diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..522cce8 --- /dev/null +++ b/Makefile @@ -0,0 +1,7 @@ +.PHONY: testdata +testdata: + go run . \ + -f testdata/input-parent.hujson \ + -d testdata/departments/ \ + -o testdata/output-file-to-compare-to.hujson \ + -allow=acls,grants,groups,ipsets,ssh,tests \ No newline at end of file diff --git a/main.go b/main.go index ba2e41e..62b776b 100644 --- a/main.go +++ b/main.go @@ -30,6 +30,7 @@ var ( "extraDNSRecords": handleArray(), "grants": handleArray(), "groups": handleObject(), + "ipsets": handleObject(), "nodeAttrs": handleArray(), // TODO: need to merge anything? "postures": handleObject(), "ssh": handleArray(), diff --git a/testdata/departments/finance/ipsets.hujson b/testdata/departments/finance/ipsets.hujson new file mode 100644 index 0000000..8b5ca9d --- /dev/null +++ b/testdata/departments/finance/ipsets.hujson @@ -0,0 +1,5 @@ +{ + "ipsets": { + "ipset:finance": ["192.0.2.1"], + }, +} \ No newline at end of file diff --git a/testdata/input-parent.hujson b/testdata/input-parent.hujson index 2c9f5a1..ac18752 100644 --- a/testdata/input-parent.hujson +++ b/testdata/input-parent.hujson @@ -63,4 +63,8 @@ "tag:dave": [], "tag:jane": [], }, + + "ipsets": { + "ipset:parent": ["192.0.2.0"], + }, } diff --git a/testdata/output-file-to-compare-to.hujson b/testdata/output-file-to-compare-to.hujson index b994ae5..1bd8b9e 100644 --- a/testdata/output-file-to-compare-to.hujson +++ b/testdata/output-file-to-compare-to.hujson @@ -1,8 +1,9 @@ { + // from `testdata/input-parent.hujson` "RandomizeClientPort": true, // inline comment "acls": [ - // from testdata/departments/engineering/acls.hujson + // from `testdata/input-parent.hujson` { // engineering1 "action": "accept", 
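Review bot: Nothing at the new `"ipsets": handleObject(),` entry shows what happens when a department file defines an ipset name that the parent or another department already defines. For ipsets that choice decides which addresses every rule referencing the name applies to. `handleObject` is defined outside this hunk, so its collision behaviour cannot be confirmed from here; if it appends or overwrites silently, the merge should instead fail with an error naming both source files. Once that is enforced, document it on the entry with something like `// ipsets: names must be unique across parent and departments; duplicates fail the merge`, and add a testdata case with a colliding name. The `var (` block continues outside the hunk.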
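Review bot: The provenance comment above the first `acls` entry now reads `testdata/input-parent.hujson`, yet the rule it labels still carries the inner comment `// engineering1` and was previously attributed to `testdata/departments/engineering/acls.hujson`. The same relabelling happens to the first `tests` entry in the last hunk of this file (`@@ -144,12 +159,12 @@`). If those entries do live in the engineering file, the golden output records the wrong source, and these comments are what a reader uses to trace a merged rule back to the department that owns it. This is worth confirming against the input files before accepting the regenerated output, since the `acls` and `tests` sections of the inputs are not shown in this diff.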
@@ -27,14 +28,14 @@ "dst": ["tag:demo-infra:22"], "srcPosture": ["posture:latestMac"], }, - // from testdata/departments/engineering/acls.json + // from `testdata/departments/engineering/acls.json` { "action": "accept", "src": ["json-rule@tsjustworks.net"], "dst": ["tag:json-rule:22"], "srcPosture": ["posture:latestMac"], }, - // from testdata/departments/finance/acls.hujson + // from `testdata/departments/finance/acls.hujson` { // finance1 "action": "accept", @@ -51,6 +52,7 @@ }, ], + // from `testdata/input-parent.hujson` "extraDNSRecords": [ { "Name": "exra.dns.records", @@ -59,7 +61,7 @@ ], "grants": [ - // from testdata/departments/engineering/grants.hujson + // from `testdata/departments/engineering/grants.hujson` { //"src": ["group:prod"], "src": ["allen@tsjustworks.net"], @@ -70,15 +72,25 @@ ], "groups": { + // from `testdata/input-parent.hujson` "group:parent": ["from-parent"], - // from testdata/departments/engineering/groups.hujson + // from `testdata/departments/engineering/groups.hujson` "group:group1": ["cameron@tsjustworks.net"], - // from testdata/departments/finance/acls.hujson + // from `testdata/departments/finance/acls.hujson` "group:group2": ["allen@tsjustworks.net"], }, + "ipsets": { + // from `testdata/input-parent.hujson` + "ipset:parent": ["192.0.2.0"], + + // from `testdata/departments/finance/ipsets.hujson` + "ipset:parent": ["192.0.2.1"], + }, + + // from `testdata/input-parent.hujson` "nodeAttrs": [ { "target": ["*"], 
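Review bot: The added `ipsets` block in the expected output (`@@ -70,15 +72,25 @@`) lists `"ipset:parent"` twice, and the second entry, attributed to `testdata/departments/finance/ipsets.hujson`, does not match that file, which in this same commit defines `"ipset:finance": ["192.0.2.1"]`. As written the golden file has one key with two different address lists, so which list takes effect depends on the parser that reads the policy, and a test comparing against it would either fail or lock in a renamed key. If the line was hand-edited it should read `"ipset:finance": ["192.0.2.1"],`; if `make testdata` produced it, the key rewrite is a merge bug to fix before this output is accepted.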
@@ -105,23 +117,25 @@ }, ], + // from `testdata/input-parent.hujson` "postures": {"posture:latestMac": ["node:os IN ['macos', 'linux']","node:tsReleaseTrack == 'stable'","node:tsVersion >= '1.40'"]}, "ssh": [ + // from `testdata/input-parent.hujson` { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["root", "autogroup:nonroot"], }, - // from testdata/departments/engineering/acls.hujson + // from `testdata/departments/engineering/acls.hujson` { "action": "accept", "src": ["group:finance"], "dst": ["autogroup:self"], "users": ["root", "autogroup:nonroot"], }, - // from testdata/departments/finance/ssh.hujson + // from `testdata/departments/finance/ssh.hujson` { "action": "accept", "src": ["autogroup:member"], @@ -136,6 +150,7 @@ }, ], + // from `testdata/input-parent.hujson` "tagOwners": { "tag:parent": [], "tag:cameron": ["autogroup:member"], @@ -144,12 +159,12 @@ }, "tests": [ - // from testdata/departments/engineering/acls.hujson + // from `testdata/input-parent.hujson` { "src": "cameron@example.com", "accept": ["tag:cameron:22"], }, - // from testdata/departments/finance/acls.hujson + // from `testdata/departments/finance/acls.hujson` { "src": "dave@example.com", "srcPostureAttrs": {"node:os": "windows"},