diff options
author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2023-01-14 00:02:26 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-14 00:02:26 +0000 |
commit | 4712ed9439386730e93043de43bfc1d4b6f2f297 (patch) | |
tree | 382dc21b6250da85fcdceaf610afff45c8e8932e /nixos | |
parent | 49722fd14a26ca6a751932949491a87afe592d0d (diff) | |
parent | 4e7b6a7ddbe276281cd3882dd42b701f51b48c6b (diff) |
Merge master into staging-next
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/virtualisation/qemu-vm.nix | 17 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/qemu-vm-restrictnetwork.nix | 36 |
3 files changed, 53 insertions, 1 deletions
diff --git a/nixos/modules/virtualisation/qemu-vm.nix b/nixos/modules/virtualisation/qemu-vm.nix index 1b3c0e23f97db..4520408ca3379 100644 --- a/nixos/modules/virtualisation/qemu-vm.nix +++ b/nixos/modules/virtualisation/qemu-vm.nix @@ -528,6 +528,20 @@ in ''; }; + virtualisation.restrictNetwork = + mkOption { + type = types.bool; + default = false; + example = true; + description = + lib.mdDoc '' + If this option is enabled, the guest will be isolated, i.e. it will + not be able to contact the host and no guest IP packets will be + routed over the host to the outside. This option does not affect + any explicitly set forwarding rules. + ''; + }; + virtualisation.vlans = mkOption { type = types.listOf types.ints.unsigned; @@ -936,10 +950,11 @@ in else "'guestfwd=${proto}:${guest.address}:${toString guest.port}-" + "cmd:${pkgs.netcat}/bin/nc ${host.address} ${toString host.port}'," ); + restrictNetworkOption = lib.optionalString cfg.restrictNetwork "restrict=on,"; in [ "-net nic,netdev=user.0,model=virtio" - "-netdev user,id=user.0,${forwardingOptions}\"$QEMU_NET_OPTS\"" + "-netdev user,id=user.0,${forwardingOptions}${restrictNetworkOption}\"$QEMU_NET_OPTS\"" ]; # FIXME: Consolidate this one day. diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 4c3980bcc1bb9..acc42acf37a6a 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -559,6 +559,7 @@ in { public-inbox = handleTest ./public-inbox.nix {}; pulseaudio = discoverTests (import ./pulseaudio.nix); qboot = handleTestOn ["x86_64-linux" "i686-linux"] ./qboot.nix {}; + qemu-vm-restrictnetwork = handleTest ./qemu-vm-restrictnetwork.nix {}; quorum = handleTest ./quorum.nix {}; quake3 = handleTest ./quake3.nix {}; rabbitmq = handleTest ./rabbitmq.nix {}; diff --git a/nixos/tests/qemu-vm-restrictnetwork.nix b/nixos/tests/qemu-vm-restrictnetwork.nix new file mode 100644 index 0000000000000..49a105ef10767 --- /dev/null +++ b/nixos/tests/qemu-vm-restrictnetwork.nix @@ -0,0 +1,36 @@ +import ./make-test-python.nix ({ + name = "qemu-vm-restrictnetwork"; + + nodes = { + unrestricted = { config, pkgs, ... }: { + virtualisation.restrictNetwork = false; + }; + + restricted = { config, pkgs, ... }: { + virtualisation.restrictNetwork = true; + }; + }; + + testScript = '' + import os + + if os.fork() == 0: + # Start some HTTP server on the qemu host to test guest isolation. + from http.server import HTTPServer, BaseHTTPRequestHandler + HTTPServer(("", 8000), BaseHTTPRequestHandler).serve_forever() + + else: + start_all() + unrestricted.wait_for_unit("network-online.target") + restricted.wait_for_unit("network-online.target") + + # Guests should be able to reach each other on the same VLAN. + unrestricted.succeed("ping -c1 restricted") + restricted.succeed("ping -c1 unrestricted") + + # Only the unrestricted guest should be able to reach host services. + # 10.0.2.2 is the gateway mapping to the host's loopback interface. + unrestricted.succeed("curl -s http://10.0.2.2:8000") + restricted.fail("curl -s http://10.0.2.2:8000") + ''; +}) |