blob: be43877445ebf1a52a0ca152d447647ba1de7d4a (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
import ./make-test-python.nix ({ pkgs, ...} : {
name = "ferm";
meta = with pkgs.lib.maintainers; {
maintainers = [ mic92 ];
};
nodes =
{ client =
{ pkgs, ... }:
with pkgs.lib;
{
networking = {
dhcpcd.enable = false;
interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
};
};
server =
{ pkgs, ... }:
with pkgs.lib;
{
networking = {
dhcpcd.enable = false;
useNetworkd = true;
useDHCP = false;
interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
};
services = {
ferm.enable = true;
ferm.config = ''
domain (ip ip6) table filter chain INPUT {
interface lo ACCEPT;
proto tcp dport 8080 REJECT reject-with tcp-reset;
}
'';
nginx.enable = true;
nginx.httpConfig = ''
server {
listen 80;
listen [::]:80;
listen 8080;
listen [::]:8080;
location /status { stub_status on; }
}
'';
};
};
};
testScript =
''
start_all()
client.wait_for_unit("network-online.target")
server.wait_for_unit("network-online.target")
server.wait_for_unit("ferm.service")
server.wait_for_unit("nginx.service")
server.wait_until_succeeds("ss -ntl | grep -q 80")
with subtest("port 80 is allowed"):
client.succeed("curl --fail -g http://192.168.1.1:80/status")
client.succeed("curl --fail -g http://[fd00::1]:80/status")
with subtest("port 8080 is not allowed"):
server.succeed("curl --fail -g http://192.168.1.1:8080/status")
server.succeed("curl --fail -g http://[fd00::1]:8080/status")
client.fail("curl --fail -g http://192.168.1.1:8080/status")
client.fail("curl --fail -g http://[fd00::1]:8080/status")
'';
})
|