nixpkgs/nixos/tests/nat.nix

# This is a simple distributed test involving a topology with two
# separate virtual networks - the "inside" and the "outside" - with a
# client on the inside network, a server on the outside network, and a
# router connected to both that performs Network Address Translation
# for the client.
import ./make-test.nix ({ withFirewall, ... }:
  let
    unit = if withFirewall then "firewall" else "nat";
  in
  {
    name = "nat${if withFirewall then "WithFirewall" else "Standalone"}";

    nodes =
      { client =
          { config, pkgs, nodes, ... }:
          { virtualisation.vlans = [ 1 ];
            networking.firewall.allowPing = true;
            networking.defaultGateway =
              (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
          };

        router =
          { config, pkgs, ... }:
          { virtualisation.vlans = [ 2 1 ];
            networking.firewall.enable = withFirewall;
            networking.firewall.allowPing = true;
            networking.nat.enable = true;
            networking.nat.internalIPs = [ "192.168.1.0/24" ];
            networking.nat.externalInterface = "eth1";
          };

        server =
          { config, pkgs, ... }:
          { virtualisation.vlans = [ 2 ];
            networking.firewall.enable = false;
            services.httpd.enable = true;
            services.httpd.adminAddr = "foo@example.org";
            services.vsftpd.enable = true;
            services.vsftpd.anonymousUser = true;
          };
      };

    testScript =
      { nodes, ... }:
      ''
        startAll;

        # The router should have access to the server.
        $server->waitForUnit("network.target");
        $server->waitForUnit("httpd");
        $router->waitForUnit("network.target");
        $router->succeed("curl --fail http://server/ >&2");

        # The client should be also able to connect via the NAT router.
        $router->waitForUnit("${unit}");
        $client->waitForUnit("network.target");
        $client->succeed("curl --fail http://server/ >&2");
        $client->succeed("ping -c 1 server >&2");

        # Test whether passive FTP works.
        $server->waitForUnit("vsftpd");
        $server->succeed("echo Hello World > /home/ftp/foo.txt");
        $client->succeed("curl -v ftp://server/foo.txt >&2");

        # Test whether active FTP works.
        $client->succeed("curl -v -P - ftp://server/foo.txt >&2");

        # Test ICMP.
        $client->succeed("ping -c 1 router >&2");
        $router->succeed("ping -c 1 client >&2");

        # If we turn off NAT, the client shouldn't be able to reach the server.
        $router->succeed("iptables -t nat -D PREROUTING -j nixos-nat-pre");
        $router->succeed("iptables -t nat -D POSTROUTING -j nixos-nat-post");
        $client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
        $client->fail("ping -c 1 server >&2");

        # And make sure that reloading the NAT job works.
        $router->succeed("systemctl restart ${unit}");
        $client->succeed("curl --fail http://server/ >&2");
        $client->succeed("ping -c 1 server >&2");
      '';
  })
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00			`# This is a simple distributed test involving a topology with two`
			`# separate virtual networks - the "inside" and the "outside" - with a`
			`# client on the inside network, a server on the outside network, and a`
			`# router connected to both that performs Network Address Translation`
			`# for the client.`
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`import ./make-test.nix ({ withFirewall, ... }:`
			`let`
			`unit = if withFirewall then "firewall" else "nat";`
			`in`
			`{`
			`name = "nat${if withFirewall then "WithFirewall" else "Standalone"}";`
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`nodes =`
			`{ client =`
			`{ config, pkgs, nodes, ... }:`
			`{ virtualisation.vlans = [ 1 ];`
			`networking.firewall.allowPing = true;`
			`networking.defaultGateway =`
			`(pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;`
			`};`
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`router =`
			`{ config, pkgs, ... }:`
			`{ virtualisation.vlans = [ 2 1 ];`
			`networking.firewall.enable = withFirewall;`
			`networking.firewall.allowPing = true;`
			`networking.nat.enable = true;`
			`networking.nat.internalIPs = [ "192.168.1.0/24" ];`
			`networking.nat.externalInterface = "eth1";`
			`};`
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`server =`
			`{ config, pkgs, ... }:`
			`{ virtualisation.vlans = [ 2 ];`
			`networking.firewall.enable = false;`
			`services.httpd.enable = true;`
			`services.httpd.adminAddr = "foo@example.org";`
			`services.vsftpd.enable = true;`
			`services.vsftpd.anonymousUser = true;`
			`};`
			`};`
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`testScript =`
			`{ nodes, ... }:`
			`''`
			`startAll;`
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`# The router should have access to the server.`
			`$server->waitForUnit("network.target");`
			`$server->waitForUnit("httpd");`
			`$router->waitForUnit("network.target");`
			`$router->succeed("curl --fail http://server/ >&2");`
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`# The client should be also able to connect via the NAT router.`
			`$router->waitForUnit("${unit}");`
			`$client->waitForUnit("network.target");`
			`$client->succeed("curl --fail http://server/ >&2");`
			`$client->succeed("ping -c 1 server >&2");`
* Add a module for doing Network Address Translation. svn path=/nixos/trunk/; revision=26246 2011-03-10 12:08:39 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`# Test whether passive FTP works.`
			`$server->waitForUnit("vsftpd");`
			`$server->succeed("echo Hello World > /home/ftp/foo.txt");`
			`$client->succeed("curl -v ftp://server/foo.txt >&2");`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`# Test whether active FTP works.`
			`$client->succeed("curl -v -P - ftp://server/foo.txt >&2");`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`# Test ICMP.`
			`$client->succeed("ping -c 1 router >&2");`
			`$router->succeed("ping -c 1 client >&2");`
* NAT module: support active FTP. svn path=/nixos/trunk/; revision=26247 2011-03-10 13:03:47 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`# If we turn off NAT, the client shouldn't be able to reach the server.`
			`$router->succeed("iptables -t nat -D PREROUTING -j nixos-nat-pre");`
			`$router->succeed("iptables -t nat -D POSTROUTING -j nixos-nat-post");`
			`$client->fail("curl --fail --connect-timeout 5 http://server/ >&2");`
			`$client->fail("ping -c 1 server >&2");`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
nixos/tests/nat: Add tests for standalone and firewall based nat 2014-09-18 13:34:29 -07:00			`# And make sure that reloading the NAT job works.`
			`$router->succeed("systemctl restart ${unit}");`
			`$client->succeed("curl --fail http://server/ >&2");`
			`$client->succeed("ping -c 1 server >&2");`
			`'';`
			`})`