* Add a test for the firewall.

svn path=/nixos/trunk/; revision=26276
2011-03-11 13:38:52 +00:00 · 2011-03-11 13:38:52 +00:00 · ee4e004cc4
parent 64d871c0d9
commit ee4e004cc4
3 changed files with 52 additions and 1 deletions
--- a/modules/testing/test-instrumentation.nix
+++ b/modules/testing/test-instrumentation.nix
@ -24,7 +24,10 @@ in
  config = {

    jobs.backdoor =
-      { startOn = "ip-up";
+      { # If the firewall is enabled, this job must start *after* the
+        # firewall, otherwise connection tracking won't know about
+        # this connection.
+        startOn = if config.networking.firewall.enable then "started firewall" else "ip-up";
        stopOn = "never";
        
        script =
--- a/tests/default.nix
+++ b/tests/default.nix
@ -9,6 +9,7 @@ with import ../lib/testing.nix { inherit nixpkgs services system; };
  avahi = makeTest (import ./avahi.nix);
  bittorrent = makeTest (import ./bittorrent.nix);
  firefox = makeTest (import ./firefox.nix);
+  firewall = makeTest (import ./firewall.nix);
  installer = makeTests (import ./installer.nix);
  ipv6 = makeTest (import ./ipv6.nix);
  kde4 = makeTest (import ./kde4.nix);
--- a/tests/firewall.nix
+++ b/tests/firewall.nix
@ -0,0 +1,47 @@
+# Test the firewall module.
+
+{ pkgs, ... }:
+
+{
+
+  nodes =
+    { walled = 
+        { config, pkgs, nodes, ... }:
+        { networking.firewall.enable = true;
+          networking.firewall.logRefusedPackets = true;
+          services.httpd.enable = true;
+          services.httpd.adminAddr = "foo@example.org";
+        };
+
+      attacker = 
+        { config, pkgs, ... }:
+        { services.httpd.enable = true;
+          services.httpd.adminAddr = "foo@example.org";
+        };
+    };
+
+  testScript =
+    { nodes, ... }:
+    ''
+      startAll;
+
+      $walled->waitForJob("firewall");
+      $walled->waitForJob("httpd");
+
+      # Local connections should still work.
+      $walled->succeed("curl -v http://localhost/ >&2");
+
+      # Connections to the firewalled machine should fail.
+      $attacker->fail("curl -v http://walled/ >&2");
+      $attacker->fail("ping -c 1 walled >&2");
+
+      # Outgoing connections/pings should still work.
+      $walled->succeed("curl -v http://attacker/ >&2");
+      $walled->succeed("ping -c 1 attacker >&2");
+
+      # If we stop the firewall, then connections should succeed.
+      $walled->succeed("stop firewall");
+      $attacker->succeed("curl -v http://walled/ >&2");
+    '';
+
+}