| blob | 139bc311774023d5273a58957b0937c2f8d5276e |
1 # Test the firewall module.
3 import ./make-test-python.nix ( { pkgs, nftables, ... } : {
4 name = "firewall" + pkgs.lib.optionalString nftables "-nftables";
5 meta = with pkgs.lib.maintainers; {
6 maintainers = [ ];
7 };
9 nodes =
10 { walled =
11 { ... }:
12 { networking.firewall.enable = true;
13 networking.firewall.logRefusedPackets = true;
14 networking.nftables.enable = nftables;
15 services.httpd.enable = true;
16 services.httpd.adminAddr = "foo@example.org";
18 specialisation.different-config.configuration = {
19 networking.firewall.rejectPackets = true;
20 };
21 };
23 attacker =
24 { ... }:
25 { services.httpd.enable = true;
26 services.httpd.adminAddr = "foo@example.org";
27 networking.firewall.enable = false;
28 };
29 };
31 testScript = { nodes, ... }: let
32 unit = if nftables then "nftables" else "firewall";
33 in ''
34 start_all()
36 walled.wait_for_unit("${unit}")
37 walled.wait_for_unit("httpd")
38 attacker.wait_for_unit("network.target")
40 # Local connections should still work.
41 walled.succeed("curl -v http://localhost/ >&2")
43 # Connections to the firewalled machine should fail, but ping should succeed.
44 attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
45 attacker.succeed("ping -c 1 walled >&2")
47 # Outgoing connections/pings should still work.
48 walled.succeed("curl -v http://attacker/ >&2")
49 walled.succeed("ping -c 1 attacker >&2")
51 # If we stop the firewall, then connections should succeed.
52 walled.stop_job("${unit}")
53 attacker.succeed("curl -v http://walled/ >&2")
55 # Check whether activation of a new configuration reloads the firewall.
56 walled.succeed(
57 "/run/booted-system/specialisation/different-config/bin/switch-to-configuration test 2>&1 | grep -qF ${unit}.service"
58 )
59 '';
60 })