# This is a simple distributed test involving a topology with two
# separate virtual networks - the "inside" and the "outside" - with a
# client on the inside network, a server on the outside network, and a
# router connected to both that performs Network Address Translation
# for the client.  It checks that client-initiated flows (HTTP, ICMP,
# passive FTP) traverse the NAT, that an unsolicited inbound connection
# (active-FTP data channel) does NOT get through unless a conntrack helper
# is explicitly enabled, and that connectivity disappears when NAT is
# switched off.  The variants are selected by the `withFirewall` (NAT rules
# installed by the firewall service vs. a standalone NAT service) and
# `withConntrackHelpers` arguments.
import ./make-test.nix ({ pkgs, lib, withFirewall, withConntrackHelpers ? false, ... }:
let
# Systemd unit the test script waits on before pushing traffic through the
# router: presumably the NAT rules are installed by firewall.service when the
# firewall is enabled and by a standalone nat.service otherwise (the script
# later has to start nat.service by hand in the standalone case).
unit = if withFirewall then "firewall" else "nat";
# Configuration shared by both router variants (NAT on / NAT off).
#
# Interface layout: the test driver hands out NICs in the order of
# `virtualisation.vlans`, so VLAN 2 (outside, where the server lives) becomes
# eth1 and VLAN 1 (inside, where the client lives) becomes eth2.  The
# `externalInterface = "eth1"` setting below depends on that ordering, as does
# the client's default gateway (the router's eth2 address).
# `internalIPs` names the inside subnet; the driver presumably numbers VLAN 1
# as 192.168.1.0/24 -- confirm against the test driver if the VLAN ids change.
#
# Security note: `autoLoadConntrackHelpers = true` turns on automatic conntrack
# helper assignment, i.e. the ftp helper is attached to *every* connection on
# its port rather than only to flows an explicit rule selects.  Upstream
# netfilter documentation warns that automatic assignment is insecure (a peer
# can use the helper to open expected-connection holes through the NAT), which
# is why NixOS leaves it off by default.  It is enabled here solely so the
# active-FTP path of this test can be exercised; do not copy this into a real
# router configuration -- use explicit helper rules instead.
# NOTE(review): these are networking.firewall.* options; whether they are
# honoured when `networking.firewall.enable` is false is not visible from this
# file -- confirm that the conntrack variant is only ever run with
# withFirewall = true.
routerBase =
  lib.mkMerge (
    [
      {
        virtualisation.vlans = [ 2 1 ];
        networking.firewall.enable = withFirewall;
        networking.nat.internalIPs = [ "192.168.1.0/24" ];
        networking.nat.externalInterface = "eth1";
      }
    ]
    ++ lib.optional withConntrackHelpers {
      networking.firewall.connectionTrackingModules = [ "ftp" ];
      networking.firewall.autoLoadConntrackHelpers = true;
    }
  );
in
{
# Test name encodes the variant, e.g. "natWithFirewall",
# "natStandalone" or "natWithFirewallwithConntrackHelpers".
name = "nat${if withFirewall then "WithFirewall" else "Standalone"}"
  + lib.optionalString withConntrackHelpers "withConntrackHelpers";
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ eelco chaoflow rob wkennington ];
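# The four machine definitions.  Only client, router and server are booted;
# routerDummyNoNat is a second configuration for the router that the test
# script activates in place with switch-to-configuration.
nodes = {
  # Inside host.  Lives on VLAN 1 only and routes everything via the router's
  # inside interface -- eth2, because VLAN 1 is the *second* entry of the
  # router's virtualisation.vlans.  `lib.head` is used (rather than pkgs.lib)
  # for consistency with the rest of this file.
  #
  # The client's firewall is left at its NixOS default (enabled).  The
  # active-FTP data connection is opened by the *server* towards the client,
  # so presumably it only gets past the client's firewall when the ftp
  # conntrack helper classifies it as RELATED -- hence the helper snippet
  # below, mirrored from routerBase.  NOTE(review): keep the two in sync.
  client = { nodes, ... }:
    lib.mkMerge [
      {
        virtualisation.vlans = [ 1 ];
        networking.defaultGateway =
          (lib.head nodes.router.config.networking.interfaces.eth2.ipv4.addresses).address;
      }
      (lib.optionalAttrs withConntrackHelpers {
        networking.firewall.connectionTrackingModules = [ "ftp" ];
        networking.firewall.autoLoadConntrackHelpers = true;
      })
    ];

  # The router under test: routerBase with NAT switched on.
  router = { ... }:
    lib.mkMerge [
      routerBase
      { networking.nat.enable = true; }
    ];

  # Same router with NAT switched off.  Never started as its own VM; the test
  # script switches the running router to this closure to verify that the
  # client loses connectivity once NAT is gone, then switches back.
  routerDummyNoNat = { ... }:
    lib.mkMerge [
      routerBase
      { networking.nat.enable = false; }
    ];

  # Outside host offering the HTTP and anonymous-FTP targets.  Its firewall is
  # disabled and FTP is anonymous on purpose, so that only the router's NAT
  # behaviour decides whether the client can reach these services.  This is a
  # test fixture, not a server configuration to reuse.
  server = { ... }: {
    virtualisation.vlans = [ 2 ];
    networking.firewall.enable = false;
    services.httpd.enable = true;
    services.httpd.adminAddr = "foo@example.org";
    services.vsftpd.enable = true;
    services.vsftpd.anonymousUser = true;
  };
};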
# Driver script (Perl, run by the NixOS test driver).  The steps are strictly
# ordered: each relies on the state established by the previous ones, and the
# NAT-off check is done by reconfiguring the already-running router in place.
testScript =
{ nodes, ... }: let
# System closures of the two router variants; `switch-to-configuration test`
# from these toggles NAT on the live router without a reboot.
routerDummyNoNatClosure = nodes.routerDummyNoNat.config.system.build.toplevel;
routerClosure = nodes.router.config.system.build.toplevel;
in ''
# Only these three machines are booted; routerDummyNoNat is a configuration,
# not a separate VM.
$client->start;
$router->start;
$server->start;
# The router should have access to the server.
# (Both are on the outside VLAN, so this path does not involve NAT at all;
# it rules out a broken server before the NAT assertions run.)
$server->waitForUnit("network.target");
$server->waitForUnit("httpd");
$router->waitForUnit("network.target");
$router->succeed("curl --fail http://server/ >&2");
# The client should be also able to connect via the NAT router.
# Both flows (TCP and ICMP) are initiated by the inside host, which is the
# case plain source NAT is expected to handle.
$router->waitForUnit("${unit}");
$client->waitForUnit("network.target");
$client->succeed("curl --fail http://server/ >&2");
$client->succeed("ping -c 1 server >&2");
# Test whether passive FTP works.
# In passive mode the data connection is opened by the client too, so it
# must work without any conntrack helper.
# NOTE(review): /home/ftp is assumed to be vsftpd's anonymous home -- confirm
# against services.vsftpd.anonymousUserHome if this path ever fails.
$server->waitForUnit("vsftpd");
$server->succeed("echo Hello World > /home/ftp/foo.txt");
$client->succeed("curl -v ftp://server/foo.txt >&2");
# Test whether active FTP works.
# `-P -` makes curl use active mode: the *server* connects back to a port the
# client announced via the PORT command.  That is an unsolicited inbound
# connection through the NAT, so it may only succeed when the ftp conntrack
# helper rewrites PORT and sets up an expectation.  Without helpers the call
# MUST fail -- that failure is the security-relevant assertion here: a
# plain NAT must not let outside hosts open connections to inside hosts.
$client->${if withConntrackHelpers then "succeed" else "fail"}(
"curl -v -P - ftp://server/foo.txt >&2");
# Test ICMP.
# Router <-> client on the inside VLAN (no translation involved).
$client->succeed("ping -c 1 router >&2");
$router->succeed("ping -c 1 client >&2");
# If we turn off NAT, the client shouldn't be able to reach the server.
# This only shows that translation is gone; it does not distinguish
# "router stopped forwarding" from "server has no return route to the inside
# subnet".  The curl has an explicit timeout; the ping relies on its own
# default wait before reporting failure.
$router->succeed("${routerDummyNoNatClosure}/bin/switch-to-configuration test 2>&1");
$client->fail("curl --fail --connect-timeout 5 http://server/ >&2");
$client->fail("ping -c 1 server >&2");
# And make sure that reloading the NAT job works.
$router->succeed("${routerClosure}/bin/switch-to-configuration test 2>&1");
# FIXME: this should not be necessary, but nat.service is not started because
# network.target is not triggered
# (https://github.com/NixOS/nixpkgs/issues/16230#issuecomment-226408359)
# Only the standalone variant needs the kick; with the firewall enabled the
# rules come back with firewall.service.
${lib.optionalString (!withFirewall) ''
$router->succeed("systemctl start nat.service");
''}
$client->succeed("curl --fail http://server/ >&2");
$client->succeed("ping -c 1 server >&2");
'';
})