Skip to content

ci: enable Docker NAT for six-peer regression test #2206

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sanity merged 1 commit into from
Dec 2, 2025
Merged

ci: enable Docker NAT for six-peer regression test #2206

sanity merged 1 commit into from
Dec 2, 2025

Conversation

@sanity
Copy link
Collaborator

@sanity sanity commented Dec 2, 2025

Problem

The six-peer regression test was running without Docker NAT simulation, meaning all peers ran as local processes on localhost. This doesn't match production deployment topology where:

  • Gateways are on the public internet (no NAT)
  • Peers are behind residential NAT routers

This limited test coverage missed bugs like #2202 where NAT peers failed to connect to gateways.

Investigation

I verified empirically that the Docker NAT simulation correctly preserves source IPs:

  • Set up Docker networks with a gateway, NAT router, and peer
  • Confirmed that when the gateway sends responses, the peer sees the gateway's actual IP as the source
  • Standard NAT behavior (MASQUERADE) only rewrites source IP on outbound packets, not on return traffic

This means Docker NAT tests DO exercise the code path where is_known_gateway would be true for gateway responses.

Solution

Enable FREENET_TEST_DOCKER_NAT=1 for the six-peer regression test in CI. This:

  • Runs each peer behind a simulated NAT router in Docker
  • Runs gateways on the "public" network (no NAT)
  • Provides more realistic test coverage for NAT traversal and gateway connection code paths

Notes

The original bug (#2202) had a timing component where responses arrived before ongoing_connections.insert() completed. While Docker NAT doesn't guarantee timing-based bugs will be caught, it does ensure the correct code path is exercised, improving overall test fidelity.

Fixes #2204

[AI-assisted - Claude]
@sanity sanity force-pushed the fix/direct-gateway-test branch 3 times, most recently from 298a8e3 to acb2596 Compare December 2, 2025 20:48
@sanity @claude
ci: enable Docker NAT for six-peer regression test when available
7f23abf 
Enable Docker NAT simulation in the six-peer regression test to provide more realistic test coverage for NAT traversal and gateway connections. This ensures that peers run behind simulated NAT routers while gateways are on the public network, matching production deployment topology. The test now checks if Docker is available before enabling Docker NAT mode, falling back to local mode if Docker is not accessible on the runner. Fixes #2204 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
@sanity sanity force-pushed the fix/direct-gateway-test branch from acb2596 to 7f23abf Compare December 2, 2025 21:12
@sanity sanity merged commit 6cd9a14 into main Dec 2, 2025
8 checks passed
@sanity sanity deleted the fix/direct-gateway-test branch December 2, 2025 21:33
@sanity sanity mentioned this pull request Dec 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

2 participants

@sanity