diff --git a/server/testutil/testnetworking/BUILD b/server/testutil/testnetworking/BUILD
index 38c5b10b539..ca373c267fe 100644
--- a/server/testutil/testnetworking/BUILD
+++ b/server/testutil/testnetworking/BUILD
@@ -6,5 +6,8 @@ go_library(
     srcs = ["testnetworking.go"],
     importpath = "github.com/buildbuddy-io/buildbuddy/server/testutil/testnetworking",
     visibility = ["//visibility:public"],
-    deps = ["@com_github_stretchr_testify//require"],
+    deps = [
+        "//server/util/networking",
+        "@com_github_stretchr_testify//require",
+    ],
 )
diff --git a/server/testutil/testnetworking/testnetworking.go b/server/testutil/testnetworking/testnetworking.go
index 3fb238e72c5..a343c1efa75 100644
--- a/server/testutil/testnetworking/testnetworking.go
+++ b/server/testutil/testnetworking/testnetworking.go
@@ -1,11 +1,13 @@
 package testnetworking
 
 import (
+	"context"
 	"os"
 	"os/exec"
 	"strings"
 	"testing"
 
+	"github.com/buildbuddy-io/buildbuddy/server/util/networking"
 	"github.com/stretchr/testify/require"
 )
 
@@ -33,4 +35,8 @@ func Setup(t *testing.T) {
 		os.WriteFile("/proc/sys/net/ipv4/ip_forward", []byte("1"), 0)
 		require.NoError(t, err, "enable IPv4 forwarding")
 	}
+
+	// Set up default hostNetAllocator
+	err = networking.Configure(context.Background())
+	require.NoError(t, err)
 }
diff --git a/server/util/networking/networking.go b/server/util/networking/networking.go
index 18dc408badc..a2b42f0e3ff 100644
--- a/server/util/networking/networking.go
+++ b/server/util/networking/networking.go
@@ -618,6 +618,7 @@ func setupVethPair(ctx context.Context, netns *Namespace) (_ *vethPair, err erro
 	}
 	for _, r := range PrivateIPRanges {
 		iptablesRules = append(iptablesRules, []string{"FORWARD", "-i", vp.hostDevice, "-d", r, "-j", "REJECT"})
+		iptablesRules = append(iptablesRules, []string{"INPUT", "-i", vp.hostDevice, "-d", r, "-j", "REJECT"})
 	}
 	for _, rule := range iptablesRules {
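Review bot: The new `require.NoError(t, err)` after `networking.Configure` carries no message, while the sibling check a few lines above labels its step with `"enable IPv4 forwarding"`; `require.NoError(t, err, "configure host networking")` keeps a failure attributable when Setup is shared by many tests. In the context lines of the same hunk, `os.WriteFile("/proc/sys/net/ipv4/ip_forward", []byte("1"), 0)` discards its return value, so the `require.NoError` that follows it is checking an `err` assigned earlier; `err = os.WriteFile(...)` would make that check meaningful, since Configure presumably depends on forwarding being on. The `// Set up default hostNetAllocator` comment could also state what Configure leaves behind on the host and whether it is safe to call once per test, because the networking_test.go hunks in this commit now rely on Setup for that call. The body of Setup begins outside this hunk.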
diff --git a/server/util/networking/networking_test.go b/server/util/networking/networking_test.go
index e722b724f5b..d9012eb37bd 100644
--- a/server/util/networking/networking_test.go
+++ b/server/util/networking/networking_test.go
@@ -89,8 +89,6 @@ func TestHostNetAllocator(t *testing.T) {
 
 func TestConcurrentSetupAndCleanup(t *testing.T) {
 	ctx := context.Background()
-	err := networking.Configure(ctx)
-	require.NoError(t, err)
 	testnetworking.Setup(t)
 
 	eg, gCtx := errgroup.WithContext(ctx)
@@ -113,7 +111,7 @@ func TestConcurrentSetupAndCleanup(t *testing.T) {
 			return nil
 		})
 	}
-	err = eg.Wait()
+	err := eg.Wait()
 	require.NoError(t, err)
 }
 
@@ -128,6 +126,9 @@ func TestContainerNetworking(t *testing.T) {
 	err = networking.EnableMasquerading(ctx)
 	require.NoError(t, err)
 
+	defaultIP, err := networking.DefaultIP(ctx)
+	require.NoError(t, err)
+
 	c1 := createContainerNetwork(ctx, t)
 	c2 := createContainerNetwork(ctx, t)
 
@@ -146,11 +147,12 @@ func TestContainerNetworking(t *testing.T) {
 	netnsExec(t, c1.NamespacePath(), `echo 'Pinging c1' && if ping -c 1 -W 1 `+c2.HostNetwork().NamespacedIP()+` ; then exit 1; fi`)
 	netnsExec(t, c2.NamespacePath(), `echo 'Pinging c2' && if ping -c 1 -W 1 `+c1.HostNetwork().NamespacedIP()+` ; then exit 1; fi`)
 
+	// Containers should not be able to reach the default interface IP.
+	netnsExec(t, c1.NamespacePath(), `if ping -c 1 -W 1 `+defaultIP.String()+` ; then exit 1; fi`)
+
 	// Compute an IP that is likely on the same network as the default route IP,
 	// e.g. if the default gateway IP is 192.168.0.1 then we want something like
 	// 192.168.0.2 here.
-	defaultIP, err := networking.DefaultIP(ctx)
-	require.NoError(t, err)
 	ipOnDefaultNet := net.IP(append([]byte{}, defaultIP...))
 	ipOnDefaultNet[3] = byte((int(ipOnDefaultNet[3])+1)%255 + 1)