Merge pull request #4121 from wkennington/master.nat

nixos/nat: Don't flush tables, create subchains for autogenerated rules
2014-09-18 16:30:42 -07:00 · 2014-09-18 16:30:42 -07:00 · 1ff027b304
commit 1ff027b304
parent 05c02b06f7 8250059a9f
4 changed files with 90 additions and 73 deletions
--- a/nixos/modules/services/networking/nat.nix
+++ b/nixos/modules/services/networking/nat.nix
@ -13,38 +13,49 @@ let
  dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
  flushNat = ''
-    iptables -w -t nat -F PREROUTING
+    iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true
-    iptables -w -t nat -F POSTROUTING
+    iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true
-    iptables -w -t nat -X
+    iptables -w -t nat -X nixos-nat-pre 2>/dev/null || true
    iptables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true
    iptables -w -t nat -F nixos-nat-post 2>/dev/null || true
    iptables -w -t nat -X nixos-nat-post 2>/dev/null || true
  '';
  setupNat = ''
    # Create subchain where we store rules
    iptables -w -t nat -N nixos-nat-pre
    iptables -w -t nat -N nixos-nat-post
    # We can't match on incoming interface in POSTROUTING, so
    # mark packets coming from the external interfaces.
    ${concatMapStrings (iface: ''
-      iptables -w -t nat -A PREROUTING \
+      iptables -w -t nat -A nixos-nat-pre \
        -i '${iface}' -j MARK --set-mark 1
    '') cfg.internalInterfaces}
    # NAT the marked packets.
    ${optionalString (cfg.internalInterfaces != []) ''
-      iptables -w -t nat -A POSTROUTING -m mark --mark 1 \
+      iptables -w -t nat -A nixos-nat-post -m mark --mark 1 \
        -o ${cfg.externalInterface} ${dest}
    ''}
    # NAT packets coming from the internal IPs.
    ${concatMapStrings (range: ''
-      iptables -w -t nat -A POSTROUTING \
+      iptables -w -t nat -A nixos-nat-post \
        -s '${range}' -o ${cfg.externalInterface} ${dest}
    '') cfg.internalIPs}
    # NAT from external ports to internal ports.
    ${concatMapStrings (fwd: ''
-      iptables -w -t nat -A PREROUTING \
+      iptables -w -t nat -A nixos-nat-pre \
        -i ${cfg.externalInterface} -p tcp \
        --dport ${builtins.toString fwd.sourcePort} \
        -j DNAT --to-destination ${fwd.destination}
    '') cfg.forwardPorts}
    # Append our chains to the nat tables
    iptables -w -t nat -A PREROUTING -j nixos-nat-pre
    iptables -w -t nat -A POSTROUTING -j nixos-nat-post
  '';
 in
@ -157,7 +168,7 @@ in
      extraStopCommands = flushNat;
    };
-    systemd.services =  mkIf (!config.networking.firewall.enable) { nat = {
+    systemd.services = mkIf (!config.networking.firewall.enable) { nat = {
      description = "Network Address Translation";
      wantedBy = [ "network.target" ];
      after = [ "network-interfaces.target" "systemd-modules-load.service" ];
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@ -61,7 +61,8 @@ in rec {
        (all nixos.tests.kde4)
        (all nixos.tests.login)
        (all nixos.tests.misc)
-        (all nixos.tests.nat)
+        (all nixos.tests.nat.firewall)
        (all nixos.tests.nat.standalone)
        (all nixos.tests.nfs3)
        (all nixos.tests.openssh)
        (all nixos.tests.printing)
--- a/nixos/release.nix
+++ b/nixos/release.nix
@ -244,7 +244,8 @@ in rec {
  tests.munin = callTest tests/munin.nix {};
  tests.mysql = callTest tests/mysql.nix {};
  tests.mysqlReplication = callTest tests/mysql-replication.nix {};
-  tests.nat = callTest tests/nat.nix {};
+  tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
  tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; };
  tests.nfs3 = callTest tests/nfs.nix { version = 3; };
  tests.nsd = callTest tests/nsd.nix {};
  tests.openssh = callTest tests/openssh.nix {};
