| blob | 0b617cea7774c947af54a2683e655c3199a725d7 |
1 # This is a simple distributed test involving a topology with two
2 # separate virtual networks - the "inside" and the "outside" - with a
3 # client on the inside network, a server on the outside network, and a
4 # router connected to both that performs Network Address Translation
5 # for the client.
6 import ./make-test-python.nix ({ pkgs, lib, withFirewall, nftables ? false, ... }:
7 let
8 unit = if nftables then "nftables" else (if withFirewall then "firewall" else "nat");
10 routerBase =
11 lib.mkMerge [
12 { virtualisation.vlans = [ 2 1 ];
13 networking.firewall.enable = withFirewall;
14 networking.firewall.filterForward = nftables;
15 networking.nftables.enable = nftables;
16 networking.nat.internalIPs = [ "192.168.1.0/24" ];
17 networking.nat.externalInterface = "eth1";
18 }
19 ];
20 in
21 {
22 name = "nat" + (lib.optionalString nftables "Nftables")
23 + (if withFirewall then "WithFirewall" else "Standalone");
24 meta = with pkgs.lib.maintainers; {
25 maintainers = [ eelco rob ];
26 };
28 nodes =
29 { client =
30 { pkgs, nodes, ... }:
31 lib.mkMerge [
32 { virtualisation.vlans = [ 1 ];
33 networking.defaultGateway =
34 (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ipv4.addresses).address;
35 networking.nftables.enable = nftables;
36 }
37 ];
39 router =
40 { ... }: lib.mkMerge [
41 routerBase
42 { networking.nat.enable = true; }
43 ];
45 routerDummyNoNat =
46 { ... }: lib.mkMerge [
47 routerBase
48 { networking.nat.enable = false; }
49 ];
51 server =
52 { ... }:
53 { virtualisation.vlans = [ 2 ];
54 networking.firewall.enable = false;
55 services.httpd.enable = true;
56 services.httpd.adminAddr = "foo@example.org";
57 services.vsftpd.enable = true;
58 services.vsftpd.anonymousUser = true;
59 };
60 };
62 testScript =
63 { nodes, ... }: let
64 routerDummyNoNatClosure = nodes.routerDummyNoNat.config.system.build.toplevel;
65 routerClosure = nodes.router.config.system.build.toplevel;
66 in ''
67 client.start()
68 router.start()
69 server.start()
71 # The router should have access to the server.
72 server.wait_for_unit("network.target")
73 server.wait_for_unit("httpd")
74 router.wait_for_unit("network.target")
75 router.succeed("curl --fail http://server/ >&2")
77 # The client should be also able to connect via the NAT router.
78 router.wait_for_unit("${unit}")
79 client.wait_for_unit("network.target")
80 client.succeed("curl --fail http://server/ >&2")
81 client.succeed("ping -c 1 server >&2")
83 # Test whether passive FTP works.
84 server.wait_for_unit("vsftpd")
85 server.succeed("echo Hello World > /home/ftp/foo.txt")
86 client.succeed("curl -v ftp://server/foo.txt >&2")
88 # Test whether active FTP works.
89 client.fail("curl -v -P - ftp://server/foo.txt >&2")
91 # Test ICMP.
92 client.succeed("ping -c 1 router >&2")
93 router.succeed("ping -c 1 client >&2")
95 # If we turn off NAT, the client shouldn't be able to reach the server.
96 router.succeed(
97 "${routerDummyNoNatClosure}/bin/switch-to-configuration test 2>&1"
98 )
99 client.fail("curl --fail --connect-timeout 5 http://server/ >&2")
100 client.fail("ping -c 1 server >&2")
102 # And make sure that reloading the NAT job works.
103 router.succeed(
104 "${routerClosure}/bin/switch-to-configuration test 2>&1"
105 )
106 # FIXME: this should not be necessary, but nat.service is not started because
107 # network.target is not triggered
108 # (https://github.com/NixOS/nixpkgs/issues/16230#issuecomment-226408359)
109 ${lib.optionalString (!withFirewall && !nftables) ''
110 router.succeed("systemctl start nat.service")
111 ''}
112 client.succeed("curl --fail http://server/ >&2")
113 client.succeed("ping -c 1 server >&2")
114 '';
115 })