author | aszlig <aszlig@redmoonstudios.org> | 2016-09-07 14:18:32 +0200 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2016-09-07 15:11:24 +0200 |
commit | fb46df8a9a4102e265f4b14af48a5df90d5b06c3 (patch) | |
tree | a8c913bd53e61f479752fedcdf5819cacbf0a826 /nixos/tests/firewall.nix | |
parent | 10b335992e3757a06f483248582c4f81ecbcb8d4 (diff) |
nixos: Fix ordering of firewall.service
Follow-up to the following commits:
abdc5961c3cdf9f5893ea1e91ba08ff5089f53a4: Fix starting the firewall
e090701e2d09aec3e8866ab9a8e53c37973ffeb4: Order before sysinit
Solely use sysinit.target here instead of multi-user.target because we
want to make sure that the iptables rules are applied *before* any
socket units are started.
The reason I've dropped the wantedBy on multi-user.target is that
sysinit.target is already a part of the dependency chain of
multi-user.target.
To make sure that this holds true, I've added a small test case to
ensure that during switch of the configuration the firewall.service is
considered as well.
Tested using the firewall NixOS test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
Diffstat (limited to 'nixos/tests/firewall.nix')
-rw-r--r-- | nixos/tests/firewall.nix | 53 |
1 files changed, 34 insertions, 19 deletions
diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix
index 8f2cb27b60f1..1119a5312eb5 100644
--- a/nixos/tests/firewall.nix
+++ b/nixos/tests/firewall.nix
@@ -15,6 +15,16 @@ import ./make-test.nix ( { pkgs, ... } : {
 services.httpd.adminAddr = "foo@example.org";
 };
 
+ # Dummy configuration to check whether firewall.service will be honored
+ # during system activation. This only needs to be different to the
+ # original walled configuration so that there is a change in the service
+ # file.
+ walled2 =
+ { config, pkgs, nodes, ... }:
+ { networking.firewall.enable = true;
+ networking.firewall.rejectPackets = true;
+ };
+
 attacker =
 { config, pkgs, ... }:
 { services.httpd.enable = true;
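Review bot: The comment on the new `walled2` node explains why it differs from `walled` but not that it is never started — it exists only so that `nodes.walled2.config.system.build.toplevel` can be built and activated on `walled`, which is presumably also why the next hunk replaces `startAll` with explicit `$walled->start; $attacker->start;`. Without that hint a reader may take `walled2` for a third VM and reintroduce `startAll`, booting an extra machine for nothing. Suggest extending the comment with `# This node is never started; it is only evaluated so that its toplevel can be switched to on the walled machine.`.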
@@ -23,28 +33,33 @@ import ./make-test.nix ( { pkgs, ... } : {
 };
 };
 
- testScript =
- { nodes, ... }:
- ''
- startAll;
+ testScript = { nodes, ... }: let
+ newSystem = nodes.walled2.config.system.build.toplevel;
+ in ''
+ $walled->start;
+ $attacker->start;
+
+ $walled->waitForUnit("firewall");
+ $walled->waitForUnit("httpd");
+ $attacker->waitForUnit("network.target");
 
- $walled->waitForUnit("firewall");
- $walled->waitForUnit("httpd");
- $attacker->waitForUnit("network.target");
+ # Local connections should still work.
+ $walled->succeed("curl -v http://localhost/ >&2");
 
- # Local connections should still work.
- $walled->succeed("curl -v http://localhost/ >&2");
+ # Connections to the firewalled machine should fail, but ping should succeed.
+ $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");
+ $attacker->succeed("ping -c 1 walled >&2");
 
- # Connections to the firewalled machine should fail, but ping should succeed.
- $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");
- $attacker->succeed("ping -c 1 walled >&2");
+ # Outgoing connections/pings should still work.
+ $walled->succeed("curl -v http://attacker/ >&2");
+ $walled->succeed("ping -c 1 attacker >&2");
 
- # Outgoing connections/pings should still work.
- $walled->succeed("curl -v http://attacker/ >&2");
- $walled->succeed("ping -c 1 attacker >&2");
+ # If we stop the firewall, then connections should succeed.
+ $walled->stopJob("firewall");
+ $attacker->succeed("curl -v http://walled/ >&2");
 
- # If we stop the firewall, then connections should succeed.
- $walled->stopJob("firewall");
- $attacker->succeed("curl -v http://walled/ >&2");
- '';
+ # Check whether activation of a new configuration reloads the firewall.
+ $walled->succeed("${newSystem}/bin/switch-to-configuration test 2>&1" .
+ " | grep -qF firewall.service");
+ '';
 }) |
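Review bot: The activation check added at the end of testScript only asserts that the string `firewall.service` appears somewhere in the `switch-to-configuration test` output, not that the firewall rules are in force afterwards — the unit was stopped by `$walled->stopJob("firewall")` a few lines earlier and nothing re-checks from `attacker` that connections are rejected again. `grep -qF firewall.service` also cannot distinguish the unit being reloaded from it being restarted, started or merely mentioned in a warning, so the test passes as long as the name is printed. Consider following the switch with `$walled->waitForUnit("firewall");` and `$attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");` so the test fails if the unit is listed but the rules never reach the kernel. Whether activation brings a stopped unit back up or only reloads an active one is not visible in this hunk, so the waitForUnit may need to be preceded by an explicit start.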