Loading nixos/tests/all-tests.nix +6 −2 Original line number Diff line number Diff line Loading @@ -569,11 +569,15 @@ in firejail = runTest ./firejail.nix; firewall = runTest { imports = [ ./firewall.nix ]; _module.args.nftables = false; _module.args.backend = "iptables"; }; firewall-firewalld = runTest { imports = [ ./firewall.nix ]; _module.args.backend = "firewalld"; }; firewall-nftables = runTest { imports = [ ./firewall.nix ]; _module.args.nftables = true; _module.args.backend = "nftables"; }; firezone = runTest ./firezone/firezone.nix; fish = runTest ./fish.nix; Loading nixos/tests/firewall.nix +14 −6 Original line number Diff line number Diff line # Test the firewall module. { lib, nftables, ... }: { lib, backend, ... }: { name = "firewall" + lib.optionalString nftables "-nftables"; name = "firewall-${backend}"; meta = with lib.maintainers; { maintainers = [ prince213 rvfg garyguo ]; Loading Loading @@ -59,7 +60,8 @@ }; }; }; networking.nftables.enable = nftables; services.firewalld.enable = backend == "firewalld"; networking.nftables.enable = backend != "iptables"; services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; Loading @@ -80,7 +82,13 @@ testScript = { nodes, ... }: let unit = if nftables then "nftables" else "firewall"; unit = if backend == "iptables" then "firewall" else backend; openPort = if backend == "firewalld" then "firewall-cmd --add-port=80/tcp" else "nixos-firewall-tool open tcp 80"; reset = if backend == "firewalld" then "firewall-cmd --reload" else "nixos-firewall-tool reset"; in '' start_all() Loading 
@@ -101,11 +109,11 @@ walled.succeed("ping -c 1 attacker >&2") # Open tcp port 80 at runtime walled.succeed("nixos-firewall-tool open tcp 80") walled.succeed("${openPort}") attacker.succeed("curl -v http://walled/ >&2") # Reset the firewall walled.succeed("nixos-firewall-tool reset") walled.succeed("${reset}") attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2") # If we stop the firewall, then connections should succeed. Loading pkgs/by-name/fi/firewalld/package.nix +5 −0 Original line number Diff line number Diff line Loading @@ -26,6 +26,7 @@ sysctl, wrapGAppsNoGuiHook, withGui ? false, nixosTests, }: let Loading Loading @@ -153,6 +154,10 @@ stdenv.mkDerivation rec { wrapPythonProgramsIn "$out/bin" "$out ${pythonPath}" ''; passthru.tests = { firewall-firewalld = nixosTests.firewall-firewalld; }; meta = { description = "Firewall daemon with D-Bus interface"; homepage = "https://firewalld.org"; Loading Loading
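Review bot: `backend` is accepted without validation in the new header `{ lib, backend, ... }:`, so a misspelled value falls through `networking.nftables.enable = backend != "iptables"` and `unit = if backend == "iptables" then "firewall" else backend` into an nftables configuration whose script then waits on a unit that does not exist, instead of failing at evaluation; add `assert lib.elem backend [ "iptables" "nftables" "firewalld" ];` between the argument pattern and the attribute set. The new argument is otherwise documented only by its call sites in all-tests.nix, so a comment beside the header such as `# backend selects the rule engine under test and the tool the script drives: "iptables", "nftables" or "firewalld"` would help the next reader. For the firewalld variant the hunk also turns on `networking.nftables.enable`; whether the NixOS firewall ruleset stays loaded next to firewalld's own is not visible here, so it is worth confirming that the later "stop the firewall" check (which stops `unit`, i.e. `firewalld`) really observes firewalld alone and not a second ruleset. The enclosing test module continues past the hunk, and this file section is rendered a second time further down the page.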
nixos/tests/all-tests.nix +6 −2 Original line number Diff line number Diff line Loading @@ -569,11 +569,15 @@ in firejail = runTest ./firejail.nix; firewall = runTest { imports = [ ./firewall.nix ]; _module.args.nftables = false; _module.args.backend = "iptables"; }; firewall-firewalld = runTest { imports = [ ./firewall.nix ]; _module.args.backend = "firewalld"; }; firewall-nftables = runTest { imports = [ ./firewall.nix ]; _module.args.nftables = true; _module.args.backend = "nftables"; }; firezone = runTest ./firezone/firezone.nix; fish = runTest ./fish.nix; Loading
nixos/tests/firewall.nix +14 −6 Original line number Diff line number Diff line # Test the firewall module. { lib, nftables, ... }: { lib, backend, ... }: { name = "firewall" + lib.optionalString nftables "-nftables"; name = "firewall-${backend}"; meta = with lib.maintainers; { maintainers = [ prince213 rvfg garyguo ]; Loading Loading @@ -59,7 +60,8 @@ }; }; }; networking.nftables.enable = nftables; services.firewalld.enable = backend == "firewalld"; networking.nftables.enable = backend != "iptables"; services.httpd.enable = true; services.httpd.adminAddr = "foo@example.org"; Loading @@ -80,7 +82,13 @@ testScript = { nodes, ... }: let unit = if nftables then "nftables" else "firewall"; unit = if backend == "iptables" then "firewall" else backend; openPort = if backend == "firewalld" then "firewall-cmd --add-port=80/tcp" else "nixos-firewall-tool open tcp 80"; reset = if backend == "firewalld" then "firewall-cmd --reload" else "nixos-firewall-tool reset"; in '' start_all() Loading @@ -101,11 +109,11 @@ walled.succeed("ping -c 1 attacker >&2") # Open tcp port 80 at runtime walled.succeed("nixos-firewall-tool open tcp 80") walled.succeed("${openPort}") attacker.succeed("curl -v http://walled/ >&2") # Reset the firewall walled.succeed("nixos-firewall-tool reset") walled.succeed("${reset}") attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2") # If we stop the firewall, then connections should succeed. Loading
pkgs/by-name/fi/firewalld/package.nix +5 −0 Original line number Diff line number Diff line Loading @@ -26,6 +26,7 @@ sysctl, wrapGAppsNoGuiHook, withGui ? false, nixosTests, }: let Loading Loading @@ -153,6 +154,10 @@ stdenv.mkDerivation rec { wrapPythonProgramsIn "$out/bin" "$out ${pythonPath}" ''; passthru.tests = { firewall-firewalld = nixosTests.firewall-firewalld; }; meta = { description = "Firewall daemon with D-Bus interface"; homepage = "https://firewalld.org"; Loading