Context
PR #40 fixed dns_resolvers() to include well-known public DNS (8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1) so AllowList doesn't block guest DNS queries. We added unit tests but CI only exercises --net and --port at runtime — there's no end-to-end coverage for --net-allow or --net-block.
Proposed tests
All reuse the existing networking-py example (no new kernel/CPIO build):
--net-allow example.com + urllib_get.py — verifies allowlist permits the allowed host AND that DNS to well-known resolvers is exempted
--net-block example.com + new net_block_test.py — attempts urlopen("http://example.com/"), expects it to raise, prints SUCCESS: connection blocked as expected
--net-allow 198.51.100.1 (unreachable) + urllib_get.py — verifies allowlist blocks traffic to hosts NOT on the list (negative test)
Add entries to both Linux runtime-test and runtime-test-windows matrices in test-examples.yml.
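A concrete shape for the guest-side script these matrix entries would run, written here as an added example and not the project's networking-py code. It assumes the guest is launched with `--net-block example.com` (or `--net-allow 198.51.100.1` for the negative case) and that DNS to the well-known public resolvers stays permitted, so the name resolves but the TCP connect is refused or dropped. It goes slightly beyond net_block_test.py as described above: the expected verdict is a parameter, so the same script serves both the block-list entry (expect blocked) and the allow-list entries (expect reachable, or blocked for the 198.51.100.1 negative test), and a DNS failure is reported separately from a blocked connection, since a failed lookup is exactly the regression PR #40 fixed. `fake_opener` is a constructed stand-in for `urlopen` so the classifier can be exercised offline.

```python
"""Guest-side reachability check for the --net-block / --net-allow runtime tests.

Added example, not the project's networking-py script. Assumes the guest runs
with `--net-block example.com` (or `--net-allow 198.51.100.1`) and that DNS to
the well-known public resolvers is still permitted.
"""
import io
import socket
import sys
import urllib.error
import urllib.request

# A DROP-style filter never answers, so urlopen needs a timeout or the test
# hangs until the kernel's own connect timeout expires.
TIMEOUT = 5


def classify_fetch(url, opener=urllib.request.urlopen, timeout=TIMEOUT):
    """Return 'reachable', 'blocked' or 'dns_failure' for an HTTP GET of url.

    'dns_failure' is kept distinct because it means resolver traffic itself was
    filtered, which the AllowList exemption for 8.8.8.8/1.1.1.1 is meant to avoid.
    """
    try:
        with opener(url, timeout=timeout) as resp:
            resp.read(1)
        return "reachable"
    except urllib.error.URLError as exc:
        # urllib wraps the socket error; the original exception is in .reason
        if isinstance(exc.reason, socket.gaierror):
            return "dns_failure"
        return "blocked"  # refused, unreachable, or connect timeout


def fake_opener(outcome):
    """Constructed stand-in for urlopen so the classifier runs offline."""
    def opener(url, timeout=None):
        if outcome == "refused":
            raise urllib.error.URLError(ConnectionRefusedError(111, "Connection refused"))
        if outcome == "timeout":
            raise urllib.error.URLError(socket.timeout("timed out"))
        if outcome == "nxdomain":
            raise urllib.error.URLError(socket.gaierror(-2, "Name or service not known"))
        return io.BytesIO(b"<html>ok</html>")  # outcome == "open"
    return opener


def main(url="http://example.com/", expect="blocked", opener=urllib.request.urlopen):
    """Exit 0 when the observed verdict matches what the CI matrix entry expects."""
    verdict = classify_fetch(url, opener=opener)
    if verdict == expect:
        print("SUCCESS: connection %s as expected" % verdict)
        return 0
    if verdict == "dns_failure":
        print("FAIL: name resolution failed; resolver traffic must stay exempt from the filter")
    else:
        print("FAIL: expected %s but %s was %s" % (expect, url, verdict))
    return 1


if __name__ == "__main__":
    # usage: net_block_test.py [URL] [reachable|blocked]
    sys.exit(main(*sys.argv[1:3]))
```

For the `--net-block example.com` entry the guest would run it with no arguments and CI greps for `SUCCESS: connection blocked as expected`; for `--net-allow example.com` it would pass `reachable` as the second argument. Note that the verdict names are an assumption of this example, not strings the project defines.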
Future work
Consider a HLDNS00 TLV for host→guest DNS injection so the guest automatically uses the host's resolvers instead of hardcoding 8.8.8.8/8.8.4.4 in the CPIO's /etc/resolv.conf.