mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-22 15:03:28 +00:00
nixos/networkd: test routingPolicyRules with a nixos vm test
This commit is contained in:
parent
611d765b76
commit
9897d83f58
@ -67,7 +67,12 @@ let
|
||||
(assertOnlyFields [
|
||||
"PrivateKeyFile" "ListenPort" "FwMark"
|
||||
])
|
||||
(assertRange "FwMark" 1 4294967295)
|
||||
# The following check won't work on nix <= 2.2
|
||||
# see https://github.com/NixOS/nix/pull/2378
|
||||
#
|
||||
# Add this again when we'll have drop the
|
||||
# nix < 2.2 support.
|
||||
# (assertRange "FwMark" 1 4294967295)
|
||||
];
|
||||
|
||||
# NOTE The PresharedKey directive is missing on purpose here, please
|
||||
@ -181,7 +186,12 @@ let
|
||||
(assertOnlyFields [
|
||||
"InterfaceId" "Independent"
|
||||
])
|
||||
(assertRange "InterfaceId" 1 4294967295)
|
||||
# The following check won't work on nix <= 2.2
|
||||
# see https://github.com/NixOS/nix/pull/2378
|
||||
#
|
||||
# Add this again when we'll have drop the
|
||||
# nix < 2.2 support.
|
||||
# (assertRange "InterfaceId" 1 4294967295)
|
||||
(assertValueOneOf "Independent" boolValues)
|
||||
];
|
||||
|
||||
@ -242,7 +252,12 @@ let
|
||||
"IPProtocol" "InvertRule" "Family"
|
||||
])
|
||||
(assertRange "TypeOfService" 0 255)
|
||||
(assertRange "FirewallMark" 1 4294967295)
|
||||
# The following check won't work on nix <= 2.2
|
||||
# see https://github.com/NixOS/nix/pull/2378
|
||||
#
|
||||
# Add this again when we'll have drop the
|
||||
# nix < 2.2 support.
|
||||
# (assertRange "FirewallMark" 1 4294967295)
|
||||
(assertInt "Priority")
|
||||
(assertPort "SourcePort")
|
||||
(assertPort "DestinationPort")
|
||||
@ -554,7 +569,7 @@ let
|
||||
options = {
|
||||
routingPolicyRuleConfig = mkOption {
|
||||
default = { };
|
||||
example = { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; } ;};
|
||||
example = { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; Family = "both"; } ;};
|
||||
type = types.addCheck (types.attrsOf unitOption) checkRoutingPolicyRule;
|
||||
description = ''
|
||||
Each attribute in this set specifies an option in the
|
||||
|
@ -283,7 +283,7 @@ in
|
||||
systemd-confinement = handleTest ./systemd-confinement.nix {};
|
||||
systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
|
||||
systemd-networkd-vrf = handleTest ./systemd-networkd-vrf.nix {};
|
||||
systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {};
|
||||
systemd-networkd = handleTest ./systemd-networkd.nix {};
|
||||
systemd-nspawn = handleTest ./systemd-nspawn.nix {};
|
||||
pdns-recursor = handleTest ./pdns-recursor.nix {};
|
||||
taskserver = handleTest ./taskserver.nix {};
|
||||
|
@ -41,15 +41,25 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
|
||||
{ routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
|
||||
];
|
||||
};
|
||||
"90-eth1" = {
|
||||
"30-eth1" = {
|
||||
matchConfig = { Name = "eth1"; };
|
||||
address = [ "192.168.1.${nodeId}/24" ];
|
||||
address = [
|
||||
"192.168.1.${nodeId}/24"
|
||||
"fe80::${nodeId}/64"
|
||||
];
|
||||
routingPolicyRules = [
|
||||
{ routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; Family = "both"; };}
|
||||
{ routingPolicyRuleConfig = { Table = 20; OutgoingInterface = "eth1"; };}
|
||||
{ routingPolicyRuleConfig = { Table = 30; From = "192.168.1.1"; To = "192.168.1.2"; SourcePort = 666 ; DestinationPort = 667; };}
|
||||
{ routingPolicyRuleConfig = { Table = 40; IPProtocol = "tcp"; InvertRule = true; };}
|
||||
{ routingPolicyRuleConfig = { Table = 50; IncomingInterface = "eth1"; Family = "ipv4"; };}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
in import ./make-test-python.nix ({pkgs, ... }: {
|
||||
name = "networkd-wireguard";
|
||||
name = "networkd";
|
||||
meta = with pkgs.stdenv.lib.maintainers; {
|
||||
maintainers = [ ninjatrappeur ];
|
||||
};
|
||||
@ -76,9 +86,28 @@ testScript = ''
|
||||
start_all()
|
||||
node1.wait_for_unit("systemd-networkd-wait-online.service")
|
||||
node2.wait_for_unit("systemd-networkd-wait-online.service")
|
||||
|
||||
# ================================
|
||||
# Wireguard
|
||||
# ================================
|
||||
node1.succeed("ping -c 5 10.0.0.2")
|
||||
node2.succeed("ping -c 5 10.0.0.1")
|
||||
# Is the fwmark set?
|
||||
node2.succeed("wg | grep -q 42")
|
||||
|
||||
# ================================
|
||||
# Routing Policies
|
||||
# ================================
|
||||
# Testing all the routingPolicyRuleConfig members:
|
||||
# Table + IncomingInterface
|
||||
node1.succeed("sudo ip rule | grep 'from all iif eth1 lookup 10'")
|
||||
# OutgoingInterface
|
||||
node1.succeed("sudo ip rule | grep 'from all oif eth1 lookup 20'")
|
||||
# From + To + SourcePort + DestinationPort
|
||||
node1.succeed(
|
||||
"sudo ip rule | grep 'from 192.168.1.1 to 192.168.1.2 sport 666 dport 667 lookup 30'"
|
||||
)
|
||||
# IPProtocol + InvertRule
|
||||
node1.succeed("sudo ip rule | grep 'not from all ipproto tcp lookup 40'")
|
||||
'';
|
||||
})
|
Loading…
Reference in New Issue
Block a user