policy: add tests to validate fix for 2181

Fixes #2181 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-08-10 13:46:46 +02:00 · 2025-05-02 16:30:21 +02:00 · 2025-05-02 16:30:21 +02:00 · fbd3049e89
commit fbd3049e89
parent 06c5390d89
1 changed files with 104 additions and 2 deletions
--- a/hscontrol/policy/policy_test.go
+++ b/hscontrol/policy/policy_test.go
@ -2,10 +2,11 @@ package policy

 import (
 	"fmt"
-	"github.com/juanfont/headscale/hscontrol/policy/matcher"
 	"net/netip"
 	"testing"

+	"github.com/juanfont/headscale/hscontrol/policy/matcher"
+
 	"github.com/google/go-cmp/cmp"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
@ -1370,7 +1371,6 @@ func TestFilterNodesByACL(t *testing.T) {
 				},
 			},
 		},
-
 		{
 			name: "subnet-router-with-only-route",
 			args: args{
@ -1422,6 +1422,108 @@ func TestFilterNodesByACL(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "subnet-router-with-only-route-smaller-mask-2181",
+			args: args{
+				nodes: []*types.Node{
+					{
+						ID:       1,
+						IPv4:     ap("100.64.0.1"),
+						Hostname: "router",
+						User:     types.User{Name: "router"},
+						Hostinfo: &tailcfg.Hostinfo{
+							RoutableIPs: []netip.Prefix{netip.MustParsePrefix("10.99.0.0/16")},
+						},
+						ApprovedRoutes: []netip.Prefix{netip.MustParsePrefix("10.99.0.0/16")},
+					},
+					{
+						ID:       2,
+						IPv4:     ap("100.64.0.2"),
+						Hostname: "node",
+						User:     types.User{Name: "node"},
+					},
+				},
+				rules: []tailcfg.FilterRule{
+					{
+						SrcIPs: []string{
+							"100.64.0.2/32",
+						},
+						DstPorts: []tailcfg.NetPortRange{
+							{IP: "10.99.0.2/32", Ports: tailcfg.PortRangeAny},
+						},
+					},
+				},
+				node: &types.Node{
+					ID:       1,
+					IPv4:     ap("100.64.0.1"),
+					Hostname: "router",
+					User:     types.User{Name: "router"},
+					Hostinfo: &tailcfg.Hostinfo{
+						RoutableIPs: []netip.Prefix{netip.MustParsePrefix("10.99.0.0/16")},
+					},
+					ApprovedRoutes: []netip.Prefix{netip.MustParsePrefix("10.99.0.0/16")},
+				},
+			},
+			want: []*types.Node{
+				{
+					ID:       2,
+					IPv4:     ap("100.64.0.2"),
+					Hostname: "node",
+					User:     types.User{Name: "node"},
+				},
+			},
+		},
+		{
+			name: "node-to-subnet-router-with-only-route-smaller-mask-2181",
+			args: args{
+				nodes: []*types.Node{
+					{
+						ID:       1,
+						IPv4:     ap("100.64.0.1"),
+						Hostname: "router",
+						User:     types.User{Name: "router"},
+						Hostinfo: &tailcfg.Hostinfo{
+							RoutableIPs: []netip.Prefix{netip.MustParsePrefix("10.99.0.0/16")},
+						},
+						ApprovedRoutes: []netip.Prefix{netip.MustParsePrefix("10.99.0.0/16")},
+					},
+					{
+						ID:       2,
+						IPv4:     ap("100.64.0.2"),
+						Hostname: "node",
+						User:     types.User{Name: "node"},
+					},
+				},
+				rules: []tailcfg.FilterRule{
+					{
+						SrcIPs: []string{
+							"100.64.0.2/32",
+						},
+						DstPorts: []tailcfg.NetPortRange{
+							{IP: "10.99.0.2/32", Ports: tailcfg.PortRangeAny},
+						},
+					},
+				},
+				node: &types.Node{
+					ID:       2,
+					IPv4:     ap("100.64.0.2"),
+					Hostname: "node",
+					User:     types.User{Name: "node"},
+				},
+			},
+			want: []*types.Node{
+				{
+					ID:       1,
+					IPv4:     ap("100.64.0.1"),
+					Hostname: "router",
+					User:     types.User{Name: "router"},
+					Hostinfo: &tailcfg.Hostinfo{
+						RoutableIPs: []netip.Prefix{netip.MustParsePrefix("10.99.0.0/16")},
+					},
+					ApprovedRoutes: []netip.Prefix{netip.MustParsePrefix("10.99.0.0/16")},
+				},
+			},
+		},
 	}

 	for _, tt := range tests {