cmd/buildlet: find iptables on newer systems, via PATH

iptables may be installed as /usr/sbin/iptables or as /sbin/iptables,
depending on the distribution and its age. Prefer to look for it via
the PATH environment variable.

Also prefer explicitly picking iptables-legacy when available, since
on newer systems "iptables" may default to the newer nftables syntax.

Also block port 80 while here, and update dashboard test data.

Fixes golang/go#51444.

Change-Id: I7b0b622502cb88d7c576c1b18a80a9636467d4ea
Reviewed-on: https://go-review.googlesource.com/c/build/+/418792
Reviewed-by: Heschi Kreinick <heschi@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Dmitri Shuralyov 2022-07-21 14:43:23 -04:00 коммит произвёл Gopher Robot
Родитель 530f97df47
Коммит dcd7d5a422
2 изменённых файлов: 14 добавлений и 3 удалений


@ -2010,13 +2010,23 @@ func disableOutboundNetwork() {
}
func disableOutboundNetworkLinux() {
const iptables = "/sbin/iptables"
iptables, err := exec.LookPath("iptables-legacy")
if err != nil {
// Some older distributions, such as Debian Stretch, don't yet have nftables,
// so "iptables" gets us the legacy version whose rules syntax is used below.
iptables, err = exec.LookPath("iptables")
if err != nil {
log.Println("disableOutboundNetworkLinux failed to find iptables:", err)
return
}
}
const vcsTestGolangOrgIPOnVM = "35.184.38.56" // vcs-test.golang.org, on previous VM
runOrLog(exec.Command(iptables, "-I", "OUTPUT", "1", "-m", "state", "--state", "NEW", "-d", vcsTestGolangOrgIPOnVM, "-p", "tcp", "-j", "ACCEPT"))
const vcsTestGolangOrgIP = "34.110.184.62" // vcs-test.golang.org, on GKE
runOrLog(exec.Command(iptables, "-I", "OUTPUT", "1", "-m", "state", "--state", "NEW", "-d", vcsTestGolangOrgIP, "-p", "tcp", "-j", "ACCEPT"))
runOrLog(exec.Command(iptables, "-I", "OUTPUT", "2", "-m", "state", "--state", "NEW", "-d", "10.0.0.0/8", "-p", "tcp", "-j", "ACCEPT"))
runOrLog(exec.Command(iptables, "-I", "OUTPUT", "3", "-m", "state", "--state", "NEW", "-p", "tcp", "--dport", "443", "-j", "REJECT", "--reject-with", "icmp-host-prohibited"))
runOrLog(exec.Command(iptables, "-I", "OUTPUT", "3", "-m", "state", "--state", "NEW", "-p", "tcp", "--dport", "80", "-j", "REJECT", "--reject-with", "icmp-host-prohibited"))
runOrLog(exec.Command(iptables, "-I", "OUTPUT", "3", "-m", "state", "--state", "NEW", "-p", "tcp", "--dport", "22", "-j", "REJECT", "--reject-with", "icmp-host-prohibited"))
}
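Review bot: The new lookup fails open: when neither `iptables-legacy` nor `iptables` is found on PATH, the branch at `log.Println("disableOutboundNetworkLinux failed to find iptables:", err)` returns and outbound access stays unrestricted, with only a log line to show it. The function returns nothing, so the caller cannot tell; at minimum a doc comment such as `// Best effort: if no iptables binary is found on PATH, outbound traffic is left unrestricted.` would make that explicit. Resolving through PATH also means the process, which presumably runs with enough privilege to change firewall rules, executes whichever binary PATH yields first, so logging the resolved path, e.g. `log.Printf("disableOutboundNetworkLinux: using %s", iptables)`, would make the choice auditable. Separately, the three REJECT rules are all inserted at position 3 after the 10.0.0.0/8 rule went in at position 2, which appears to leave the ACCEPT for `vcsTestGolangOrgIPOnVM` below the REJECTs, so the new port-80 rule also applies to that address; worth confirming that is intended.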


@ -125,7 +125,7 @@ func TestTrybots(t *testing.T) {
},
{
repo: "go",
branch: "release-branch.go1.17",
branch: "release-branch.go1.18",
want: []string{
"freebsd-amd64-12_3",
"js-wasm",
@ -163,7 +163,7 @@ func TestTrybots(t *testing.T) {
},
{
repo: "go",
branch: "release-branch.go1.16",
branch: "release-branch.go1.17",
want: []string{
"freebsd-amd64-12_3",
"js-wasm",
@ -173,6 +173,7 @@ func TestTrybots(t *testing.T) {
"linux-amd64-race",
"linux-arm-aws",
"linux-arm64-aws",
"openbsd-amd64-70",
"windows-386-2008",
"windows-386-2012",
"windows-amd64-2016",