nixos/tests/nat: Add tests for standalone and firewall based nat

2014-09-18 13:34:29 -07:00 · 2014-09-18 13:34:29 -07:00 · 8250059a9f
commit 8250059a9f
parent b047f2ddec
3 changed files with 71 additions and 66 deletions
--- a/nixos/release-combined.nix
+++ b/nixos/release-combined.nix
@ -61,7 +61,8 @@ in rec {
        (all nixos.tests.kde4)
        (all nixos.tests.login)
        (all nixos.tests.misc)
-        (all nixos.tests.nat)
+        (all nixos.tests.nat.firewall)
        (all nixos.tests.nat.standalone)
        (all nixos.tests.nfs3)
        (all nixos.tests.openssh)
        (all nixos.tests.printing)
--- a/nixos/release.nix
+++ b/nixos/release.nix
@ -244,7 +244,8 @@ in rec {
  tests.munin = callTest tests/munin.nix {};
  tests.mysql = callTest tests/mysql.nix {};
  tests.mysqlReplication = callTest tests/mysql-replication.nix {};
-  tests.nat = callTest tests/nat.nix {};
+  tests.nat.firewall = callTest tests/nat.nix { withFirewall = true; };
  tests.nat.standalone = callTest tests/nat.nix { withFirewall = false; };
  tests.nfs3 = callTest tests/nfs.nix { version = 3; };
  tests.nsd = callTest tests/nsd.nix {};
  tests.openssh = callTest tests/openssh.nix {};
--- a/nixos/tests/nat.nix
+++ b/nixos/tests/nat.nix
@ -3,78 +3,81 @@
 # client on the inside network, a server on the outside network, and a
 # router connected to both that performs Network Address Translation
 # for the client.
 import ./make-test.nix ({ withFirewall, ... }:
  let
    unit = if withFirewall then "firewall" else "nat";
  in
  {
    name = "nat${if withFirewall then "WithFirewall" else "Standalone"}";
-import ./make-test.nix {
+    nodes =
-  name = "nat";
+      { client =
          { config, pkgs, nodes, ... }:
          { virtualisation.vlans = [ 1 ];
            networking.firewall.allowPing = true;
            networking.defaultGateway =
              (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
          };
-  nodes =
+        router =
-    { client =
+          { config, pkgs, ... }:
-        { config, pkgs, nodes, ... }:
+          { virtualisation.vlans = [ 2 1 ];
-        { virtualisation.vlans = [ 1 ];
+            networking.firewall.enable = withFirewall;
-          networking.firewall.allowPing = true;
+            networking.firewall.allowPing = true;
-          networking.defaultGateway =
+            networking.nat.enable = true;
-            (pkgs.lib.head nodes.router.config.networking.interfaces.eth2.ip4).address;
+            networking.nat.internalIPs = [ "192.168.1.0/24" ];
-        };
+            networking.nat.externalInterface = "eth1";
          };
-      router =
+        server =
-        { config, pkgs, ... }:
+          { config, pkgs, ... }:
-        { virtualisation.vlans = [ 2 1 ];
+          { virtualisation.vlans = [ 2 ];
-          networking.firewall.allowPing = true;
+            networking.firewall.enable = false;
-          networking.nat.enable = true;
+            services.httpd.enable = true;
-          networking.nat.internalIPs = [ "192.168.1.0/24" ];
+            services.httpd.adminAddr = "foo@example.org";
-          networking.nat.externalInterface = "eth1";
+            services.vsftpd.enable = true;
-        };
+            services.vsftpd.anonymousUser = true;
          };
      };
-      server =
+    testScript =
-        { config, pkgs, ... }:
+      { nodes, ... }:
-        { virtualisation.vlans = [ 2 ];
+      ''
-          networking.firewall.enable = false;
+        startAll;
          services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
          services.vsftpd.enable = true;
          services.vsftpd.anonymousUser = true;
        };
    };
-  testScript =
+        # The router should have access to the server.
-    { nodes, ... }:
+        $server->waitForUnit("network.target");
-    ''
+        $server->waitForUnit("httpd");
-      startAll;
+        $router->waitForUnit("network.target");
        $router->succeed("curl --fail http://server/ >&2");
-      # The router should have access to the server.
+        # The client should be also able to connect via the NAT router.
-      $server->waitForUnit("network.target");
+        $router->waitForUnit("${unit}");
-      $server->waitForUnit("httpd");
+        $client->waitForUnit("network.target");
-      $router->waitForUnit("network.target");
+        $client->succeed("curl --fail http://server/ >&2");
-      $router->succeed("curl --fail http://server/ >&2");
+        $client->succeed("ping -c 1 server >&2");
-      # The client should be also able to connect via the NAT router.
+        # Test whether passive FTP works.
-      $router->waitForUnit("firewall"); # Nat leverages the firewall service
+        $server->waitForUnit("vsftpd");
-      $client->waitForUnit("network.target");
+        $server->succeed("echo Hello World > /home/ftp/foo.txt");
-      $client->succeed("curl --fail http://server/ >&2");
+        $client->succeed("curl -v ftp://server/foo.txt >&2");
      $client->succeed("ping -c 1 server >&2");
-      # Test whether passive FTP works.
+        # Test whether active FTP works.
-      $server->waitForUnit("vsftpd");
+        $client->succeed("curl -v -P - ftp://server/foo.txt >&2");
      $server->succeed("echo Hello World > /home/ftp/foo.txt");
      $client->succeed("curl -v ftp://server/foo.txt >&2");
-      # Test whether active FTP works.
+        # Test ICMP.
-      $client->succeed("curl -v -P - ftp://server/foo.txt >&2");
+        $client->succeed("ping -c 1 router >&2");
        $router->succeed("ping -c 1 client >&2");
-      # Test ICMP.
+        # If we turn off NAT, the client shouldn't be able to reach the server.
-      $client->succeed("ping -c 1 router >&2");
+        $router->succeed("iptables -t nat -D PREROUTING -j nixos-nat-pre");
-      $router->succeed("ping -c 1 client >&2");
+        $router->succeed("iptables -t nat -D POSTROUTING -j nixos-nat-post");
        $client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
        $client->fail("ping -c 1 server >&2");
-      # If we turn off NAT, the client shouldn't be able to reach the server.
+        # And make sure that reloading the NAT job works.
-      $router->succeed("iptables -t nat -D PREROUTING -j nixos-nat-pre");
+        $router->succeed("systemctl restart ${unit}");
-      $router->succeed("iptables -t nat -D POSTROUTING -j nixos-nat-post");
+        $client->succeed("curl --fail http://server/ >&2");
-      $client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
+        $client->succeed("ping -c 1 server >&2");
-      $client->fail("ping -c 1 server >&2");
+      '';
-
+  })
      # And make sure that restarting the NAT job works.
      $router->succeed("systemctl reload firewall"); # Nat leverages the firewall service
      $client->succeed("curl --fail http://server/ >&2");
      $client->succeed("ping -c 1 server >&2");
    '';
 }