diff options
Diffstat (limited to 'nixos/tests/nat.nix')
-rw-r--r-- | nixos/tests/nat.nix | 130 |
1 files changed, 67 insertions, 63 deletions
diff --git a/nixos/tests/nat.nix b/nixos/tests/nat.nix index 5fdcc0e97ca..c4d2614f785 100644 --- a/nixos/tests/nat.nix +++ b/nixos/tests/nat.nix @@ -3,77 +3,81 @@ # client on the inside network, a server on the outside network, and a # router connected to both that performs Network Address Translation # for the client. +import ./make-test.nix ({ withFirewall, ... }: + let + unit = if withFirewall then "firewall" else "nat"; + in + { + name = "nat${if withFirewall then "WithFirewall" else "Standalone"}"; -import ./make-test.nix { - name = "nat"; + nodes = + { client = + { config, pkgs, nodes, ... }: + { virtualisation.vlans = [ 1 ]; + networking.firewall.allowPing = true; + networking.defaultGateway = + (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address; + }; - nodes = - { client = - { config, pkgs, nodes, ... }: - { virtualisation.vlans = [ 1 ]; - networking.firewall.allowPing = true; - networking.defaultGateway = - nodes.router.config.networking.interfaces.eth2.ipAddress; - }; + router = + { config, pkgs, ... }: + { virtualisation.vlans = [ 2 1 ]; + networking.firewall.enable = withFirewall; + networking.firewall.allowPing = true; + networking.nat.enable = true; + networking.nat.internalIPs = [ "192.168.1.0/24" ]; + networking.nat.externalInterface = "eth1"; + }; - router = - { config, pkgs, ... }: - { virtualisation.vlans = [ 2 1 ]; - networking.firewall.allowPing = true; - networking.nat.enable = true; - networking.nat.internalIPs = [ "192.168.1.0/24" ]; - networking.nat.externalInterface = "eth1"; - }; + server = + { config, pkgs, ... }: + { virtualisation.vlans = [ 2 ]; + networking.firewall.enable = false; + services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + services.vsftpd.enable = true; + services.vsftpd.anonymousUser = true; + }; + }; - server = - { config, pkgs, ... }: - { virtualisation.vlans = [ 2 ]; - networking.firewall.enable = false; - services.httpd.enable = true; - services.httpd.adminAddr = "foo@example.org"; - services.vsftpd.enable = true; - services.vsftpd.anonymousUser = true; - }; - }; + testScript = + { nodes, ... }: + '' + startAll; - testScript = - { nodes, ... }: - '' - startAll; + # The router should have access to the server. + $server->waitForUnit("network.target"); + $server->waitForUnit("httpd"); + $router->waitForUnit("network.target"); + $router->succeed("curl --fail http://server/ >&2"); - # The router should have access to the server. - $server->waitForUnit("network.target"); - $server->waitForUnit("httpd"); - $router->waitForUnit("network.target"); - $router->succeed("curl --fail http://server/ >&2"); + # The client should be also able to connect via the NAT router. + $router->waitForUnit("${unit}"); + $client->waitForUnit("network.target"); + $client->succeed("curl --fail http://server/ >&2"); + $client->succeed("ping -c 1 server >&2"); - # The client should be also able to connect via the NAT router. - $router->waitForUnit("nat"); - $client->waitForUnit("network.target"); - $client->succeed("curl --fail http://server/ >&2"); - $client->succeed("ping -c 1 server >&2"); + # Test whether passive FTP works. + $server->waitForUnit("vsftpd"); + $server->succeed("echo Hello World > /home/ftp/foo.txt"); + $client->succeed("curl -v ftp://server/foo.txt >&2"); - # Test whether passive FTP works. - $server->waitForUnit("vsftpd"); - $server->succeed("echo Hello World > /home/ftp/foo.txt"); - $client->succeed("curl -v ftp://server/foo.txt >&2"); + # Test whether active FTP works. + $client->succeed("curl -v -P - ftp://server/foo.txt >&2"); - # Test whether active FTP works. - $client->succeed("curl -v -P - ftp://server/foo.txt >&2"); + # Test ICMP. + $client->succeed("ping -c 1 router >&2"); + $router->succeed("ping -c 1 client >&2"); - # Test ICMP. - $client->succeed("ping -c 1 router >&2"); - $router->succeed("ping -c 1 client >&2"); + # If we turn off NAT, the client shouldn't be able to reach the server. + $router->succeed("iptables -t nat -D PREROUTING -j nixos-nat-pre"); + $router->succeed("iptables -t nat -D POSTROUTING -j nixos-nat-post"); + $client->fail("curl --fail --connect-timeout 5 http://server/ >&2"); + $client->fail("ping -c 1 server >&2"); - # If we turn off NAT, the client shouldn't be able to reach the server. - $router->stopJob("nat"); - $client->fail("curl --fail --connect-timeout 5 http://server/ >&2"); - $client->fail("ping -c 1 server >&2"); - - # And make sure that restarting the NAT job works. - $router->succeed("systemctl start nat"); - $client->succeed("curl --fail http://server/ >&2"); - $client->succeed("ping -c 1 server >&2"); - ''; - -} + # And make sure that reloading the NAT job works. + $router->succeed("systemctl restart ${unit}"); + $client->succeed("curl --fail http://server/ >&2"); + $client->succeed("ping -c 1 server >&2"); + ''; + }) |