nixpkgs/tests/nat.nix

# This is a simple distributed test involving a topology with two
# separate virtual networks - the "inside" and the "outside" - with a
# client on the inside network, a server on the outside network, and a
# router connected to both that performs Network Address Translation
# for the client.

{ pkgs, ... }:

{

  nodes =
    { client = 
        { config, pkgs, nodes, ... }:
        { virtualisation.vlans = [ 1 ];
          networking.defaultGateway =
            nodes.router.config.networking.ifaces.eth2.ipAddress;
        };

      router = 
        { config, pkgs, ... }:
        { virtualisation.vlans = [ 2 1 ];
          environment.systemPackages = [ pkgs.iptables ];
        };

      server = 
        { config, pkgs, ... }:
        { virtualisation.vlans = [ 2 ];
          services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
        };
    };

  testScript =
    { nodes, ... }:
    ''
      startAll;

      # The router should have access to the server.
      $server->waitForJob("httpd");
      $router->mustSucceed("curl --fail http://server/ >&2");

      # But the client shouldn't be able to reach the server.
      $client->mustFail("curl --fail --connect-timeout 5 http://server/ >&2");

      # Enable NAT on the router.
      $router->mustSucceed(
          "iptables -t nat -F",
          "iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT",
          "iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT "
          . "--to-source ${nodes.router.config.networking.ifaces.eth1.ipAddress}",
          "echo 1 > /proc/sys/net/ipv4/ip_forward"
      );

      # Now the client should be able to connect.
      $client->mustSucceed("curl --fail http://server/ >&2");
    '';

}
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00			`# This is a simple distributed test involving a topology with two`
			`# separate virtual networks - the "inside" and the "outside" - with a`
			`# client on the inside network, a server on the outside network, and a`
			`# router connected to both that performs Network Address Translation`
			`# for the client.`

			`{ pkgs, ... }:`

			`{`

			`nodes =`
			`{ client =`
* Expose networking.interfaces as an attribute set keyed on the interface name through the derived option networking.ifaces. This makes it easier to get information about specific interfaces (e.g. `nodes.router.config.networking.ifaces.eth2.ipAddress'). Really networking.interfaces should be an attribute set. svn path=/nixos/trunk/; revision=21938 2010-05-21 14:12:03 +00:00			`{ config, pkgs, nodes, ... }:`
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00			`{ virtualisation.vlans = [ 1 ];`
* Expose networking.interfaces as an attribute set keyed on the interface name through the derived option networking.ifaces. This makes it easier to get information about specific interfaces (e.g. `nodes.router.config.networking.ifaces.eth2.ipAddress'). Really networking.interfaces should be an attribute set. svn path=/nixos/trunk/; revision=21938 2010-05-21 14:12:03 +00:00			`networking.defaultGateway =`
			`nodes.router.config.networking.ifaces.eth2.ipAddress;`
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00			`};`

			`router =`
			`{ config, pkgs, ... }:`
			`{ virtualisation.vlans = [ 2 1 ];`
			`environment.systemPackages = [ pkgs.iptables ];`
			`};`

			`server =`
			`{ config, pkgs, ... }:`
			`{ virtualisation.vlans = [ 2 ];`
			`services.httpd.enable = true;`
			`services.httpd.adminAddr = "foo@example.org";`
			`};`
			`};`

			`testScript =`
* Optionally pass the computed `nodes' to the test script as a function argument, so that the test script can refer to computed values such as the assigned IP addresses of the virtual machines. svn path=/nixos/trunk/; revision=21939 2010-05-21 14:31:05 +00:00			`{ nodes, ... }:`
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00			`''`
			`startAll;`

			`# The router should have access to the server.`
			`$server->waitForJob("httpd");`
			`$router->mustSucceed("curl --fail http://server/ >&2");`

			`# But the client shouldn't be able to reach the server.`
			`$client->mustFail("curl --fail --connect-timeout 5 http://server/ >&2");`

			`# Enable NAT on the router.`
			`$router->mustSucceed(`
			`"iptables -t nat -F",`
			`"iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT",`
* Optionally pass the computed `nodes' to the test script as a function argument, so that the test script can refer to computed values such as the assigned IP addresses of the virtual machines. svn path=/nixos/trunk/; revision=21939 2010-05-21 14:31:05 +00:00			`"iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT "`
			`. "--to-source ${nodes.router.config.networking.ifaces.eth1.ipAddress}",`
* Allow more complex network topologies in distributed tests. Each machine can now declare an option `virtualisation.vlans' that causes it to have network interfaces connected to each listed virtual network. For instance, virtualisation.vlans = [ 1 2 ]; causes the machine to have two interfaces (in addition to eth0, used by the test driver to control the machine): eth1 connected to network 1 with IP address 192.168.1.<i>, and eth2 connected to network 2 with address 192.168.2.<i> (where <i> is the index of the machine in the `nodes' attribute set). On the other hand, virtualisation.vlans = [ 2 ]; causes the machine to only have an eth1 connected to network 2 with address 192.168.2.<i>. So each virtual network <n> is assigned the IP range 192.168.<n>.0/24. Each virtual network is implemented using a separate multicast address on the host, so guests really cannot talk to networks to which they are not connected. * Added a simple NAT test to demonstrate this. * Added an option `virtualisation.qemu.options' to specify QEMU command-line options. Used to factor out some commonality between the test driver script and the interactive test script. svn path=/nixos/trunk/; revision=21928 2010-05-20 21:07:32 +00:00			`"echo 1 > /proc/sys/net/ipv4/ip_forward"`
			`);`

			`# Now the client should be able to connect.`
			`$client->mustSucceed("curl --fail http://server/ >&2");`
			`'';`

			`}`