": "2026-03-17T16:25:41Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o10_acl_dest_covered_by_multiple.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.1.0/24:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o11_acl_dest_not_covered.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o11_acl_dest_not_covered.json new file mode 100644 index 00000000..7a7347c3 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o11_acl_dest_not_covered.json 
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-o11_acl_dest_not_covered", + "timestamp": "2026-03-17T16:25:52Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o11_acl_dest_not_covered.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["192.168.99.0/24:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o12_filter_dest_is_acl_cidr.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o12_filter_dest_is_acl_cidr.json new file mode 100644 index 00000000..5d560eb8 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o12_filter_dest_is_acl_cidr.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-o12_filter_dest_is_acl_cidr", + "timestamp": "2026-03-17T16:26:03Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o12_filter_dest_is_acl_cidr.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.1.0/24:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o1_overlapping_routes_not_merged.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o1_overlapping_routes_not_merged.json new file mode 100644 index 00000000..15820382 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o1_overlapping_routes_not_merged.json 
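Review bot: Apart from `test_id`, `timestamp` and `policy_file`, this fixture is identical to ROUTES-o10_acl_dest_covered_by_multiple. Both have the same `full_policy` with `"dst": ["10.33.1.0/24:22"]` and the same two rules on big-router and subnet-router. If the two cases are meant to assert different properties, that difference is not visible in the data. A short `"description"` field (suggested name) stating what each case checks would explain why both exist; otherwise one of them could be dropped.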
@@ -0,0 +1,414 @@ +{ + "test_id": "ROUTES-o1_overlapping_routes_not_merged", + "timestamp": "2026-03-17T16:26:13Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o1_overlapping_routes_not_merged.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } 
+ ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + 
] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o2_ha_routers_both_get_filter.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o2_ha_routers_both_get_filter.json new file mode 100644 index 00000000..6a5af3e7 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o2_ha_routers_both_get_filter.json 
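Review bot: The stored capture keeps the real account logins and the tailnet name: `kratail2tid@passkey`, `kristoffer@dalby.cc` and `monitorpasskeykradalby@passkey` appear under `groups` and `tagOwners`, and `api_endpoint` embeds the tailnet id in its path. The commit message says the routes driver rewrites these to `@example.com` when it loads the file, which protects the test run but not the repository contents. Consider sanitising at capture time instead, storing for example `"group:admins": ["kratail2tid@example.com"]` (or whatever form the driver maps to) and `"api_endpoint": "https://api.tailscale.com/api/v2/tailnet/<TAILNET>/acl"`. The same values recur in the ROUTES-o2 to ROUTES-o7 files later in this patch.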
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-o2_ha_routers_both_get_filter", + "timestamp": "2026-03-17T16:26:24Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o2_ha_routers_both_get_filter.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["192.168.1.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o3_parent_child_different_nodes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o3_parent_child_different_nodes.json new file mode 100644 index 00000000..5911c08c --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o3_parent_child_different_nodes.json 
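Review bot: Nothing in this file records which node advertises or has approval for `192.168.1.0/24`. Each entry under `topology.nodes` carries only `hostname`, `tags`, `ipv4` and `ipv6`, yet the expected result is that exactly `ha-router1` and `ha-router2` receive the rule. The expectation therefore rests on route state kept outside the fixture (presumably in the test driver), and drift there would silently change which nodes the test accepts as recipients of a filter. I would record it next to the data, for example a per-node `"approved_routes": [...]` list (constructed key name; use whatever the driver already understands), or a comment in the driver listing the routes each of the twelve nodes holds. ROUTES-o3, -o4, -o5 and -o7 have the same gap.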
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-o3_parent_child_different_nodes", + "timestamp": "2026-03-17T16:26:34Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o3_parent_child_different_nodes.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.1.0/24:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o4_three_way_hierarchy.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o4_three_way_hierarchy.json new file mode 100644 index 00000000..05fada14 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o4_three_way_hierarchy.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-o4_three_way_hierarchy", + "timestamp": "2026-03-17T16:26:45Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o4_three_way_hierarchy.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.1.128/25:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.128/25", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.128/25", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o5_sibling_routes_with_parent_acl.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o5_sibling_routes_with_parent_acl.json new file mode 100644 index 00000000..41497386 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o5_sibling_routes_with_parent_acl.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-o5_sibling_routes_with_parent_acl", + "timestamp": "2026-03-17T16:26:56Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o5_sibling_routes_with_parent_acl.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.0.0.0/8:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.0.0.0/8", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.0.0.0/8", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o6_exit_route_expands_filter_dist.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o6_exit_route_expands_filter_dist.json new file mode 100644 index 00000000..73ac8f83 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o6_exit_route_expands_filter_dist.json 
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-o6_exit_route_expands_filter_dist", + "timestamp": "2026-03-17T16:27:06Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o6_exit_route_expands_filter_dist.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["8.8.8.0/24:53"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o7_specific_ip_targeting.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o7_specific_ip_targeting.json new file mode 100644 index 00000000..c952cb5e --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o7_specific_ip_targeting.json 
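Review bot: Every node in `captures` has `"packet_filter_rules": null`, which the test id `ROUTES-o6_exit_route_expands_filter_dist` does not lead a reader to expect for an ACL whose `dst` is `8.8.8.0/24:53`. If the intent is that an exit route must not cause any node to receive this rule, that should be stated somewhere. A golden file asserting "no filter anywhere" looks the same as a capture taken before the policy had propagated, and the file relies on a fixed `propagation_wait_seconds` of 10. A short comment at the matching case in the driver would do, e.g. `// o6: dst is covered only by exit routes; SaaS sends no filter to any node`. Please confirm that reading against the capture before adding it.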
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-o7_specific_ip_targeting", + "timestamp": "2026-03-17T16:27:17Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o7_specific_ip_targeting.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.100/32:80"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.100", + "Ports": { + "First": 80, + "Last": 80 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.100", + "Ports": { + "First": 80, + "Last": 80 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o8_same_node_overlapping_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o8_same_node_overlapping_routes.json new file mode 100644 index 00000000..50ff4a0b --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o8_same_node_overlapping_routes.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-o8_same_node_overlapping_routes", + "timestamp": "2026-03-17T16:27:28Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o8_same_node_overlapping_routes.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.1.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-o9_different_nodes_same_route.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o9_different_nodes_same_route.json new file mode 100644 index 00000000..6f3487f6 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-o9_different_nodes_same_route.json 
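Review bot: The fixture stores the capturing account's identifiers verbatim: `groups` and `tagOwners` list `kratail2tid@passkey`, `kristoffer@dalby.cc` and `monitorpasskeykradalby@passkey`, and `api_endpoint` embeds the tailnet name. The commit message says the driver rewrites these addresses to @example.com at load time, so the raw values appear to have no use in the repository. Scrubbing them in the capture tooling before the file is written would keep real login names out of history, for example `"api_endpoint": "https://api.tailscale.com/api/v2/tailnet/<TAILNET>/acl"` with a placeholder. The same values recur in the o9 and r1 to r6 files later in this patch.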
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-o9_different_nodes_same_route", + "timestamp": "2026-03-17T16:27:38Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_o9_different_nodes_same_route.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["autogroup:member"], + "dst": ["192.168.1.0/24:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + 
"ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.103.90.82", + "100.110.121.96", + "100.90.199.68", + "fd7a:115c:a1e0::1737:7960", + "fd7a:115c:a1e0::2d01:c747", + "fd7a:115c:a1e0::9e37:5a52" + ], + "DstPorts": [ + { + "IP": "192.168.1.0/24", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-r1_exit_covers_external_dest.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r1_exit_covers_external_dest.json new file mode 100644 index 00000000..d57387bd --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r1_exit_covers_external_dest.json 
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-r1_exit_covers_external_dest", + "timestamp": "2026-03-17T16:27:49Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_r1_exit_covers_external_dest.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["8.8.8.0/24:53"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-r2_parent_route_covers_child_dest.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r2_parent_route_covers_child_dest.json new file mode 100644 index 00000000..949d5e6f --- /dev/null 
+++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r2_parent_route_covers_child_dest.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-r2_parent_route_covers_child_dest", + "timestamp": "2026-03-17T16:27:59Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_r2_parent_route_covers_child_dest.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.1.0/24:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-r3_sibling_routes_no_coverage.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r3_sibling_routes_no_coverage.json new file mode 100644 index 00000000..5b07d60f --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r3_sibling_routes_no_coverage.json 
@@ -0,0 +1,183 @@ +{ + "test_id": "ROUTES-r3_sibling_routes_no_coverage", + "timestamp": "2026-03-17T16:28:10Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_r3_sibling_routes_no_coverage.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.34.0.0/16:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.34.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} 
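Review bot: The test id says `no_coverage`, yet `captures.big-router` holds an accept rule for `10.34.0.0/16` port 22 while `subnet-router` is null, and nothing in the file explains the difference. `topology.nodes` records only hostname, tags and addresses, so the routes each node advertises or has approved must come from somewhere outside the fixture. Recording them per node at capture time, for example a field such as `"approved_routes": ["<CIDR>"]` (name and value are placeholders), would make the expected filter placement checkable from the file alone. The `10.0.0.0/8` and `10.33.0.0/16` entries in `SrcIPs` hint at which routes are involved, but that is inference. The other routes_results files in this patch have the same gap.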
diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-r4_exact_match_route.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r4_exact_match_route.json new file mode 100644 index 00000000..e35066d5 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r4_exact_match_route.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-r4_exact_match_route", + "timestamp": "2026-03-17T16:28:21Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_r4_exact_match_route.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": "fd7a:115c:a1e0::3337:f16f" + 
}, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + 
"tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-r5_route_coverage_check_logic.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r5_route_coverage_check_logic.json new file mode 100644 index 00000000..6ed33318 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r5_route_coverage_check_logic.json 
@@ -0,0 +1,204 @@ +{ + "test_id": "ROUTES-r5_route_coverage_check_logic", + "timestamp": "2026-03-17T16:28:31Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_r5_route_coverage_check_logic.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.1.0/24:22"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.1.0/24", + "Ports": { + "First": 22, + "Last": 22 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + 
"packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-r6_ipv6_route_coverage.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r6_ipv6_route_coverage.json new file mode 100644 index 00000000..69ba9e54 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r6_ipv6_route_coverage.json 
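Review bot: This case adds no coverage beyond ROUTES-r2_parent_route_covers_child_dest: both use `"src": ["*"]` with `"dst": ["10.33.1.0/24:22"]`, and the captured rules for big-router and subnet-router are identical in the two files. If r5 is meant to exercise a different branch of the route-coverage check, its policy needs a destination r2 does not use and a fresh capture. Otherwise one of the two files can be dropped, so that a regression in that branch is not hidden behind a passing duplicate.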
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-r6_ipv6_route_coverage", + "timestamp": "2026-03-17T16:28:42Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_r6_ipv6_route_coverage.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["fd7a:115c:a1e0::1/128:443"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-r7_exit_ipv6_coverage.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r7_exit_ipv6_coverage.json new file mode 100644 index 00000000..df313669 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r7_exit_ipv6_coverage.json 
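Review bot: The new golden file keeps the capturing account's identifiers at rest: `full_policy.groups` and `tagOwners` hold `kristoffer@dalby.cc` and `kratail2tid@passkey`, and `api_endpoint` embeds the tailnet name. The commit message says the routes driver rewrites these to @example.com when loading, which cleans up what the tests see but leaves the originals in the repository. Scrubbing at capture time would avoid that, for example `"group:developers": ["user2@example.com", "user1@example.com"]` (constructed addresses; the mapping has to match whatever the driver expects), and dropping or genericising `api_endpoint`. The same fields appear in the r7, r8, t1, t2 and t3 files that follow.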
@@ -0,0 +1,162 @@ +{ + "test_id": "ROUTES-r7_exit_ipv6_coverage", + "timestamp": "2026-03-17T16:28:53Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_r7_exit_ipv6_coverage.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["2001:db8::1/128:443"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-r8_mixed_ipv4_ipv6_coverage.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r8_mixed_ipv4_ipv6_coverage.json new file mode 100644 index 00000000..a6bf9586 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-r8_mixed_ipv4_ipv6_coverage.json 
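Review bot: All 12 captures in this file are `"packet_filter_rules": null`, and `topology.nodes` records only hostname, tags and addresses, so the file does not show which nodes had `::/0` or a subnet route approved at capture time. Unless the driver supplies that state from elsewhere, a reader cannot tell "an approved exit route does not attract a filter for `2001:db8::1/128`" from "no exit route was active". A comparison against this file presumably also passes for an implementation that emits no rules at all. Recording the route state per node would make the expectation self-describing, e.g. `"approved_routes": ["0.0.0.0/0", "::/0"]` under `exit-node` (a suggested field name, not an existing key). The r6 file has the same all-null shape, and in r8 the `10.33.0.0/16` destination reaches only big-router and subnet-router for reasons the file likewise does not record.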
@@ -0,0 +1,428 @@ +{ + "test_id": "ROUTES-r8_mixed_ipv4_ipv6_coverage", + "timestamp": "2026-03-17T16:29:03Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_r8_mixed_ipv4_ipv6_coverage.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["10.33.0.0/16:*", "fd7a:115c:a1e0::/64:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + 
"ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + 
"192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "10.33.0.0/16", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, 
+ "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "fd7a:115c:a1e0::/64", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-t1_tags_resolve_to_ips_not_routes.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-t1_tags_resolve_to_ips_not_routes.json new file mode 100644 index 00000000..5670c46b --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-t1_tags_resolve_to_ips_not_routes.json 
@@ -0,0 +1,243 @@ +{ + "test_id": "ROUTES-t1_tags_resolve_to_ips_not_routes", + "timestamp": "2026-03-17T16:29:14Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_t1_tags_resolve_to_ips_not_routes.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:router"], + "dst": ["tag:router:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + 
"ipv6": "fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "100.97.174.21", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::5137:ae15", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "100.119.241.111", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3337:f16f", + "Ports": { + "First": 0, + 
"Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "100.92.142.61", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3e37:8e3d", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-t2_tag_to_tag_with_exit.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-t2_tag_to_tag_with_exit.json new file mode 100644 index 00000000..a3199340 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-t2_tag_to_tag_with_exit.json 
@@ -0,0 +1,202 @@ +{ + "test_id": "ROUTES-t2_tag_to_tag_with_exit", + "timestamp": "2026-03-17T16:29:24Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_t2_tag_to_tag_with_exit.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:exit"], + "dst": ["tag:exit:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "100.85.66.106", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::7c37:426a", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": ["100.119.241.111", "100.85.66.106", "fd7a:115c:a1e0::3337:f16f", "fd7a:115c:a1e0::7c37:426a"], + "DstPorts": [ + { + "IP": "100.119.241.111", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3337:f16f", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + 
"packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-t3_tag_src_includes_all_tagged.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-t3_tag_src_includes_all_tagged.json new file mode 100644 index 00000000..2a9aa8d1 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-t3_tag_src_includes_all_tagged.json 
@@ -0,0 +1,402 @@ +{ + "test_id": "ROUTES-t3_tag_src_includes_all_tagged", + "timestamp": "2026-03-17T16:29:35Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_t3_tag_src_includes_all_tagged.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:router"], + "dst": ["*:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + 
"packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-client": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-prod": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "tagged-server": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-kris": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + 
"100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user-mon": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "user1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "*", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-t4_tag_dst_includes_all_tagged.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-t4_tag_dst_includes_all_tagged.json new file mode 100644 index 00000000..d937f639 --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-t4_tag_dst_includes_all_tagged.json 
@@ -0,0 +1,218 @@ +{ + "test_id": "ROUTES-t4_tag_dst_includes_all_tagged", + "timestamp": "2026-03-17T16:29:46Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_t4_tag_dst_includes_all_tagged.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["*"], + "dst": ["tag:ha:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": null + }, + "ha-router1": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.121.186.70", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::6737:ba46", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router2": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "10.0.0.0/8", + "10.33.0.0/16", + "100.115.94.0-100.127.255.255", + "100.64.0.0-100.115.91.255", + "172.16.0.0/24", + "192.168.1.0/24", + "fd7a:115c:a1e0::/48" + ], + "DstPorts": [ + { + "IP": "100.117.104.82", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::7437:6852", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + 
"multi-router": { + "packet_filter_rules": null + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +} diff --git a/hscontrol/policy/v2/testdata/routes_results/ROUTES-t5_multi_tag_node_in_both.json b/hscontrol/policy/v2/testdata/routes_results/ROUTES-t5_multi_tag_node_in_both.json new file mode 100644 index 00000000..40743abd --- /dev/null +++ b/hscontrol/policy/v2/testdata/routes_results/ROUTES-t5_multi_tag_node_in_both.json 
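Review bot: The `input.full_policy` and `api_endpoint` fields of this fixture commit the capture account's real identifiers: `kristoffer@dalby.cc`, the `@passkey` logins, and the tailnet name inside `https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl`. ROUTES-t5_multi_tag_node_in_both.json repeats the same values. The commit message says the routes driver rewrites these emails to @example.com when the file is loaded, so the tests would presumably behave the same if that rewrite were applied once at capture time, leaving only `@example.com` users and a placeholder such as `tailnet/<TAILNET>/acl` in the stored JSON. If the node addresses have to stay because `SrcIPs` and `DstPorts` are compared literally, it is worth documenting next to the loader that the capture tailnet is a dedicated test tenant, so nobody later treats these fixtures as safe to regenerate from a production tailnet.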
@@ -0,0 +1,216 @@ +{ + "test_id": "ROUTES-t5_multi_tag_node_in_both", + "timestamp": "2026-03-17T16:29:56Z", + "propagation_wait_seconds": 10, + "input": { + "policy_file": "routes_policies/routes_t5_multi_tag_node_in_both.json", + "full_policy": { + "groups": { + "group:admins": ["kratail2tid@passkey"], + "group:developers": ["kristoffer@dalby.cc", "kratail2tid@passkey"], + "group:monitors": ["monitorpasskeykradalby@passkey"], + "group:empty": [] + }, + "tagOwners": { + "tag:server": ["kratail2tid@passkey"], + "tag:prod": ["kratail2tid@passkey"], + "tag:client": ["kratail2tid@passkey"], + "tag:router": ["kratail2tid@passkey"], + "tag:exit": ["kratail2tid@passkey"], + "tag:ha": ["kratail2tid@passkey"] + }, + "hosts": { + "webserver": "100.108.74.26", + "prodbox": "100.103.8.15", + "internal": "10.0.0.0/8", + "subnet24": "192.168.1.0/24" + }, + "autoApprovers": { + "routes": { + "10.0.0.0/8": ["tag:router"], + "172.16.0.0/12": ["tag:router"], + "192.168.0.0/16": ["tag:ha"], + "0.0.0.0/0": ["tag:exit"], + "::/0": ["tag:exit"] + } + }, + "acls": [ + { + "action": "accept", + "src": ["tag:router"], + "dst": ["tag:exit:*"] + } + ] + }, + "api_endpoint": "https://api.tailscale.com/api/v2/tailnet/kratail2tid%40passkey/acl", + "api_response_code": 200 + }, + "topology": { + "nodes": { + "big-router": { + "hostname": "big-router", + "tags": ["tag:router"], + "ipv4": "100.97.174.21", + "ipv6": "fd7a:115c:a1e0::5137:ae15" + }, + "exit-node": { + "hostname": "exit-node", + "tags": ["tag:exit"], + "ipv4": "100.85.66.106", + "ipv6": "fd7a:115c:a1e0::7c37:426a" + }, + "ha-router1": { + "hostname": "ha-router1", + "tags": ["tag:ha"], + "ipv4": "100.121.186.70", + "ipv6": "fd7a:115c:a1e0::6737:ba46" + }, + "ha-router2": { + "hostname": "ha-router2", + "tags": ["tag:ha"], + "ipv4": "100.117.104.82", + "ipv6": "fd7a:115c:a1e0::7437:6852" + }, + "multi-router": { + "hostname": "multi-router", + "tags": ["tag:exit", "tag:router"], + "ipv4": "100.119.241.111", + "ipv6": 
"fd7a:115c:a1e0::3337:f16f" + }, + "subnet-router": { + "hostname": "subnet-router", + "tags": ["tag:router"], + "ipv4": "100.92.142.61", + "ipv6": "fd7a:115c:a1e0::3e37:8e3d" + }, + "tagged-client": { + "hostname": "tagged-client", + "tags": ["tag:client"], + "ipv4": "100.83.200.69", + "ipv6": "fd7a:115c:a1e0::c537:c845" + }, + "tagged-prod": { + "hostname": "tagged-prod", + "tags": ["tag:prod"], + "ipv4": "100.103.8.15", + "ipv6": "fd7a:115c:a1e0::5b37:80f" + }, + "tagged-server": { + "hostname": "tagged-server", + "tags": ["tag:server"], + "ipv4": "100.108.74.26", + "ipv6": "fd7a:115c:a1e0::b901:4a87" + }, + "user-kris": { + "hostname": "user-kris", + "tags": [], + "ipv4": "100.110.121.96", + "ipv6": "fd7a:115c:a1e0::1737:7960" + }, + "user-mon": { + "hostname": "user-mon", + "tags": [], + "ipv4": "100.103.90.82", + "ipv6": "fd7a:115c:a1e0::9e37:5a52" + }, + "user1": { + "hostname": "user1", + "tags": [], + "ipv4": "100.90.199.68", + "ipv6": "fd7a:115c:a1e0::2d01:c747" + } + } + }, + "captures": { + "big-router": { + "packet_filter_rules": null + }, + "exit-node": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "100.85.66.106", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::7c37:426a", + "Ports": { + "First": 0, + "Last": 65535 + } + } + ] + } + ] + }, + "ha-router1": { + "packet_filter_rules": null + }, + "ha-router2": { + "packet_filter_rules": null + }, + "multi-router": { + "packet_filter_rules": [ + { + "SrcIPs": [ + "100.119.241.111", + "100.92.142.61", + "100.97.174.21", + "fd7a:115c:a1e0::3337:f16f", + "fd7a:115c:a1e0::3e37:8e3d", + "fd7a:115c:a1e0::5137:ae15" + ], + "DstPorts": [ + { + "IP": "100.119.241.111", + "Ports": { + "First": 0, + "Last": 65535 + } + }, + { + "IP": "fd7a:115c:a1e0::3337:f16f", + "Ports": { + "First": 0, + "Last": 
65535 + } + } + ] + } + ] + }, + "subnet-router": { + "packet_filter_rules": null + }, + "tagged-client": { + "packet_filter_rules": null + }, + "tagged-prod": { + "packet_filter_rules": null + }, + "tagged-server": { + "packet_filter_rules": null + }, + "user-kris": { + "packet_filter_rules": null + }, + "user-mon": { + "packet_filter_rules": null + }, + "user1": { + "packet_filter_rules": null + } + } +}