nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-22 15:03:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

nixos/networkd: test routingPolicyRules with a nixos vm test

Browse Source
This commit is contained in:
Félix Baylac-Jacqué 2020-02-29 19:34:48 +01:00
parent 611d765b76
commit 9897d83f58
3 changed files with 52 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
nixos/modules/system/boot/networkd.nix
View File

@ -67,7 +67,12 @@ let
(assertOnlyFields [ (assertOnlyFields [
"PrivateKeyFile" "ListenPort" "FwMark" "PrivateKeyFile" "ListenPort" "FwMark"
]) ])
(assertRange "FwMark" 1 4294967295) # The following check won't work on nix <= 2.2
# see https://github.com/NixOS/nix/pull/2378
#
# Add this again when we'll have drop the
# nix < 2.2 support.
# (assertRange "FwMark" 1 4294967295)
]; ];
# NOTE The PresharedKey directive is missing on purpose here, please # NOTE The PresharedKey directive is missing on purpose here, please
@ -181,7 +186,12 @@ let
(assertOnlyFields [ (assertOnlyFields [
"InterfaceId" "Independent" "InterfaceId" "Independent"
]) ])
(assertRange "InterfaceId" 1 4294967295) # The following check won't work on nix <= 2.2
# see https://github.com/NixOS/nix/pull/2378
#
# Add this again when we'll have drop the
# nix < 2.2 support.
# (assertRange "InterfaceId" 1 4294967295)
(assertValueOneOf "Independent" boolValues) (assertValueOneOf "Independent" boolValues)
]; ];
@ -242,7 +252,12 @@ let
"IPProtocol" "InvertRule" "Family" "IPProtocol" "InvertRule" "Family"
]) ])
(assertRange "TypeOfService" 0 255) (assertRange "TypeOfService" 0 255)
(assertRange "FirewallMark" 1 4294967295) # The following check won't work on nix <= 2.2
# see https://github.com/NixOS/nix/pull/2378
#
# Add this again when we'll have drop the
# nix < 2.2 support.
# (assertRange "FirewallMark" 1 4294967295)
(assertInt "Priority") (assertInt "Priority")
(assertPort "SourcePort") (assertPort "SourcePort")
(assertPort "DestinationPort") (assertPort "DestinationPort")
@ -554,7 +569,7 @@ let
options = { options = {
routingPolicyRuleConfig = mkOption { routingPolicyRuleConfig = mkOption {
default = { }; default = { };
example = { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; } ;}; example = { routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; Family = "both"; } ;};
type = types.addCheck (types.attrsOf unitOption) checkRoutingPolicyRule; type = types.addCheck (types.attrsOf unitOption) checkRoutingPolicyRule;
description = '' description = ''
Each attribute in this set specifies an option in the Each attribute in this set specifies an option in the

2
nixos/tests/all-tests.nix
View File

@ -283,7 +283,7 @@ in
systemd-confinement = handleTest ./systemd-confinement.nix {}; systemd-confinement = handleTest ./systemd-confinement.nix {};
systemd-timesyncd = handleTest ./systemd-timesyncd.nix {}; systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
systemd-networkd-vrf = handleTest ./systemd-networkd-vrf.nix {}; systemd-networkd-vrf = handleTest ./systemd-networkd-vrf.nix {};
systemd-networkd-wireguard = handleTest ./systemd-networkd-wireguard.nix {}; systemd-networkd = handleTest ./systemd-networkd.nix {};
systemd-nspawn = handleTest ./systemd-nspawn.nix {}; systemd-nspawn = handleTest ./systemd-nspawn.nix {};
pdns-recursor = handleTest ./pdns-recursor.nix {}; pdns-recursor = handleTest ./pdns-recursor.nix {};
taskserver = handleTest ./taskserver.nix {}; taskserver = handleTest ./taskserver.nix {};

35
nixos/tests/systemd-networkd-wireguard.nix → nixos/tests/systemd-networkd.nix
View File

@ -41,15 +41,25 @@ let generateNodeConf = { lib, pkgs, config, privk, pubk, peerId, nodeId, ...}: {
{ routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; } { routeConfig = { Gateway = "10.0.0.${nodeId}"; Destination = "10.0.0.0/24"; }; }
]; ];
}; };
"90-eth1" = { "30-eth1" = {
matchConfig = { Name = "eth1"; }; matchConfig = { Name = "eth1"; };
address = [ "192.168.1.${nodeId}/24" ]; address = [
"192.168.1.${nodeId}/24"
"fe80::${nodeId}/64"
];
routingPolicyRules = [
{ routingPolicyRuleConfig = { Table = 10; IncomingInterface = "eth1"; Family = "both"; };}
{ routingPolicyRuleConfig = { Table = 20; OutgoingInterface = "eth1"; };}
{ routingPolicyRuleConfig = { Table = 30; From = "192.168.1.1"; To = "192.168.1.2"; SourcePort = 666 ; DestinationPort = 667; };}
{ routingPolicyRuleConfig = { Table = 40; IPProtocol = "tcp"; InvertRule = true; };}
{ routingPolicyRuleConfig = { Table = 50; IncomingInterface = "eth1"; Family = "ipv4"; };}
];
}; };
}; };
}; };
}; };
in import ./make-test-python.nix ({pkgs, ... }: { in import ./make-test-python.nix ({pkgs, ... }: {
name = "networkd-wireguard"; name = "networkd";
meta = with pkgs.stdenv.lib.maintainers; { meta = with pkgs.stdenv.lib.maintainers; {
maintainers = [ ninjatrappeur ]; maintainers = [ ninjatrappeur ];
}; };
@ -76,9 +86,28 @@ testScript = ''
start_all() start_all()
node1.wait_for_unit("systemd-networkd-wait-online.service") node1.wait_for_unit("systemd-networkd-wait-online.service")
node2.wait_for_unit("systemd-networkd-wait-online.service") node2.wait_for_unit("systemd-networkd-wait-online.service")
# ================================
# Wireguard
# ================================
node1.succeed("ping -c 5 10.0.0.2") node1.succeed("ping -c 5 10.0.0.2")
node2.succeed("ping -c 5 10.0.0.1") node2.succeed("ping -c 5 10.0.0.1")
# Is the fwmark set? # Is the fwmark set?
node2.succeed("wg | grep -q 42") node2.succeed("wg | grep -q 42")
# ================================
# Routing Policies
# ================================
# Testing all the routingPolicyRuleConfig members:
# Table + IncomingInterface
node1.succeed("sudo ip rule | grep 'from all iif eth1 lookup 10'")
# OutgoingInterface
node1.succeed("sudo ip rule | grep 'from all oif eth1 lookup 20'")
# From + To + SourcePort + DestinationPort
node1.succeed(
"sudo ip rule | grep 'from 192.168.1.1 to 192.168.1.2 sport 666 dport 667 lookup 30'"
)
# IPProtocol + InvertRule
node1.succeed("sudo ip rule | grep 'not from all ipproto tcp lookup 40'")
''; '';
}) })