diff options
| -rw-r--r-- | nixos/modules/services/networking/firewall.nix | 3 | ||||
| -rw-r--r-- | nixos/tests/firewall.nix | 53 |
2 files changed, 36 insertions, 20 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 4e0d6bef431..942fcc03f59 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -490,7 +490,7 @@ in systemd.services.firewall = { description = "Firewall"; - wantedBy = [ "multi-user.target" "sysinit.target" ]; + wantedBy = [ "sysinit.target" ]; wants = [ "network-pre.target" ]; before = [ "network-pre.target" ]; after = [ "systemd-modules-load.service" ]; @@ -501,6 +501,7 @@ in # containers don't have CAP_SYS_MODULE. So the host system had # better have all necessary modules already loaded. unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + unitConfig.DefaultDependencies = false; reloadIfChanged = true; diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix index 8f2cb27b60f..1119a5312eb 100644 --- a/nixos/tests/firewall.nix +++ b/nixos/tests/firewall.nix @@ -15,6 +15,16 @@ import ./make-test.nix ( { pkgs, ... } : { services.httpd.adminAddr = "foo@example.org"; }; + # Dummy configuration to check whether firewall.service will be honored + # during system activation. This only needs to be different to the + # original walled configuration so that there is a change in the service + # file. + walled2 = + { config, pkgs, nodes, ... }: + { networking.firewall.enable = true; + networking.firewall.rejectPackets = true; + }; + attacker = { config, pkgs, ... }: { services.httpd.enable = true; @@ -23,28 +33,33 @@ import ./make-test.nix ( { pkgs, ... } : { }; }; - testScript = - { nodes, ... }: - '' - startAll; + testScript = { nodes, ... }: let + newSystem = nodes.walled2.config.system.build.toplevel; + in '' + $walled->start; + $attacker->start; + + $walled->waitForUnit("firewall"); + $walled->waitForUnit("httpd"); + $attacker->waitForUnit("network.target"); - $walled->waitForUnit("firewall"); - $walled->waitForUnit("httpd"); - $attacker->waitForUnit("network.target"); + # Local connections should still work. + $walled->succeed("curl -v http://localhost/ >&2"); - # Local connections should still work. - $walled->succeed("curl -v http://localhost/ >&2"); + # Connections to the firewalled machine should fail, but ping should succeed. + $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2"); + $attacker->succeed("ping -c 1 walled >&2"); - # Connections to the firewalled machine should fail, but ping should succeed. - $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2"); - $attacker->succeed("ping -c 1 walled >&2"); + # Outgoing connections/pings should still work. + $walled->succeed("curl -v http://attacker/ >&2"); + $walled->succeed("ping -c 1 attacker >&2"); - # Outgoing connections/pings should still work. - $walled->succeed("curl -v http://attacker/ >&2"); - $walled->succeed("ping -c 1 attacker >&2"); + # If we stop the firewall, then connections should succeed. + $walled->stopJob("firewall"); + $attacker->succeed("curl -v http://walled/ >&2"); - # If we stop the firewall, then connections should succeed. - $walled->stopJob("firewall"); - $attacker->succeed("curl -v http://walled/ >&2"); - ''; + # Check whether activation of a new configuration reloads the firewall. + $walled->succeed("${newSystem}/bin/switch-to-configuration test 2>&1" . + " | grep -qF firewall.service"); + ''; }) |