policy: include IPv6 in identity-based alias resolution

AppendToIPSet now adds both IPv4 and IPv6 addresses for nodes, matching Tailscale's FilterRule wire format where identity-based aliases (tags, users, groups, autogroups) resolve to both address families. Update ReduceFilterRules test expectations to include IPv6 entries. Updates #2180
2026-04-28 19:47:22 +02:00 · 2026-03-18 10:24:30 +00:00
parent 500442c8f1
commit 93d79d8da9
4 changed files with 60 additions and 238 deletions
--- a/hscontrol/policy/policyutil/reduce_test.go
+++ b/hscontrol/policy/policyutil/reduce_test.go
@@ -209,12 +209,17 @@ func TestReduceFilterRules(t *testing.T) {
 				{
 					SrcIPs: []string{
 						"100.64.0.1-100.64.0.2",
+						"fd7a:115c:a1e0::1-fd7a:115c:a1e0::2",
 					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.1",
 							Ports: tailcfg.PortRangeAny,
 						},
+						{
+							IP:    "fd7a:115c:a1e0::1",
+							Ports: tailcfg.PortRangeAny,
+						},
 						{
 							IP:    "10.33.0.0/16",
 							Ports: tailcfg.PortRangeAny,
@@ -347,7 +352,10 @@ func TestReduceFilterRules(t *testing.T) {
 				// autogroup:internet does NOT generate packet filters - it's handled
 				// by exit node routing via AllowedIPs, not by packet filtering.
 				{
-					SrcIPs: []string{"100.64.0.1-100.64.0.2"},
+					SrcIPs: []string{
+						"100.64.0.1-100.64.0.2",
+						"fd7a:115c:a1e0::1-fd7a:115c:a1e0::2",
+					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.100",
@@ -447,7 +455,10 @@ func TestReduceFilterRules(t *testing.T) {
 			want: []tailcfg.FilterRule{
 				// Merged: Both ACL rules combined (same SrcIPs)
 				{
-					SrcIPs: []string{"100.64.0.1-100.64.0.2"},
+					SrcIPs: []string{
+						"100.64.0.1-100.64.0.2",
+						"fd7a:115c:a1e0::1-fd7a:115c:a1e0::2",
+					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.100",
@@ -549,7 +560,10 @@ func TestReduceFilterRules(t *testing.T) {
 			want: []tailcfg.FilterRule{
 				// Merged: Both ACL rules combined (same SrcIPs)
 				{
-					SrcIPs: []string{"100.64.0.1-100.64.0.2"},
+					SrcIPs: []string{
+						"100.64.0.1-100.64.0.2",
+						"fd7a:115c:a1e0::1-fd7a:115c:a1e0::2",
+					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.100",
@@ -629,7 +643,10 @@ func TestReduceFilterRules(t *testing.T) {
 			want: []tailcfg.FilterRule{
 				// Merged: Both ACL rules combined (same SrcIPs)
 				{
-					SrcIPs: []string{"100.64.0.1-100.64.0.2"},
+					SrcIPs: []string{
+						"100.64.0.1-100.64.0.2",
+						"fd7a:115c:a1e0::1-fd7a:115c:a1e0::2",
+					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.100",
@@ -696,12 +713,19 @@ func TestReduceFilterRules(t *testing.T) {
 			},
 			want: []tailcfg.FilterRule{
 				{
-					SrcIPs: []string{"100.64.0.1"},
+					SrcIPs: []string{
+						"100.64.0.1",
+						"fd7a:115c:a1e0::1",
+					},
 					DstPorts: []tailcfg.NetPortRange{
 						{
 							IP:    "100.64.0.100",
 							Ports: tailcfg.PortRangeAny,
 						},
+						{
+							IP:    "fd7a:115c:a1e0::100",
+							Ports: tailcfg.PortRangeAny,
+						},
 						{
 							IP:    "172.16.0.21",
 							Ports: tailcfg.PortRangeAny,