Author: eelco
Date: Fri Mar 11 13:38:52 2011
New Revision: 26276
URL: https://svn.nixos.org/websvn/nix/?rev=26276&sc=1
Log:
* Add a test for the firewall.
Added:
nixos/trunk/tests/firewall.nix
Modified:
nixos/trunk/modules/testing/test-instrumentation.nix
nixos/trunk/tests/default.nix
Modified: nixos/trunk/modules/testing/test-instrumentation.nix
==============================================================================
--- nixos/trunk/modules/testing/test-instrumentation.nix Fri Mar 11
13:34:17 2011 (r26275)
+++ nixos/trunk/modules/testing/test-instrumentation.nix Fri Mar 11
13:38:52 2011 (r26276)
@@ -24,7 +24,10 @@
config = {
jobs.backdoor =
- { startOn = "ip-up";
+ { # If the firewall is enabled, this job must start *after* the
+ # firewall, otherwise connection tracking won't know about
+ # this connection.
+ startOn = if config.networking.firewall.enable then "started firewall"
else "ip-up";
stopOn = "never";
script =
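Review bot: With the firewall enabled, the backdoor job's start now hinges entirely on `"started firewall"` and no longer on `ip-up`, so whether the network is actually up when the backdoor starts depends on the firewall job's own start condition, which is not visible in this hunk. If that assumption holds it is worth recording next to the new comment, e.g. `# (relies on the firewall job itself not starting before the network is up)`, so a later change to the firewall job's startOn does not silently break the test backdoor. The rationale about connection tracking is good and should stay. The enclosing `jobs.backdoor` attribute set continues past the end of the hunk.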
Modified: nixos/trunk/tests/default.nix
==============================================================================
--- nixos/trunk/tests/default.nix Fri Mar 11 13:34:17 2011 (r26275)
+++ nixos/trunk/tests/default.nix Fri Mar 11 13:38:52 2011 (r26276)
@@ -9,6 +9,7 @@
avahi = makeTest (import ./avahi.nix);
bittorrent = makeTest (import ./bittorrent.nix);
firefox = makeTest (import ./firefox.nix);
+ firewall = makeTest (import ./firewall.nix);
installer = makeTests (import ./installer.nix);
ipv6 = makeTest (import ./ipv6.nix);
kde4 = makeTest (import ./kde4.nix);
Added: nixos/trunk/tests/firewall.nix
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ nixos/trunk/tests/firewall.nix Fri Mar 11 13:38:52 2011 (r26276)
@@ -0,0 +1,47 @@
+# Test the firewall module.
+
+{ pkgs, ... }:
+
+{
+
+ nodes =
+ { walled =
+ { config, pkgs, nodes, ... }:
+ { networking.firewall.enable = true;
+ networking.firewall.logRefusedPackets = true;
+ services.httpd.enable = true;
+ services.httpd.adminAddr = "[email protected]";
+ };
+
+ attacker =
+ { config, pkgs, ... }:
+ { services.httpd.enable = true;
+ services.httpd.adminAddr = "[email protected]";
+ };
+ };
+
+ testScript =
+ { nodes, ... }:
+ ''
+ startAll;
+
+ $walled->waitForJob("firewall");
+ $walled->waitForJob("httpd");
+
+ # Local connections should still work.
+ $walled->succeed("curl -v http://localhost/ >&2");
+
+ # Connections to the firewalled machine should fail.
+ $attacker->fail("curl -v http://walled/ >&2");
+ $attacker->fail("ping -c 1 walled >&2");
+
+ # Outgoing connections/pings should still work.
+ $walled->succeed("curl -v http://attacker/ >&2");
+ $walled->succeed("ping -c 1 attacker >&2");
+
+ # If we stop the firewall, then connections should succeed.
+ $walled->succeed("stop firewall");
+ $attacker->succeed("curl -v http://walled/ >&2");
+ '';
+
+}
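Review bot: The outgoing-connection check `$walled->succeed("curl -v http://attacker/ >&2")` races with the attacker's httpd, which is never waited for; add `$attacker->waitForJob("httpd");` after the two `$walled->waitForJob` calls so a slow httpd start on the attacker cannot make the test flap. The negative assertions `$attacker->fail("curl -v http://walled/ >&2")` will also pass for the wrong reason if the filtered packets are dropped rather than rejected, since curl then hangs until its own default connect timeout, so a bounded timeout such as `curl -v --connect-timeout 10 http://walled/ >&2` keeps the failure fast and explicit (whether refused packets are dropped or rejected is not visible here). Finally, `networking.firewall.logRefusedPackets = true` is set but the kernel log is never inspected; either drop the option or assert that a refused-packet log entry appears on `walled` after the attacker's connection attempts.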