headscale/hscontrol
Kristoffer Dalby 162e1dc35b hscontrol/policy/v2: replace ACL golden data with Tailscale SaaS captures

Replace the headscale-adapted ACL golden files with authoritative
captures from Tailscale SaaS using the 8-node grant topology.

The golden data was captured via debug-packet-filter-rules (FilterRule
wire format) from each of the 8 nodes after pushing each ACL policy
to the Tailscale API. This gives us the exact format Tailscale sends
to clients:

- SrcIPs use IP ranges (100.64.0.0-100.115.91.255) not CIDRs
- SrcIPs include subnet routes (10.33.0.0/16) for wildcard sources
- IPProto is omitted for default all-protocol rules
- DstPorts use bare IPs without /32 suffix
- Identity aliases include both IPv4 and IPv6 addresses

The test driver is updated to use the 8-node topology (3 users,
5 tagged nodes) matching the grant compat tests, with the same
email conversion (kratail2tid@passkey -> @example.com).

215 test cases: 199 success + 16 error (captured from API 400s).
All captured from Tailscale SaaS, no headscale-adapted values.

Updates #2180
2026-03-25 15:17:23 +00:00