Disabling external network access

Questions / Help
,
1

I have a fairly large codebase with many files and many tests.
For whatever reasons that happened over the years, some tests execute code that does call an external APIs. It’s not easy to spot these tests (they pop up only when something breaks), these calls often come from some deep code using different http libraries.

I wonder if there is a way to somehow setup beam to filter TCP traffic - disable all network access except for e.g. localhost:5432 (postgres) during tests. It could be useful especially on the CI (Locally one can disconnect internet and then try to find these bad tests)

tl;dr - Is there any way to block (or log) all external TCP traffic on the beam level?

2

You can configure the inet dns resolver to never resolve anything. That way only ip addresses will be possible to use.

For example:

echo "{lookup,[]}." > ./erl_inetrc
ERL_INETRC=./erl_inetrc iex
Erlang/OTP 27 [RELEASE CANDIDATE 2] [erts-14.2.3] [source-f7fa414e3e] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] [jit:ns]

Interactive Elixir (1.17.0-dev) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> :gen_tcp.connect(~c"localhost",80,[])
{:error, :nxdomain}

You can read more about how to configure inetrc here: Erlang -- Inet Configuration

2 Likes
3

You can also try Overview — extrace v0.5.0 with some of the lower-level functions in :inet but I am not sure that would work at all.

1 Like
4

Thanks!

I forgot about the amazing dbg - I’ve put this into test/test_helper.ex

require Logger

:dbg.start()

:dbg.tracer(
  :process,
  {fn {:trace, _pid, :call, {:gen_tcp, :connect, [host, port | _]}}, n ->
     case {host, port} do
       {~c"localhost", 5432} -> :ok
       {~c"localhost", 6379} -> :ok
       _ -> Logger.error("\n\n****\n\nConnection to #{host}:#{port} not allowed\n\n****\n")
     end

     n + 1
   end, 0}
)

:dbg.tp(:gen_tcp, :connect, [])
:dbg.p(:all, :c)

and it will log unwanted connections during tests.

4 Likes