test(e2e): add bypass detection test for sandbox REJECT rules #1368

Merged
johntmyers merged 1 commit into NVIDIA:main from russellb:test/bypass-detection-e2e
May 14, 2026

Conversation

@russellb
Contributor

Summary

Add an e2e test that validates sandbox bypass detection provides fast-fail UX: direct TCP connections that skip the HTTP CONNECT proxy are rejected with ECONNREFUSED (immediate) rather than hanging until a network timeout.

Related Issue

Related to #1335

Changes

  • Add e2e/rust/tests/bypass_detection.rs with a single test bypass_attempt_is_rejected_fast
  • Test creates a sandbox, runs a Python script that attempts a raw socket.connect() to an RFC 5737 TEST-NET-2 address, and asserts the connection is refused in under 3 seconds
  • Implementation-agnostic — validates observable kernel behavior regardless of whether rules are installed via iptables or nftables

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated
  • Tested against Podman gateway — passes in ~1.5s
  • Tested against VM gateway — passes in ~18s
  • Verified test catches regressions: intentionally broke find_iptables() to return None, confirmed test fails with timeout after 10s

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

Validates that direct TCP connections bypassing the HTTP CONNECT proxy
are rejected immediately (ECONNREFUSED) rather than hanging until a
network timeout. This is implementation-agnostic — it tests observable
kernel behavior regardless of whether rules are installed via iptables
or nftables.
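
Added example, not part of the pull request or the project's code: a standalone Python probe in the spirit of the check the description outlines, which attempts a direct TCP connect and classifies the result as refused, hung, or connected against the 3-second budget. The function names, the 10-second socket timeout, and the address and port in the `__main__` block are assumptions; reporting the connected and timeout cases separately goes beyond the single assertion described.

```python
"""Classify a direct TCP connect as fast reject, silent hang, or success."""
import errno
import socket
import time

BUDGET_SECS = 3.0  # threshold quoted in the PR description


def probe(host, port, timeout=10.0):
    """Attempt one raw TCP connect; return (outcome, elapsed_seconds)."""
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)  # assumed value; bounds the hang case
    try:
        sock.connect((host, port))
        outcome = "connected"   # direct path was open, nothing rejected it
    except ConnectionRefusedError:
        outcome = "refused"     # ECONNREFUSED: an active rejection came back
    except socket.timeout:
        outcome = "timeout"     # no answer at all within the socket timeout
    except OSError as exc:
        outcome = "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()
    return outcome, time.monotonic() - start


def verdict(outcome, elapsed, budget=BUDGET_SECS):
    """Map a probe result onto the pass/fail condition the PR describes."""
    if outcome == "refused" and elapsed < budget:
        return "PASS: rejected fast"
    if outcome == "refused":
        return "FAIL: refused, but slower than the budget"
    if outcome == "timeout":
        return "FAIL: hung until timeout instead of being rejected"
    if outcome == "connected":
        return "FAIL: direct connection succeeded"
    return "FAIL: unexpected " + outcome


if __name__ == "__main__":
    # Assumed target: one address in TEST-NET-2 (198.51.100.0/24, RFC 5737);
    # the port is arbitrary.
    outcome, elapsed = probe("198.51.100.1", 80)
    print(f"{outcome} after {elapsed:.2f}s -> {verdict(outcome, elapsed)}")
```
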
@copy-pr-bot

copy-pr-bot Bot commented May 13, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions

Label test:e2e applied, but pull-request/1368 is at {"messa while the PR head is 113ecb8. A maintainer needs to comment /ok to test 113ecb8c0098e6ac611faef3c4fcf1ff628fc1dc to refresh the mirror. Once the mirror catches up, re-run Branch E2E Checks from the Actions tab.

@johntmyers
Collaborator

/ok to test 113ecb8

@johntmyers johntmyers self-assigned this May 13, 2026
@johntmyers johntmyers merged commit bbfcac8 into NVIDIA:main May 14, 2026
43 of 46 checks passed
Labels

test:e2e Requires end-to-end coverage
