author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-10-10 13:28:20 +0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-10-10 13:28:20 +0200 |
commit | 5c1f8cbc70cd5e6867ef6a2a06d27a40daa07010 (patch) | |
tree | a6c0f605be6de3f372ae69905b331f9f75452da7 /nixos/tests/firewall.nix | |
parent | 6070bc016bd2fd945b04347e25cfd3738622d2ac (diff) |
Move all of NixOS to nixos/ in preparation of the repository merge
Diffstat (limited to 'nixos/tests/firewall.nix')
-rw-r--r-- | nixos/tests/firewall.nix | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/nixos/tests/firewall.nix b/nixos/tests/firewall.nix
new file mode 100644
index 000000000000..de32b98e5d2f
--- /dev/null
+++ b/nixos/tests/firewall.nix
@@ -0,0 +1,48 @@
+# Test the firewall module.
+
+{ pkgs, ... }:
+
+{
+
+ nodes =
+ { walled =
+ { config, pkgs, nodes, ... }:
+ { networking.firewall.enable = true;
+ networking.firewall.logRefusedPackets = true;
+ services.httpd.enable = true;
+ services.httpd.adminAddr = "foo@example.org";
+ };
+
+ attacker =
+ { config, pkgs, ... }:
+ { services.httpd.enable = true;
+ services.httpd.adminAddr = "foo@example.org";
+ };
+ };
+
+ testScript =
+ { nodes, ... }:
+ ''
+ startAll;
+
+ $walled->waitForUnit("firewall");
+ $walled->waitForUnit("httpd");
+ $attacker->waitForUnit("network.target");
+
+ # Local connections should still work.
+ $walled->succeed("curl -v http://localhost/ >&2");
+
+ # Connections to the firewalled machine should fail.
+ $attacker->fail("curl -v http://walled/ >&2");
+ $attacker->fail("ping -c 1 walled >&2");
+
+ # Outgoing connections/pings should still work.
+ $walled->succeed("curl -v http://attacker/ >&2");
+ $walled->succeed("ping -c 1 attacker >&2");
+
+ # If we stop the firewall, then connections should succeed.
+ $walled->stopJob("firewall");
+ $attacker->succeed("curl -v http://walled/ >&2");
+ '';
+
+} |
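Review bot: The two negative checks in testScript (`$attacker->fail("curl -v http://walled/ >&2")` and the ping after it) pass on any non-zero exit, so a name-resolution failure or an attacker node whose network is not yet usable (only `network.target` is awaited) is indistinguishable from a firewall block. The closing `succeed` after `stopJob("firewall")` shows the path works, but only after the fact. Separately, `networking.firewall.logRefusedPackets = true` is set on walled yet nothing asserts that the refused connection was logged; a check of walled's kernel log after the failed curl would cover that detection path (the log prefix is not visible here, so it is not quoted). If the firewall drops rather than rejects, bounding the probe as `$attacker->fail("curl -v --connect-timeout 5 http://walled/ >&2");` keeps the test from waiting on curl's default connect timeout.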