diff options
Diffstat (limited to 'nixpkgs/nixos/tests/firewall.nix')
-rw-r--r-- | nixpkgs/nixos/tests/firewall.nix | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/nixpkgs/nixos/tests/firewall.nix b/nixpkgs/nixos/tests/firewall.nix new file mode 100644 index 000000000000..dd7551f143a5 --- /dev/null +++ b/nixpkgs/nixos/tests/firewall.nix @@ -0,0 +1,68 @@ +# Test the firewall module. + +import ./make-test-python.nix ( { pkgs, nftables, ... } : { + name = "firewall" + pkgs.lib.optionalString nftables "-nftables"; + meta = with pkgs.lib.maintainers; { + maintainers = [ eelco ]; + }; + + nodes = + { walled = + { ... }: + { networking.firewall.enable = true; + networking.firewall.logRefusedPackets = true; + networking.nftables.enable = nftables; + services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + }; + + # Dummy configuration to check whether firewall.service will be honored + # during system activation. This only needs to be different to the + # original walled configuration so that there is a change in the service + # file. + walled2 = + { ... }: + { networking.firewall.enable = true; + networking.firewall.rejectPackets = true; + networking.nftables.enable = nftables; + }; + + attacker = + { ... }: + { services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + networking.firewall.enable = false; + }; + }; + + testScript = { nodes, ... }: let + newSystem = nodes.walled2.config.system.build.toplevel; + unit = if nftables then "nftables" else "firewall"; + in '' + start_all() + + walled.wait_for_unit("${unit}") + walled.wait_for_unit("httpd") + attacker.wait_for_unit("network.target") + + # Local connections should still work. + walled.succeed("curl -v http://localhost/ >&2") + + # Connections to the firewalled machine should fail, but ping should succeed. + attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2") + attacker.succeed("ping -c 1 walled >&2") + + # Outgoing connections/pings should still work. + walled.succeed("curl -v http://attacker/ >&2") + walled.succeed("ping -c 1 attacker >&2") + + # If we stop the firewall, then connections should succeed. + walled.stop_job("${unit}") + attacker.succeed("curl -v http://walled/ >&2") + + # Check whether activation of a new configuration reloads the firewall. + walled.succeed( + "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF ${unit}.service" + ) + ''; +}) |