Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/all-tests.nix | 6 | ||||
-rw-r--r-- | nixos/tests/firewall.nix | 13 | ||||
-rw-r--r-- | nixos/tests/nat.nix | 12 |
3 files changed, 21 insertions, 10 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 30bcfcf6111a3..446de6898ce00 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -211,7 +211,8 @@ in {
 firefox-esr = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr; }; # used in `tested` job
 firefox-esr-102 = handleTest ./firefox.nix { firefoxPackage = pkgs.firefox-esr-102; };
 firejail = handleTest ./firejail.nix {};
- firewall = handleTest ./firewall.nix {};
+ firewall = handleTest ./firewall.nix { nftables = false; };
+ firewall-nftables = handleTest ./firewall.nix { nftables = true; };
 fish = handleTest ./fish.nix {};
 flannel = handleTestOn ["x86_64-linux"] ./flannel.nix {};
 fluentd = handleTest ./fluentd.nix {};
@@ -412,6 +413,9 @@ in {
 nat.firewall = handleTest ./nat.nix { withFirewall = true; };
 nat.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; };
 nat.standalone = handleTest ./nat.nix { withFirewall = false; };
+ nat.nftables.firewall = handleTest ./nat.nix { withFirewall = true; nftables = true; };
+ nat.nftables.firewall-conntrack = handleTest ./nat.nix { withFirewall = true; withConntrackHelpers = true; nftables = true; };
+ nat.nftables.standalone = handleTest ./nat.nix { withFirewall = false; nftables = true; };
 nats = handleTest ./nats.nix {};
 navidrome = handleTest ./navidrome.nix {};
 nbd = handleTest ./nbd.nix {};
diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix
index 5c434c1cb6d68..dd7551f143a5e 100644
--- a/nixos/tests/firewall.nix
+++ b/nixos/tests/firewall.nix
@@ -1,7 +1,7 @@
 # Test the firewall module.
 
-import ./make-test-python.nix ( { pkgs, ... } : {
- name = "firewall";
+import ./make-test-python.nix ( { pkgs, nftables, ... } : {
+ name = "firewall" + pkgs.lib.optionalString nftables "-nftables";
 meta = with pkgs.lib.maintainers; {
 maintainers = [ eelco ];
 };
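Review bot: In the firewall.nix header hunk `nftables` is declared as a required argument (`{ pkgs, nftables, ... }`), whereas nat.nix in the same commit gives it a default (`nftables ? false`); any other caller that still evaluates `./firewall.nix {}` will now fail at evaluation time with a missing-argument error instead of getting the iptables behaviour it had before. Suggest `import ./make-test-python.nix ( { pkgs, nftables ? false, ... } : {` so the two test files agree and the old call form keeps working. The all-tests.nix registrations in this commit pass the argument explicitly, so they are unaffected either way.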
@@ -11,6 +11,7 @@ import ./make-test-python.nix ( { pkgs, ... } : { { ... }: { networking.firewall.enable = true; networking.firewall.logRefusedPackets = true; + networking.nftables.enable = nftables; services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; }; @@ -23,6 +24,7 @@ import ./make-test-python.nix ( { pkgs, ... } : { { ... }: { networking.firewall.enable = true; networking.firewall.rejectPackets = true; + networking.nftables.enable = nftables; }; attacker = @@ -35,10 +37,11 @@ import ./make-test-python.nix ( { pkgs, ... } : { testScript = { nodes, ... }: let newSystem = nodes.walled2.config.system.build.toplevel; + unit = if nftables then "nftables" else "firewall"; in '' start_all() - walled.wait_for_unit("firewall") + walled.wait_for_unit("${unit}") walled.wait_for_unit("httpd") attacker.wait_for_unit("network.target") @@ -54,12 +57,12 @@ import ./make-test-python.nix ( { pkgs, ... } : { walled.succeed("ping -c 1 attacker >&2") # If we stop the firewall, then connections should succeed. - walled.stop_job("firewall") + walled.stop_job("${unit}") attacker.succeed("curl -v http://walled/ >&2") # Check whether activation of a new configuration reloads the firewall. walled.succeed( - "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF firewall.service" + "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF ${unit}.service" ) ''; }) diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix index 545eb46f2bf59..912a04deae8b3 100644 --- a/nixos/tests/nat.nix +++ b/nixos/tests/nat.nix 
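Review bot: The "stop the firewall, then connections should succeed" step now calls `walled.stop_job("${unit}")`, and for the nftables variant that unit is nftables.service; the assertion only holds if stopping that unit actually removes the installed ruleset, which I believe the NixOS nftables unit does on stop, but the test leaves that dependency implicit. Suggest a comment above the call: `# For nftables this relies on the unit's stop action flushing the ruleset; if rules persisted past stop, the curl below would still be blocked.` The `unit = if nftables then "nftables" else "firewall";` binding would also benefit from a one-line comment saying that with networking.nftables.enable the firewall rules are installed by nftables.service rather than firewall.service, which is why both the wait_for_unit and the switch-to-configuration grep are switched on it. These hunks are complete within the collapsed line, but the enclosing testScript string continues outside them.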
@@ -3,14 +3,16 @@ # client on the inside network, a server on the outside network, and a # router connected to both that performs Network Address Translation # for the client. -import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }: +import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, nftables ? false, ... }: let - unit = if withFirewall then "firewall" else "nat"; + unit = if nftables then "nftables" else (if withFirewall then "firewall" else "nat"); routerBase = lib.mkMerge [ { virtualisation.vlans = [ 2 1 ]; networking.firewall.enable = withFirewall; + networking.firewall.filterForward = nftables; + networking.nftables.enable = nftables; networking.nat.internalIPs = [ "192.168.1.0/24" ]; networking.nat.externalInterface = "eth1"; } @@ -21,7 +23,8 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? ]; in { - name = "nat" + (if withFirewall then "WithFirewall" else "Standalone") + name = "nat" + (lib.optionalString nftables "Nftables") + + (if withFirewall then "WithFirewall" else "Standalone") + (lib.optionalString withConntrackHelpers "withConntrackHelpers"); meta = with pkgs.lib.maintainers; { maintainers = [ eelco rob ]; @@ -34,6 +37,7 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? { virtualisation.vlans = [ 1 ]; networking.defaultGateway = (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ipv4.addresses).address; + networking.nftables.enable = nftables; } (lib.optionalAttrs withConntrackHelpers { networking.firewall.connectionTrackingModules = [ "ftp" ]; 
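Review bot: `networking.firewall.filterForward = nftables;` on the router is the security-relevant addition in this hunk and carries no explanation; as I understand it this option only has an effect with the nftables-based firewall and turns the forward chain from an unfiltered one into a filtered one, which is what the new `nat.nftables.*` variants are presumably meant to exercise. Suggest `# filterForward only applies to the nftables firewall; enable it so the NAT tests run against a filtered forward chain rather than an open one.` The nested conditional `unit = if nftables then "nftables" else (if withFirewall then "firewall" else "nat");` reads more naturally as a Nix else-if chain: `unit = if nftables then "nftables" else if withFirewall then "firewall" else "nat";`. Note too that `withFirewall = false; nftables = true` now selects unit = "nftables" while networking.firewall.enable stays false, so the standalone nftables variant presumably depends on the NAT rules being installed by nftables.service alone — worth one line of comment on `unit` for the next reader.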
@@ -111,7 +115,7 @@ import ./make-test-python.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? # FIXME: this should not be necessary, but nat.service is not started because # network.target is not triggered # (https://github.com/NixOS/nixpkgs/issues/16230#issuecomment-226408359) - ${lib.optionalString (!withFirewall) '' + ${lib.optionalString (!withFirewall && !nftables) '' router.succeed("systemctl start nat.service") ''} client.succeed("curl --fail http://server/ >&2") |