integration/acl: fix TestACLPolicyPropagationOverTime infrastructure

Add embedded DERP server, TLS, and netfilter=off to match the
infrastructure configuration used by all other ACL integration tests.

Without these options, the test fails intermittently because traffic
routes through external DERP relays and iptables initialization fails
in Docker containers.

Updates #3139

integration/acl_test.go

@@ -1911,14 +1911,15 @@ func TestACLPolicyPropagationOverTime(t *testing.T) {
 
 	err = scenario.CreateHeadscaleEnv(
 		[]tsic.Option{
-			// Install iptables to enable packet filtering for ACL tests.
-			// Packet filters are essential for testing autogroup:self and other ACL policies.
-			tsic.WithPackages("curl", "iptables", "ip6tables"),
+			tsic.WithNetfilter("off"),
+			tsic.WithPackages("curl"),
 			tsic.WithWebserver(80),
 			tsic.WithDockerWorkdir("/"),
 		},
 		hsic.WithTestName("aclpropagation"),
 		hsic.WithPolicyMode(types.PolicyModeDB),
+		hsic.WithEmbeddedDERPServerOnly(),
+		hsic.WithTLS(),
 	)
 	require.NoError(t, err)