integration: add custom subnet support and fix exit node tests

Add NetworkSpec struct with optional Subnet field to ScenarioSpec.Networks. When Subnet is set, the Docker network is created with that specific CIDR instead of Docker's auto-assigned RFC1918 range. Fix all exit node integration tests to use curl + traceroute. Tailscale exit nodes strip locally-connected subnets from their forwarding filter (shrinkDefaultRoute + localInterfaceRoutes), so exit nodes cannot forward to IPs on their Docker network via the default route alone. This is by design: exit nodes provide internet access, not LAN access. To also get LAN access, the subnet must be explicitly advertised as a route — matching real-world Tailscale deployment requirements. - TestSubnetRouterMultiNetworkExitNode: advertise usernet1 subnet alongside exit route, upgraded from ping to curl + traceroute - TestGrantViaExitNodeSteering: usernet1 subnet in via grants and auto-approvers alongside autogroup:internet - TestGrantViaMixedSteering: externet subnet in auto-approvers and route advertisement for exit traffic Updates #2180
2026-04-10 11:14:21 +02:00 · 2026-03-26 21:33:48 +00:00
parent 0431039f2a
commit bca6e6334d
5 changed files with 95 additions and 58 deletions
--- a/integration/dockertestutil/network.go
+++ b/integration/dockertestutil/network.go
@@ -14,13 +14,33 @@ import (
 var ErrContainerNotFound = errors.New("container not found")

 func GetFirstOrCreateNetwork(pool *dockertest.Pool, name string) (*dockertest.Network, error) {
+	return GetFirstOrCreateNetworkWithSubnet(pool, name, "")
+}
+
+// GetFirstOrCreateNetworkWithSubnet creates a Docker network with an optional
+// custom subnet. When subnet is empty, Docker auto-assigns from its default
+// pool. Use RFC 5737 TEST-NET ranges (e.g. "198.51.100.0/24") for networks
+// that need to be reachable through Tailscale exit nodes, since Tailscale's
+// shrinkDefaultRoute strips RFC1918 ranges from exit node forwarding filters.
+func GetFirstOrCreateNetworkWithSubnet(pool *dockertest.Pool, name, subnet string) (*dockertest.Network, error) {
 	networks, err := pool.NetworksByName(name)
 	if err != nil {
 		return nil, fmt.Errorf("looking up network names: %w", err)
 	}

 	if len(networks) == 0 {
-		if _, err := pool.CreateNetwork(name); err == nil { //nolint:noinlineerr // intentional inline check
+		var opts []func(*docker.CreateNetworkOptions)
+		if subnet != "" {
+			opts = append(opts, func(config *docker.CreateNetworkOptions) {
+				config.IPAM = &docker.IPAMOptions{
+					Config: []docker.IPAMConfig{
+						{Subnet: subnet},
+					},
+				}
+			})
+		}
+
+		if _, err := pool.CreateNetwork(name, opts...); err == nil { //nolint:noinlineerr // intentional inline check
 			// Create does not give us an updated version of the resource, so we need to
 			// get it again.
 			networks, err := pool.NetworksByName(name)