From ab7eefb9c9c070a4857f5035c7b82496ad6dd7d7 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 12 Sep 2025 11:25:38 +0200
Subject: [PATCH] policy: validate protocol and portnumber
Signed-off-by: Kristoffer Dalby
---
 hscontrol/policy/v2/types.go | 5 +++++
 hscontrol/policy/v2/types_test.go | 18 +-----------------
 2 files changed, 6 insertions(+), 17 deletions(-)
diff --git a/hscontrol/policy/v2/types.go b/hscontrol/policy/v2/types.go
index c16c1349..e840c5c6 100644
--- a/hscontrol/policy/v2/types.go
+++ b/hscontrol/policy/v2/types.go
@@ -1720,6 +1720,11 @@ func (p *Policy) validate() error {
 }
 }
 }
+
+ // Validate protocol-port compatibility
+ if err := validateProtocolPortCompatibility(acl.Protocol, acl.Destinations); err != nil {
+ errs = append(errs, err)
+ }
 }
 
 for _, ssh := range p.SSHs {
diff --git a/hscontrol/policy/v2/types_test.go b/hscontrol/policy/v2/types_test.go
index d47c8cf5..0d8c5059 100644
--- a/hscontrol/policy/v2/types_test.go
+++ b/hscontrol/policy/v2/types_test.go
@@ -352,20 +352,6 @@ func TestUnmarshalPolicy(t *testing.T) {
 name: "2652-asterix-error-better-explain",
 input: `
 {
- "acls": [
- {
- "action": "accept",
- "src": [
- "*"
- ],
- "dst": [
- "*:*"
- ],
- "proto": [
- "*:*"
- ]
- }
- ],
 "ssh": [
 {
 "action": "accept",
@@ -375,9 +361,7 @@ func TestUnmarshalPolicy(t *testing.T) {
 "dst": [
 "*"
 ],
- "proto": [
- "*:*"
- ]
+ "users": ["root"]
 }
 ]
 }
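Review bot: The error returned by `validateProtocolPortCompatibility` is appended to `errs` unchanged, so in a policy with many ACL entries the operator may not be able to tell which rule was rejected. The helper's body is not part of this patch, so unless it already names the rule, wrap the error with the rule's position, for example `errs = append(errs, fmt.Errorf("acl %d: %w", i, err))`, where `i` stands for the loop index declared outside the hunk. The comment `// Validate protocol-port compatibility` only restates the call; it would help to say which combinations are refused and that a mismatched rule is rejected at load time rather than accepted. The body of `validate()` starts and ends outside this hunk.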
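Review bot: Nothing in this commit exercises the new protocol/port check: the two `types_test.go` hunks only delete the `acls` block from the `2652-asterix-error-better-explain` fixture and replace the SSH rule's `proto` with `"users": ["root"]`. If the call in `validate()` were later dropped or the helper loosened, no case touched by this commit would fail, and the policy would go back to accepting rules it should refuse. Add table entries to `TestUnmarshalPolicy` for one ACL the check is expected to reject, asserting the exact error, and one it should accept. The expected-error field of the edited case lies outside both hunks, so confirm it still matches what the SSH-only input now produces.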