suzanne.soy/nixpkgs
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

nixos/firewall: port test to python

Browse Source
This commit is contained in:
Jan Hrnko 2019-11-09 19:35:48 +01:00 committed by Florian Klink
parent 05163ec981
commit 541e2ca6d3
1 changed files with 15 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
nixos/tests/firewall.nix
View File

@ -1,6 +1,6 @@
# Test the firewall module. # Test the firewall module.
import ./make-test.nix ( { pkgs, ... } : { import ./make-test-python.nix ( { pkgs, ... } : {
name = "firewall"; name = "firewall";
meta = with pkgs.stdenv.lib.maintainers; { meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ eelco ]; maintainers = [ eelco ];
@ -36,30 +36,30 @@ import ./make-test.nix ( { pkgs, ... } : {
testScript = { nodes, ... }: let testScript = { nodes, ... }: let
newSystem = nodes.walled2.config.system.build.toplevel; newSystem = nodes.walled2.config.system.build.toplevel;
in '' in ''
$walled->start; start_all()
$attacker->start;
$walled->waitForUnit("firewall"); walled.wait_for_unit("firewall")
$walled->waitForUnit("httpd"); walled.wait_for_unit("httpd")
$attacker->waitForUnit("network.target"); attacker.wait_for_unit("network.target")
# Local connections should still work. # Local connections should still work.
$walled->succeed("curl -v http://localhost/ >&2"); walled.succeed("curl -v http://localhost/ >&2")
# Connections to the firewalled machine should fail, but ping should succeed. # Connections to the firewalled machine should fail, but ping should succeed.
$attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2"); attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
$attacker->succeed("ping -c 1 walled >&2"); attacker.succeed("ping -c 1 walled >&2")
# Outgoing connections/pings should still work. # Outgoing connections/pings should still work.
$walled->succeed("curl -v http://attacker/ >&2"); walled.succeed("curl -v http://attacker/ >&2")
$walled->succeed("ping -c 1 attacker >&2"); walled.succeed("ping -c 1 attacker >&2")
# If we stop the firewall, then connections should succeed. # If we stop the firewall, then connections should succeed.
$walled->stopJob("firewall"); walled.stop_job("firewall")
$attacker->succeed("curl -v http://walled/ >&2"); attacker.succeed("curl -v http://walled/ >&2")
# Check whether activation of a new configuration reloads the firewall. # Check whether activation of a new configuration reloads the firewall.
$walled->succeed("${newSystem}/bin/switch-to-configuration test 2>&1" . walled.succeed(
" | grep -qF firewall.service"); "${newSystem}/bin/switch-to-configuration test 2>&1 | grep -qF firewall.service"
)
''; '';
}) })