Reject packets on INPUT chain too (#8346)

buildbuddy-io · Feb 7, 2025 · a933e22 · a933e22
1 parent 0cb44b4
commit a933e22
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 6 deletions.
diff --git a/server/testutil/testnetworking/BUILD b/server/testutil/testnetworking/BUILD
@@ -6,5 +6,8 @@ go_library(
     srcs = ["testnetworking.go"],
     importpath = "github.com/buildbuddy-io/buildbuddy/server/testutil/testnetworking",
     visibility = ["//visibility:public"],
-    deps = ["@com_github_stretchr_testify//require"],
+    deps = [
+        "//server/util/networking",
+        "@com_github_stretchr_testify//require",
+    ],
 )
diff --git a/server/testutil/testnetworking/testnetworking.go b/server/testutil/testnetworking/testnetworking.go
@@ -1,11 +1,13 @@
 package testnetworking
 
 import (
+	"context"
 	"os"
 	"os/exec"
 	"strings"
 	"testing"
 
+	"github.com/buildbuddy-io/buildbuddy/server/util/networking"
 	"github.com/stretchr/testify/require"
 )
 
@@ -33,4 +35,8 @@ func Setup(t *testing.T) {
 		os.WriteFile("/proc/sys/net/ipv4/ip_forward", []byte("1"), 0)
 		require.NoError(t, err, "enable IPv4 forwarding")
 	}
+
+	// Set up default hostNetAllocator
+	err = networking.Configure(context.Background())
+	require.NoError(t, err)
 }
diff --git a/server/util/networking/networking.go b/server/util/networking/networking.go
@@ -618,6 +618,7 @@ func setupVethPair(ctx context.Context, netns *Namespace) (_ *vethPair, err erro
 	}
 	for _, r := range PrivateIPRanges {
 		iptablesRules = append(iptablesRules, []string{"FORWARD", "-i", vp.hostDevice, "-d", r, "-j", "REJECT"})
+		iptablesRules = append(iptablesRules, []string{"INPUT", "-i", vp.hostDevice, "-d", r, "-j", "REJECT"})
 	}
 
 	for _, rule := range iptablesRules {

diff --git a/server/util/networking/networking_test.go b/server/util/networking/networking_test.go
@@ -89,8 +89,6 @@ func TestHostNetAllocator(t *testing.T) {
 
 func TestConcurrentSetupAndCleanup(t *testing.T) {
 	ctx := context.Background()
-	err := networking.Configure(ctx)
-	require.NoError(t, err)
 	testnetworking.Setup(t)
 
 	eg, gCtx := errgroup.WithContext(ctx)
@@ -113,7 +111,7 @@ func TestConcurrentSetupAndCleanup(t *testing.T) {
 			return nil
 		})
 	}
-	err = eg.Wait()
+	err := eg.Wait()
 	require.NoError(t, err)
 }
 
@@ -128,6 +126,9 @@ func TestContainerNetworking(t *testing.T) {
 	err = networking.EnableMasquerading(ctx)
 	require.NoError(t, err)
 
+	defaultIP, err := networking.DefaultIP(ctx)
+	require.NoError(t, err)
+
 	c1 := createContainerNetwork(ctx, t)
 	c2 := createContainerNetwork(ctx, t)
 
@@ -146,11 +147,12 @@ func TestContainerNetworking(t *testing.T) {
 	netnsExec(t, c1.NamespacePath(), `echo 'Pinging c1' && if ping -c 1 -W 1 `+c2.HostNetwork().NamespacedIP()+` ; then exit 1; fi`)
 	netnsExec(t, c2.NamespacePath(), `echo 'Pinging c2' && if ping -c 1 -W 1 `+c1.HostNetwork().NamespacedIP()+` ; then exit 1; fi`)
 
+	// Containers should not be able to reach the default interface IP.
+	netnsExec(t, c1.NamespacePath(), `if ping -c 1 -W 1 `+defaultIP.String()+` ; then exit 1; fi`)
+
 	// Compute an IP that is likely on the same network as the default route IP,
 	// e.g. if the default gateway IP is 192.168.0.1 then we want something like
 	// 192.168.0.2 here.
-	defaultIP, err := networking.DefaultIP(ctx)
-	require.NoError(t, err)
 	ipOnDefaultNet := net.IP(append([]byte{}, defaultIP...))
 	ipOnDefaultNet[3] = byte((int(ipOnDefaultNet[3])+1)%255 + 1)