author | Rvfg <i@rvf6.com> | 2022-12-23 00:23:23 +0800 |
committer | Rvfg <i@rvf6.com> | 2022-12-23 00:49:24 +0800 |
commit | a43c7b2a70da8e7ed82749daf4c13543876b44cf (patch) | |
tree | 240be2cb7082324242a24079b6467d00837abf8b /nixos/tests/firewall.nix | |
parent | 2379de680d8c7d652cfc9a94b7e42691846c70a4 (diff) |
nixos/{firewall, nat}: add a nftables based implementation
Diffstat (limited to 'nixos/tests/firewall.nix')
-rw-r--r-- | nixos/tests/firewall.nix | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix
index 5c434c1cb6d68..dd7551f143a5e 100644
--- a/nixos/tests/firewall.nix
+++ b/nixos/tests/firewall.nix
@@ -1,7 +1,7 @@
 # Test the firewall module.
 
-import ./make-test-python.nix ( { pkgs, ... } : {
- name = "firewall";
+import ./make-test-python.nix ( { pkgs, nftables, ... } : {
+ name = "firewall" + pkgs.lib.optionalString nftables "-nftables";
 meta = with pkgs.lib.maintainers; {
 maintainers = [ eelco ];
 };
@@ -11,6 +11,7 @@ import ./make-test-python.nix ( { pkgs, ... } : {
 { ... }:
 { networking.firewall.enable = true;
 networking.firewall.logRefusedPackets = true;
+ networking.nftables.enable = nftables;
 services.httpd.enable = true;
 services.httpd.adminAddr = "foo@example.org";
 };
@@ -23,6 +24,7 @@ import ./make-test-python.nix ( { pkgs, ... } : {
 { ... }:
 { networking.firewall.enable = true;
 networking.firewall.rejectPackets = true;
+ networking.nftables.enable = nftables;
 };
 
 attacker =
@@ -35,10 +37,11 @@ import ./make-test-python.nix ( { pkgs, ... } : {
 
 testScript = { nodes, ... }: let
 newSystem = nodes.walled2.config.system.build.toplevel;
+ unit = if nftables then "nftables" else "firewall";
 in ''
 start_all()
 
- walled.wait_for_unit("firewall")
+ walled.wait_for_unit("${unit}")
 walled.wait_for_unit("httpd")
 attacker.wait_for_unit("network.target")
 
@@ -54,12 +57,12 @@ import ./make-test-python.nix ( { pkgs, ... } : {
 walled.succeed("ping -c 1 attacker >&2")
 
 # If we stop the firewall, then connections should succeed.
- walled.stop_job("firewall")
+ walled.stop_job("${unit}")
 attacker.succeed("curl -v http://walled/ >&2")
 
 # Check whether activation of a new configuration reloads the firewall.
 walled.succeed(
- "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF firewall.service"
+ "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF ${unit}.service"
 )
 '';
 }) |
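Review bot: The new `nftables` argument in the first hunk's pattern `{ pkgs, nftables, ... }` has no default, so every existing call site of this test must now pass it or the evaluation fails; writing `{ pkgs, nftables ? false, ... }` keeps the iptables variant as the baseline and makes the parameter self-describing. The same flag drives the `networking.nftables.enable = nftables;` lines in the second and third hunks and the `unit = if nftables then "nftables" else "firewall";` binding in the fourth, so a one-line comment on that binding, e.g. `# Rules live in a different systemd unit per backend; wait/stop/reload checks key off it.`, would tell the next reader why the unit name is parameterised. The stop_job-then-curl step in the last hunk now additionally assumes that stopping the nftables unit actually removes the ruleset, which is not visible in this diff; if that holds it deserves to be stated next to `walled.stop_job("${unit}")`, e.g. `# Stopping the unit must drop the ruleset, or the curl below cannot succeed.`. The surrounding comments still say "firewall" for both backends, which is acceptable but could read `# If we stop the ${unit} unit, then connections should succeed.` since they sit inside the interpolated string.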