summary refs log tree commit diff
diff options
context:
space:
mode:
authorMorgan Jones <me@numin.it>2022-12-28 23:30:33 -0800
committerMorgan Jones <me@numin.it>2023-02-04 16:24:45 -0800
commit9d649fd78c30944dfe12b80bb55f8b4a9de567ed (patch)
tree7aa8ab6ebb08a4d6ad029b7882d2385e93980729
parentd02d50f5d00f0f2b279ab73084c5ac1061cb2ee1 (diff)
downloadnixpkgs-9d649fd78c30944dfe12b80bb55f8b4a9de567ed.tar
nixpkgs-9d649fd78c30944dfe12b80bb55f8b4a9de567ed.tar.gz
nixpkgs-9d649fd78c30944dfe12b80bb55f8b4a9de567ed.tar.bz2
nixpkgs-9d649fd78c30944dfe12b80bb55f8b4a9de567ed.tar.lz
nixpkgs-9d649fd78c30944dfe12b80bb55f8b4a9de567ed.tar.xz
nixpkgs-9d649fd78c30944dfe12b80bb55f8b4a9de567ed.tar.zst
nixpkgs-9d649fd78c30944dfe12b80bb55f8b4a9de567ed.zip
nixos/nebula: add tests for relays; clean up nebula passthru test
Diffstat
-rw-r--r--nixos/modules/services/networking/nebula.nix1


-rw-r--r--nixos/tests/nebula.nix82


-rw-r--r--pkgs/tools/networking/nebula/default.nix4


3 files changed, 86 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/nebula.nix b/nixos/modules/services/networking/nebula.nix
index c5d395b3406..71f8991b70a 100644
--- a/nixos/modules/services/networking/nebula.nix
+++ b/nixos/modules/services/networking/nebula.nix
@@ -175,6 +175,7 @@ in
           relay = {
             am_relay = netCfg.isRelay;
             relays = netCfg.relays;
+            use_relays = true;
           };
           listen = {
             host = netCfg.listen.host;
diff --git a/nixos/tests/nebula.nix b/nixos/tests/nebula.nix
index 1617430b389..95d6d510555 100644
--- a/nixos/tests/nebula.nix
+++ b/nixos/tests/nebula.nix
@@ -37,6 +37,7 @@ in
 
         services.nebula.networks.smoke = {
           isLighthouse = true;
+          isRelay = true;
           firewall = {
             outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
             inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
@@ -55,6 +56,7 @@ in
           staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
           isLighthouse = false;
           lighthouses = [ "10.0.100.1" ];
+          relays = [ "10.0.100.1" ];
           firewall = {
             outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
             inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
@@ -73,6 +75,7 @@ in
           staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
           isLighthouse = false;
           lighthouses = [ "10.0.100.1" ];
+          relays = [ "10.0.100.1" ];
           firewall = {
             outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
             inbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ];
@@ -92,6 +95,7 @@ in
           staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
           isLighthouse = false;
           lighthouses = [ "10.0.100.1" ];
+          relays = [ "10.0.100.1" ];
           firewall = {
             outbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ];
             inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
@@ -111,6 +115,7 @@ in
           staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
           isLighthouse = false;
           lighthouses = [ "10.0.100.1" ];
+          relays = [ "10.0.100.1" ];
           firewall = {
             outbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ];
             inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
@@ -159,6 +164,28 @@ in
       )
     '';
 
+    getPublicIp = node: ''
+      ${node}.succeed("ip --brief addr show eth1 | awk '{print $3}' | tail -n1 | cut -d/ -f1").strip()
+    '';
+
+    # Never do this for anything security critical! (Thankfully it's just a test.)
+    # Restart Nebula right after the mutual block and/or restore so the state is fresh.
+    blockTrafficBetween = nodeA: nodeB: ''
+      node_a = ${getPublicIp nodeA}
+      node_b = ${getPublicIp nodeB}
+      ${nodeA}.succeed("iptables -I INPUT -s " + node_b + " -j DROP")
+      ${nodeB}.succeed("iptables -I INPUT -s " + node_a + " -j DROP")
+      ${nodeA}.systemctl("restart nebula@smoke.service")
+      ${nodeB}.systemctl("restart nebula@smoke.service")
+    '';
+    allowTrafficBetween = nodeA: nodeB: ''
+      node_a = ${getPublicIp nodeA}
+      node_b = ${getPublicIp nodeB}
+      ${nodeA}.succeed("iptables -D INPUT -s " + node_b + " -j DROP")
+      ${nodeB}.succeed("iptables -D INPUT -s " + node_a + " -j DROP")
+      ${nodeA}.systemctl("restart nebula@smoke.service")
+      ${nodeB}.systemctl("restart nebula@smoke.service")
+    '';
   in ''
     # Create the certificate and sign the lighthouse's keys.
     ${setUpPrivateKey "lighthouse"}
@@ -210,6 +237,12 @@ in
     node3.succeed("ping -c3 10.0.100.1")
     node3.succeed("ping -c3 10.0.100.2")
 
