From ebc57d9a38a278c40092a3dc3162a10c80d7a58e Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby <kristoffer@dalby.cc>
Date: Fri, 13 Mar 2026 13:43:16 +0000
Subject: [PATCH] integration/acl: fix TestACLPolicyPropagationOverTime
 infrastructure

Add embedded DERP server, TLS, and netfilter=off to match the
infrastructure configuration used by all other ACL integration tests.

Without these options, the test fails intermittently because traffic
routes through external DERP relays and iptables initialization fails
in Docker containers.

Updates #3139
---
 integration/acl_test.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/integration/acl_test.go b/integration/acl_test.go
index 36450332..87b016d1 100644
--- a/integration/acl_test.go
+++ b/integration/acl_test.go
@@ -1911,14 +1911,15 @@ func TestACLPolicyPropagationOverTime(t *testing.T) {
 
 	err = scenario.CreateHeadscaleEnv(
 		[]tsic.Option{
-			// Install iptables to enable packet filtering for ACL tests.
-			// Packet filters are essential for testing autogroup:self and other ACL policies.
-			tsic.WithPackages("curl", "iptables", "ip6tables"),
+			tsic.WithNetfilter("off"),
+			tsic.WithPackages("curl"),
 			tsic.WithWebserver(80),
 			tsic.WithDockerWorkdir("/"),
 		},
 		hsic.WithTestName("aclpropagation"),
 		hsic.WithPolicyMode(types.PolicyModeDB),
+		hsic.WithEmbeddedDERPServerOnly(),
+		hsic.WithTLS(),
 	)
 	require.NoError(t, err)