mirror of https://github.com/juanfont/headscale.git synced 2026-02-07 20:04:00 +01:00

docs: add compatibility test documentation

Updates #3036
Kristoffer Dalby 2026-01-23 20:58:38 +00:00
parent 73bf7f5b29
commit 56b67ca372
2 changed files with 21 additions and 9 deletions

@ -2,6 +2,13 @@
## 0.29.0 (202x-xx-xx)
### Tailscale ACL compatibility improvements
Extensive test cases were systematically generated using Tailscale clients and the official SaaS
to understand how the packet filter should be generated. We discovered a few differences, but
overall our implementation was very close.
[#3036](https://github.com/juanfont/headscale/pull/3036)
### BREAKING
- **ACL Policy**: Wildcard (`*`) in ACL sources and destinations now resolves to Tailscale's CGNAT range (`100.64.0.0/10`) and ULA range (`fd7a:115c:a1e0::/48`) instead of all IPs (`0.0.0.0/0` and `::/0`) [#3036](https://github.com/juanfont/headscale/pull/3036)
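
Review bot: In the "Tailscale ACL compatibility improvements" paragraph, "We discovered a few differences" names none of them, and the only concrete one visible in this changelog is the wildcard change under BREAKING. These differences alter the packet filter that clients receive, so either list each one here or state that the BREAKING entries are the complete list, so operators can audit their policies before upgrading. "the official SaaS" would also read more clearly as "Tailscale's official SaaS".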

@ -1,13 +1,18 @@
// Copyright (c) Tailscale Inc & AUTHORS
// Copyright (c) Headscale AUTHORS
// SPDX-License-Identifier: BSD-3-Clause
// tailscale_compat_test.go contains tests that verify Headscale's ACL-to-PacketFilter
// translation matches Tailscale's behavior. These tests are derived from empirical
// observations of Tailscale's actual filter generation.
// This file is "generated" by Claude.
// It contains a large set of input ACL/Policy JSON configurations that
// the AI agent has systematically applied to a Tailnet on Tailscale SaaS
// and then observed the individual clients connected to the Tailnet
// with a given policy and recorded the resulting Packet filter rules sent
// to the clients.
//
// Test data source: https://github.com/kradalby/acl-explore/findings/
// There is likely a lot of duplicate or overlapping tests, however, the main
// exercise of this work was to create a comperehensive test set for comparing
// the behaviour of our policy engine and the upstream one.
//
// We aim to keep these tests to make sure we do not regress as we evolve
// and improve our policy implementation.
// This file is NOT intended for developer/humans to change and should be
// consider a "black box" test suite.
package v2
import (
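
Review bot: Two typos in the file header comment: "comperehensive" should be "comprehensive", and "should be consider" should be "should be considered". The comment also declares the file a black box that humans should not change, but it does not say how the file is regenerated, nor which Tailscale client and SaaS versions or capture date the recorded packet filter rules reflect. Keep the "Test data source" reference and add that information, so a future test failure can be attributed either to a Headscale regression or to a change in upstream behaviour.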