+    # block node3 <-> node2, and node3 -> node2 should still work.
+    ${blockTrafficBetween "node3" "node2"}
+    node3.succeed("ping -c10 10.0.100.2")
+    ${allowTrafficBetween "node3" "node2"}
+    node3.succeed("ping -c10 10.0.100.2")
+
     # node4 can ping the lighthouse but not node2 or node3
     node4.succeed("ping -c3 10.0.100.1")
     node4.fail("ping -c3 10.0.100.2")
@@ -217,8 +250,57 @@ in
 
     # node2 can ping node3 now that node3 pinged it first
     node2.succeed("ping -c3 10.0.100.3")
+
+    # block node2 <-> node3, and node2 -> node3 should still work.
+    ${blockTrafficBetween "node2" "node3"}
+    node3.succeed("ping -c10 10.0.100.2")
+    node2.succeed("ping -c10 10.0.100.3")
+    ${allowTrafficBetween "node2" "node3"}
+    node3.succeed("ping -c10 10.0.100.2")
+    node2.succeed("ping -c10 10.0.100.3")
+
     # node4 can ping node2 if node2 pings it first
     node2.succeed("ping -c3 10.0.100.4")
     node4.succeed("ping -c3 10.0.100.2")
+
+    # block node4 <-> node2, and node2 <-> node4 should still work.
+    ${blockTrafficBetween "node2" "node4"}
+    node2.succeed("ping -c10 10.0.100.4")
+    node4.succeed("ping -c10 10.0.100.2")
+    ${allowTrafficBetween "node2" "node4"}
+    node2.succeed("ping -c10 10.0.100.4")
+    node4.succeed("ping -c10 10.0.100.2")
+
+    # block lighthouse <-> node3 and node2 <-> node3; node3 won't get to node2
+    ${blockTrafficBetween "node3" "lighthouse"}
+    ${blockTrafficBetween "node3" "node2"}
+    node3.fail("ping -c3 10.0.100.2")
+    ${allowTrafficBetween "node3" "lighthouse"}
+    ${allowTrafficBetween "node3" "node2"}
+    node3.succeed("ping -c3 10.0.100.2")
+
+    # block lighthouse <-> node2, node2 <-> node3, and node2 <-> node4; it won't get to node3 or node4
+    ${blockTrafficBetween "node2" "lighthouse"}
+    ${blockTrafficBetween "node2" "node3"}
+    ${blockTrafficBetween "node2" "node4"}
+    node3.fail("ping -c3 10.0.100.2")
+    node2.fail("ping -c3 10.0.100.3")
+    node2.fail("ping -c3 10.0.100.4")
+    ${allowTrafficBetween "node2" "lighthouse"}
+    ${allowTrafficBetween "node2" "node3"}
+    ${allowTrafficBetween "node2" "node4"}
+    node3.succeed("ping -c3 10.0.100.2")
+    node2.succeed("ping -c3 10.0.100.3")
+    node2.succeed("ping -c3 10.0.100.4")
+
+    # block lighthouse <-> node4 and node4 <-> node2; it won't get to node2
+    ${blockTrafficBetween "node4" "lighthouse"}
+    ${blockTrafficBetween "node4" "node2"}
+    node2.fail("ping -c3 10.0.100.4")
+    node4.fail("ping -c3 10.0.100.2")
+    ${allowTrafficBetween "node4" "lighthouse"}
+    ${allowTrafficBetween "node4" "node2"}
+    node2.succeed("ping -c3 10.0.100.4")
+    node4.succeed("ping -c3 10.0.100.2")
   '';
 })
diff --git a/pkgs/tools/networking/nebula/default.nix b/pkgs/tools/networking/nebula/default.nix
index bd99c16be4f..6f4483cd728 100644
--- a/pkgs/tools/networking/nebula/default.nix
+++ b/pkgs/tools/networking/nebula/default.nix
@@ -17,7 +17,9 @@ buildGoModule rec {
 
   ldflags = [ "-X main.Build=${version}" ];
 
-  passthru.tests.nebula = nixosTests.nebula;
+  passthru.tests = {
+    inherit (nixosTests) nebula;
+  };
 
   meta = with lib; {
     description = "A scalable overlay networking tool with a focus on performance, simplicity and security";

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-16 20:18:06 +0000