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
@ -3,77 +3,81 @@
 # client on the inside network, a server on the outside network, and a
 # router connected to both that performs Network Address Translation
 # for the client.
 import ./make-test.nix ({ withFirewall, ... }:
  let
    unit = if withFirewall then "firewall" else "nat";
  in
  {
    name = "nat${if withFirewall then "WithFirewall" else "Standalone"}";
-import ./make-test.nix {
+    nodes =
-  name = "nat";
+      { client =
          { config, pkgs, nodes, ... }:
          { virtualisation.vlans = [ 1 ];
            networking.firewall.allowPing = true;
            networking.defaultGateway =
              (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
          };
-  nodes =
+        router =
-    { client =
+          { config, pkgs, ... }:
-        { config, pkgs, nodes, ... }:
+          { virtualisation.vlans = [ 2 1 ];
-        { virtualisation.vlans = [ 1 ];
+            networking.firewall.enable = withFirewall;
-          networking.firewall.allowPing = true;
+            networking.firewall.allowPing = true;
-          networking.defaultGateway =
+            networking.nat.enable = true;
-            (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
+            networking.nat.internalIPs = [ "192.168.1.0/24" ];
-        };
+            networking.nat.externalInterface = "eth1";
          };
-      router =
+        server =
-        { config, pkgs, ... }:
+          { config, pkgs, ... }:
-        { virtualisation.vlans = [ 2 1 ];
+          { virtualisation.vlans = [ 2 ];
-          networking.firewall.allowPing = true;
+            networking.firewall.enable = false;
-          networking.nat.enable = true;
+            services.httpd.enable = true;
-          networking.nat.internalIPs = [ "192.168.1.0/24" ];
+            services.httpd.adminAddr = "foo@example.org";
-          networking.nat.externalInterface = "eth1";
+            services.vsftpd.enable = true;
-        };
+            services.vsftpd.anonymousUser = true;
          };
      };
-      server =
+    testScript =
-        { config, pkgs, ... }:
+      { nodes, ... }:
-        { virtualisation.vlans = [ 2 ];
+      ''
-          networking.firewall.enable = false;
+        startAll;
          services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
          services.vsftpd.enable = true;
          services.vsftpd.anonymousUser = true;
        };
    };
-  testScript =
+        # The router should have access to the server.
-    { nodes, ... }:
+        $server->waitForUnit("network.target");
-    ''
+        $server->waitForUnit("httpd");
-      startAll;
+        $router->waitForUnit("network.target");
        $router->succeed("curl --fail http://server/ >&2");
-      # The router should have access to the server.
+        # The client should be also able to connect via the NAT router.
-      $server->waitForUnit("network.target");
+        $router->waitForUnit("${unit}");
-      $server->waitForUnit("httpd");
+        $client->waitForUnit("network.target");
-      $router->waitForUnit("network.target");
+        $client->succeed("curl --fail http://server/ >&2");
-      $router->succeed("curl --fail http://server/ >&2");
+        $client->succeed("ping -c 1 server >&2");
-      # The client should be also able to connect via the NAT router.
+        # Test whether passive FTP works.
-      $router->waitForUnit("nat");
+        $server->waitForUnit("vsftpd");
-      $client->waitForUnit("network.target");
+        $server->succeed("echo Hello World > /home/ftp/foo.txt");
-      $client->succeed("curl --fail http://server/ >&2");
+        $client->succeed("curl -v ftp://server/foo.txt >&2");
      $client->succeed("ping -c 1 server >&2");
-      # Test whether passive FTP works.
+        # Test whether active FTP works.
-      $server->waitForUnit("vsftpd");
+        $client->succeed("curl -v -P - ftp://server/foo.txt >&2");
      $server->succeed("echo Hello World > /home/ftp/foo.txt");
      $client->succeed("curl -v ftp://server/foo.txt >&2");
-      # Test whether active FTP works.
+        # Test ICMP.
-      $client->succeed("curl -v -P - ftp://server/foo.txt >&2");
+        $client->succeed("ping -c 1 router >&2");
        $router->succeed("ping -c 1 client >&2");
-      # Test ICMP.
+        # If we turn off NAT, the client shouldn't be able to reach the server.
-      $client->succeed("ping -c 1 router >&2");
+        $router->succeed("iptables -t nat -D PREROUTING -j nixos-nat-pre");
-      $router->succeed("ping -c 1 client >&2");
+        $router->succeed("iptables -t nat -D POSTROUTING -j nixos-nat-post");
        $client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
        $client->fail("ping -c 1 server >&2");
-      # If we turn off NAT, the client shouldn't be able to reach the server.
+        # And make sure that reloading the NAT job works.
-      $router->stopJob("nat");
+        $router->succeed("systemctl restart ${unit}");
-      $client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
+        $client->succeed("curl --fail http://server/ >&2");
-      $client->fail("ping -c 1 server >&2");
+        $client->succeed("ping -c 1 server >&2");
-
+      '';
-      # And make sure that restarting the NAT job works.
+  })
      $router->succeed("systemctl start nat");
      $client->succeed("curl --fail http://server/ >&2");
      $client->succeed("ping -c 1 server >&2");
    '';
 }