3fd324f823
Eelco has made several early contributions to NixOS including writing the samba module among other things, but is more or less inactive these days. By my brief inspection, he has not committed to the nixos/ tree since releasing Nix 2.13 in early 2023 and merging a PR to networking tests slightly before that. A lot of these tests/modules are actually unmaintained in practice, so we should update the code to reflect the practical reality so someone can consider picking them up.
69 lines
2.2 KiB
Nix
69 lines
2.2 KiB
Nix
# Test the firewall module.
|
|
|
|
import ./make-test-python.nix ( { pkgs, nftables, ... } : {
|
|
name = "firewall" + pkgs.lib.optionalString nftables "-nftables";
|
|
meta = with pkgs.lib.maintainers; {
|
|
maintainers = [ ];
|
|
};
|
|
|
|
nodes =
|
|
{ walled =
|
|
{ ... }:
|
|
{ networking.firewall.enable = true;
|
|
networking.firewall.logRefusedPackets = true;
|
|
networking.nftables.enable = nftables;
|
|
services.httpd.enable = true;
|
|
services.httpd.adminAddr = "foo@example.org";
|
|
};
|
|
|
|
# Dummy configuration to check whether firewall.service will be honored
|
|
# during system activation. This only needs to be different to the
|
|
# original walled configuration so that there is a change in the service
|
|
# file.
|
|
walled2 =
|
|
{ ... }:
|
|
{ networking.firewall.enable = true;
|
|
networking.firewall.rejectPackets = true;
|
|
networking.nftables.enable = nftables;
|
|
};
|
|
|
|
attacker =
|
|
{ ... }:
|
|
{ services.httpd.enable = true;
|
|
services.httpd.adminAddr = "foo@example.org";
|
|
networking.firewall.enable = false;
|
|
};
|
|
};
|
|
|
|
testScript = { nodes, ... }: let
|
|
newSystem = nodes.walled2.config.system.build.toplevel;
|
|
unit = if nftables then "nftables" else "firewall";
|
|
in ''
|
|
start_all()
|
|
|
|
walled.wait_for_unit("${unit}")
|
|
walled.wait_for_unit("httpd")
|
|
attacker.wait_for_unit("network.target")
|
|
|
|
# Local connections should still work.
|
|
walled.succeed("curl -v http://localhost/ >&2")
|
|
|
|
# Connections to the firewalled machine should fail, but ping should succeed.
|
|
attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
|
|
attacker.succeed("ping -c 1 walled >&2")
|
|
|
|
# Outgoing connections/pings should still work.
|
|
walled.succeed("curl -v http://attacker/ >&2")
|
|
walled.succeed("ping -c 1 attacker >&2")
|
|
|
|
# If we stop the firewall, then connections should succeed.
|
|
walled.stop_job("${unit}")
|
|
attacker.succeed("curl -v http://walled/ >&2")
|
|
|
|
# Check whether activation of a new configuration reloads the firewall.
|
|
walled.succeed(
|
|
"${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF ${unit}.service"
|
|
)
|
|
'';
|
|
})
|