diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix
index 3a458f5e860b..debdccf7e549 100644
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@@ -61,7 +61,8 @@ in rec {
 (all nixos.tests.kde4)
 (all nixos.tests.login)
 (all nixos.tests.misc)
- (all nixos.tests.nat)
+ (all nixos.tests.nat.firewall)
+ (all nixos.tests.nat.standalone)
 (all nixos.tests.nfs3)
 (all nixos.tests.openssh)
 (all nixos.tests.printing)
diff --git a/nixos/release.nix b/nixos/release.nix
index b3039afb18c1..14e8549de5e4 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -244,7 +244,8 @@ in rec {
 tests.munin = callTest tests/munin.nix {};
 tests.mysql = callTest tests/mysql.nix {};
 tests.mysqlReplication = callTest tests/mysql-replication.nix {};
- tests.nat = callTest tests/nat.nix {};
+ tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
+ tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; };
 tests.nfs3 = callTest tests/nfs.nix { version = 3; };
 tests.nsd = callTest tests/nsd.nix {};
 tests.openssh = callTest tests/openssh.nix {};
diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix
index 36d34c01377d..c4d2614f7852 100644
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
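Review bot: `tests.nat` changes shape in release.nix from a single test derivation to an attribute set holding `firewall` and `standalone`, so anything that still references `nixos.tests.nat` as a job (release-combined.nix is updated here, but a Hydra jobset or another aggregate could reference it too) would now receive a set rather than a derivation; worth confirming no other reference remains. Since the same file is instantiated twice with only a boolean differing, a one-line comment above the two definitions would spare the next reader a trip into nat.nix, e.g. `# nat.nix is run twice: with the NixOS firewall enabled on the router, and standalone without it.`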
@@ -3,78 +3,81 @@ # client on the inside network, a server on the outside network, and a
 # router connected to both that performs Network Address Translation
 # for the client.
+import ./make-test.nix ({ withFirewall, ... }:
+ let
+ unit = if withFirewall then "firewall" else "nat";
+ in
+ {
+ name = "nat${if withFirewall then "WithFirewall" else "Standalone"}";
-import ./make-test.nix {
- name = "nat";
+ nodes =
+ { client =
+ { config, pkgs, nodes, ... }:
+ { virtualisation.vlans = [ 1 ];
+ networking.firewall.allowPing = true;
+ networking.defaultGateway =
+ (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
+ };
- nodes =
- { client =
- { config, pkgs, nodes, ... }:
- { virtualisation.vlans = [ 1 ];
- networking.firewall.allowPing = true;
- networking.defaultGateway =
- (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
- };
+ router =
+ { config, pkgs, ... }:
+ { virtualisation.vlans = [ 2 1 ];
+ networking.firewall.enable = withFirewall;
+ networking.firewall.allowPing = true;
+ networking.nat.enable = true;
+ networking.nat.internalIPs = [ "192.168.1.0/24" ];
+ networking.nat.externalInterface = "eth1";
+ };
- router =
- { config, pkgs, ... }:
- { virtualisation.vlans = [ 2 1 ];
- networking.firewall.allowPing = true;
- networking.nat.enable = true;
- networking.nat.internalIPs = [ "192.168.1.0/24" ];
- networking.nat.externalInterface = "eth1";
- };
+ server =
+ { config, pkgs, ... }:
+ { virtualisation.vlans = [ 2 ];
+ networking.firewall.enable = false;
+ services.httpd.enable = true;
+ services.httpd.adminAddr = "foo@example.org";
+ services.vsftpd.enable = true;
+ services.vsftpd.anonymousUser = true;
+ };
+ };
- server =
- { config, pkgs, ... }:
- { virtualisation.vlans = [ 2 ];
- networking.firewall.enable = false;
- services.httpd.enable = true;
- services.httpd.adminAddr = "foo@example.org";
- services.vsftpd.enable = true;
- services.vsftpd.anonymousUser = true;
- };
- };
+ testScript =
+ { nodes, ... }:
+ ''
+ startAll;
- testScript =
- { nodes, ... }:
- ''
- startAll;
+ # The router should have access to the server.
+ $server->waitForUnit("network.target");
+ $server->waitForUnit("httpd");
+ $router->waitForUnit("network.target");
+ $router->succeed("curl --fail http://server/ >&2");
- # The router should have access to the server.
- $server->waitForUnit("network.target");
- $server->waitForUnit("httpd");
- $router->waitForUnit("network.target");
- $router->succeed("curl --fail http://server/ >&2");
+ # The client should be also able to connect via the NAT router.
+ $router->waitForUnit("${unit}");
+ $client->waitForUnit("network.target");
+ $client->succeed("curl --fail http://server/ >&2");
+ $client->succeed("ping -c 1 server >&2");
- # The client should be also able to connect via the NAT router.
- $router->waitForUnit("firewall"); # Nat leverages the firewall service
- $client->waitForUnit("network.target");
- $client->succeed("curl --fail http://server/ >&2");
- $client->succeed("ping -c 1 server >&2");
+ # Test whether passive FTP works.
+ $server->waitForUnit("vsftpd");
+ $server->succeed("echo Hello World > /home/ftp/foo.txt");
+ $client->succeed("curl -v ftp://server/foo.txt >&2");
- # Test whether passive FTP works.
- $server->waitForUnit("vsftpd");
- $server->succeed("echo Hello World > /home/ftp/foo.txt");
- $client->succeed("curl -v ftp://server/foo.txt >&2");
+ # Test whether active FTP works.
+ $client->succeed("curl -v -P - ftp://server/foo.txt >&2");
- # Test whether active FTP works.
- $client->succeed("curl -v -P - ftp://server/foo.txt >&2");
+ # Test ICMP.
+ $client->succeed("ping -c 1 router >&2");
+ $router->succeed("ping -c 1 client >&2");
- # Test ICMP.
- $client->succeed("ping -c 1 router >&2");
- $router->succeed("ping -c 1 client >&2");
+ # If we turn off NAT, the client shouldn't be able to reach the server.
+ $router->succeed("iptables -t nat -D PREROUTING -j nixos-nat-pre");
+ $router->succeed("iptables -t nat -D POSTROUTING -j nixos-nat-post");
+ $client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
+ $client->fail("ping -c 1 server >&2");
- # If we turn off NAT, the client shouldn't be able to reach the server.
- $router->succeed("iptables -t nat -D PREROUTING -j nixos-nat-pre");
- $router->succeed("iptables -t nat -D POSTROUTING -j nixos-nat-post");
- $client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
- $client->fail("ping -c 1 server >&2");
-
- # And make sure that restarting the NAT job works.
- $router->succeed("systemctl reload firewall"); # Nat leverages the firewall service
- $client->succeed("curl --fail http://server/ >&2");
- $client->succeed("ping -c 1 server >&2");
- '';
-
-}
+ # And make sure that reloading the NAT job works.
+ $router->succeed("systemctl restart ${unit}");
+ $client->succeed("curl --fail http://server/ >&2");
+ $client->succeed("ping -c 1 server >&2");
+ '';
+ })
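Review bot: The comment added before the last step says `reloading` while the command under it is `systemctl restart ${unit}` (the removed version had the opposite mismatch, `restarting` above `systemctl reload firewall`); make them agree, e.g. `# And make sure that restarting the NAT unit works.` The choice of `unit` in the new `let` carries the only explanation of why `firewall` is the unit to wait on and restart, and that explanation lives in the comment this hunk deletes, so a line there would help: `# With the firewall enabled the NAT rules are installed by the firewall unit; standalone NAT has its own "nat" unit.` Note also that in the standalone variant the router runs with `networking.firewall.enable = false`, so the "turn off NAT" assertions only show the client loses reachability once the nixos-nat-pre/nixos-nat-post jumps are deleted — presumably because replies to the private 192.168.1.0/24 source cannot be routed back, not because forwarding is filtered — and the comment should say so to keep it from being read as a filtering check. The whole make-test.nix call lies within the hunk.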