3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/nixos/tests/ferm.nix
Linus Heckemann a3a441cd87 nixos/tests/{ferm,networking}: fix eval with networkd
The networking.virtual test does not work with networkd yet, for
multiple reasons:

- network-online.target is not reached, because tun0 and tap0 are
  considered as required for online but _not_ brought up or assigned
  the configured addresses
- the commands later in the test rely on some units from the scripted
  network setup

cc @fpletz networkd exper
cc @globin we looked at this together
2019-10-08 17:14:26 +02:00

77 lines
2.3 KiB
Nix

import ./make-test.nix ({ pkgs, ...} : {
name = "ferm";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ mic92 ];
};
nodes =
{ client =
{ pkgs, ... }:
with pkgs.lib;
{
networking = {
dhcpcd.enable = false;
interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
};
};
server =
{ pkgs, ... }:
with pkgs.lib;
{
networking = {
dhcpcd.enable = false;
useNetworkd = true;
useDHCP = false;
interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
};
services = {
ferm.enable = true;
ferm.config = ''
domain (ip ip6) table filter chain INPUT {
interface lo ACCEPT;
proto tcp dport 8080 REJECT reject-with tcp-reset;
}
'';
nginx.enable = true;
nginx.httpConfig = ''
server {
listen 80;
listen [::]:80;
listen 8080;
listen [::]:8080;
location /status { stub_status on; }
}
'';
};
};
};
testScript =
''
startAll;
$client->waitForUnit("network-online.target");
$server->waitForUnit("ferm.service");
$server->waitForUnit("nginx.service");
$server->waitUntilSucceeds("ss -ntl | grep -q 80");
subtest "port 80 is allowed", sub {
$client->succeed("curl --fail -g http://192.168.1.1:80/status");
$client->succeed("curl --fail -g http://[fd00::1]:80/status");
};
subtest "port 8080 is not allowed", sub {
$server->succeed("curl --fail -g http://192.168.1.1:8080/status");
$server->succeed("curl --fail -g http://[fd00::1]:8080/status");
$client->fail("curl --fail -g http://192.168.1.1:8080/status");
$client->fail("curl --fail -g http://[fd00::1]:8080/status");
};
'';
})