1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-26 15:41:40 +00:00
nixpkgs/nixos/tests/ferm.nix
Martin Weinelt 1fb3818440 nixos/tests/ferm: wait for DAD timeout before testing
The test has recently been failing due to the IPv6 address
on the server still being in the tentative state, when the
client sends its first request. The server will not start
using the IPv6 address until DAD has completed.

Scripted networking seems not to wait for DAD completion
before completing network-online.target, so let's switch
to networkd instead, which does.
2019-09-29 15:25:11 +02:00

76 lines
2.3 KiB
Nix

import ./make-test.nix ({ pkgs, ...} : {
name = "ferm";
meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ mic92 ];
};
nodes =
{ client =
{ pkgs, ... }:
with pkgs.lib;
{
networking = {
dhcpcd.enable = false;
interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
};
};
server =
{ pkgs, ... }:
with pkgs.lib;
{
networking = {
dhcpcd.enable = false;
useNetworkd = true;
interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
};
services = {
ferm.enable = true;
ferm.config = ''
domain (ip ip6) table filter chain INPUT {
interface lo ACCEPT;
proto tcp dport 8080 REJECT reject-with tcp-reset;
}
'';
nginx.enable = true;
nginx.httpConfig = ''
server {
listen 80;
listen [::]:80;
listen 8080;
listen [::]:8080;
location /status { stub_status on; }
}
'';
};
};
};
testScript =
''
startAll;
$client->waitForUnit("network-online.target");
$server->waitForUnit("ferm.service");
$server->waitForUnit("nginx.service");
$server->waitUntilSucceeds("ss -ntl | grep -q 80");
subtest "port 80 is allowed", sub {
$client->succeed("curl --fail -g http://192.168.1.1:80/status");
$client->succeed("curl --fail -g http://[fd00::1]:80/status");
};
subtest "port 8080 is not allowed", sub {
$server->succeed("curl --fail -g http://192.168.1.1:8080/status");
$server->succeed("curl --fail -g http://[fd00::1]:8080/status");
$client->fail("curl --fail -g http://192.168.1.1:8080/status");
$client->fail("curl --fail -g http://[fd00::1]:8080/status");
};
'';
})