test: Ensure dns traffic from external source is dropped

Signed-off-by: Wesley Hershberger <[email protected]>
canonical · Apr 15, 2024 · 673da0d · 673da0d
1 parent 37f4aef
commit 673da0d
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/test/suites/container_devices_nic_bridged.sh b/test/suites/container_devices_nic_bridged.sh
@@ -732,6 +732,44 @@ test_container_devices_nic_bridged() {
   ! lxc start foo2 || false
   lxc delete -f foo foo2
 
+  # Ensure that dnsmasq is inaccessible from outside its managed bridge and the host lo
+  # This creates a new net namespace `testdns`, a bridge `testbr0`, and veths
+  # between; we need dns requests to come from an interface that isn't the
+  # lxd-managed bridge or the host's loopback, and `dig` doesn't let you specify
+  # the interface to use, only the source ip
+  testbr0Addr4=10.10.10.1
+  testbr0Addr6=fc00:feed:beef::1
+
+  ip link add veth_left type veth peer veth_right
+  ip link add testbr0 type bridge
+  ip link set testbr0 up
+  ip addr add "${testbr0Addr4}/24" dev testbr0
+  ip addr add "${testbr0Addr6}/64" dev testbr0
+  ip link set veth_left master testbr0 up
+
+  ip netns add testdns
+  ip link set dev veth_right netns testdns
+
+  ip netns exec testdns ip link set veth_right name eth0
+  ip netns exec testdns ip link set dev eth0 up
+  ip netns exec testdns ip addr add 10.10.10.2 dev eth0
+  ip netns exec testdns ip addr add fc00:feed:beef::2 dev eth0
+  ip netns exec testdns ip route add default via "${testbr0Addr4}"
+  ip netns exec testdns ip -6 route add defalt via "${testbr0Addr6}"
+
+  ip netns exec testdns ping -c 4 192.0.2.1
+  ip netns exec testdns ping -c 4 2001:db8::1
+
+  ! ip netns exec testdns dig -4 +retry=0 +notcp @192.0.2.1 "${ctName}.lxd"
+  ! ip netns exec testdns dig -6 +retry=0 +notcp @2001:db8::1 "${ctName}.lxd"
+  ! ip netns exec testdns dig -4 +retry=0 +tcp @192.0.2.1 "${ctName}.lxd"
+  ! ip netns exec testdns dig -6 +retry=0 +tcp @2001:db8::1 "${ctName}.lxd"
+
+  ip netns exec testdns ip link delete eth0
+  ip link delete testbr0
+  ip link delete veth_left
+  ip netns delete testdns
+
   # Check we haven't left any NICS lying around.
   endNicCount=$(find /sys/class/net | wc -l)
   if [ "$startNicCount" != "$endNicCount" ]; then