author | Joachim F <joachifm@users.noreply.github.com> | 2016-09-03 17:27:38 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-09-03 17:27:38 +0200 |
commit | 78b4b632aed4f9830b4c93aaa03104dcde41d2e3 (patch) | |
tree | c71dd10a00358f3ad4225601148940e142d8c3ce | |
parent | 4206f460241de2f21636676e5062279ce713e200 (diff) | |
parent | 2ed6529444c6048f5a6d70399046842e0112d75b (diff) | |
Merge pull request #18085 from Mic92/ferm
ferm: add integration test
-rw-r--r-- | nixos/release.nix | 1 | ||||
-rw-r--r-- | nixos/tests/ferm.nix | 71 |
2 files changed, 72 insertions, 0 deletions
diff --git a/nixos/release.nix b/nixos/release.nix
index 4dd1311e2d0c..a5b4ab5f04cf 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -234,6 +234,7 @@ in rec {
 tests.etcd = hydraJob (import tests/etcd.nix { system = "x86_64-linux"; });
 tests.ec2-nixops = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-nixops;
 tests.ec2-config = hydraJob (import tests/ec2.nix { system = "x86_64-linux"; }).boot-ec2-config;
+ tests.ferm = callTest tests/ferm.nix {};
 tests.firefox = callTest tests/firefox.nix {};
 tests.firewall = callTest tests/firewall.nix {};
 tests.fleet = hydraJob (import tests/fleet.nix { system = "x86_64-linux"; });
diff --git a/nixos/tests/ferm.nix b/nixos/tests/ferm.nix
new file mode 100644
index 000000000000..c0271269ca05
--- /dev/null
+++ b/nixos/tests/ferm.nix
@@ -0,0 +1,71 @@
+
+import ./make-test.nix ({ pkgs, ...} : {
+ name = "ferm";
+ meta = with pkgs.stdenv.lib.maintainers; {
+ maintainers = [ mic92 ];
+ };
+
+ nodes =
+ { client =
+ { config, pkgs, ... }:
+ with pkgs.lib;
+ {
+ networking = {
+ interfaces.eth1.ip6 = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
+ interfaces.eth1.ip4 = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
+ };
+ };
+ server =
+ { config, pkgs, ... }:
+ with pkgs.lib;
+ {
+ networking = {
+ interfaces.eth1.ip6 = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
+ interfaces.eth1.ip4 = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
+ };
+
+ services = {
+ ferm.enable = true;
+ ferm.config = ''
+ domain (ip ip6) table filter chain INPUT {
+ interface lo ACCEPT;
+ proto tcp dport 8080 REJECT reject-with tcp-reset;
+ }
+ '';
+ nginx.enable = true;
+ nginx.httpConfig = ''
+ server {
+ listen 80;
+ listen [::]:80;
+ listen 8080;
+ listen [::]:8080;
+
+ location /status { stub_status on; }
+ }
+ '';
+ };
+ };
+ };
+
+ testScript =
+ ''
+ startAll;
+
+ $client->waitForUnit("network.target");
+ $server->waitForUnit("ferm.service");
+ $server->waitForUnit("nginx.service");
+
+ subtest "port 80 is allowed", sub {
+ $client->succeed("curl --fail -g http://192.168.1.1:80/status");
+ $client->succeed("curl --fail -g http://[fd00::1]:80/status");
+ };
+
+ subtest "port 8080 is not allowed", sub {
+ $server->succeed("curl --fail -g http://192.168.1.1:8080/status");
+ $server->succeed("curl --fail -g http://[fd00::1]:8080/status");
+
+ $client->fail("curl --fail -g http://192.168.1.1:8080/status");
+ $client->fail("curl --fail -g http://[fd00::1]:8080/status");
+ };
+ '';
+}) |
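Review bot: The ruleset in `ferm.config` sets no chain policy, so INPUT stays default-accept and the "port 80 is allowed" subtest would pass even if ferm had loaded no rules at all; only the 8080 case shows that the ruleset was applied. Consider making the test default-deny with `policy DROP;` plus an explicit `proto tcp dport 80 ACCEPT;`, which presumably also needs an accept for ICMPv6 neighbour discovery so the `fd00::1` checks keep working. Separately, `$client->fail("curl --fail ...")` is satisfied by any curl error, including a timeout, so it does not confirm the `reject-with tcp-reset` behaviour. Adding `--max-time` to those calls would at least keep a silent drop from stalling the run.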