Unverified Commit e973da60 authored by Robert Hensing's avatar Robert Hensing Committed by GitHub
Browse files

Merge pull request #200225 from pacien/nixos-qemu-vm-restrictnetwork 

nixos/qemu-vm: add option "restrictNetwork"
parents eea5d792 b25e0e8e

nixos/modules/virtualisation/qemu-vm.nix

+16 −1
Original line number Diff line number Diff line
@@ -528,6 +528,20 @@ in 
        '';

    };



    virtualisation.restrictNetwork =

      mkOption {

        type = types.bool;

        default = false;

        example = true;

        description =

          lib.mdDoc ''

            If this option is enabled, the guest will be isolated, i.e. it will

            not be able to contact the host and no guest IP packets will be

            routed over the host to the outside. This option does not affect

            any explicitly set forwarding rules.

          '';

      };



    virtualisation.vlans =

      mkOption {

        type = types.listOf types.ints.unsigned;
@@ -936,10 +950,11 @@ in 
              else "'guestfwd=${proto}:${guest.address}:${toString guest.port}-" +

                   "cmd:${pkgs.netcat}/bin/nc ${host.address} ${toString host.port}',"

          );

        restrictNetworkOption = lib.optionalString cfg.restrictNetwork "restrict=on,";

      in

      [

        "-net nic,netdev=user.0,model=virtio"

        "-netdev user,id=user.0,${forwardingOptions}\"$QEMU_NET_OPTS\""

        "-netdev user,id=user.0,${forwardingOptions}${restrictNetworkOption}\"$QEMU_NET_OPTS\""

      ];



    # FIXME: Consolidate this one day.

nixos/tests/all-tests.nix

+1 −0
Original line number Diff line number Diff line
@@ -558,6 +558,7 @@ in { 
  public-inbox = handleTest ./public-inbox.nix {};

  pulseaudio = discoverTests (import ./pulseaudio.nix);

  qboot = handleTestOn ["x86_64-linux" "i686-linux"] ./qboot.nix {};

  qemu-vm-restrictnetwork = handleTest ./qemu-vm-restrictnetwork.nix {};

  quorum = handleTest ./quorum.nix {};

  quake3 = handleTest ./quake3.nix {};

  rabbitmq = handleTest ./rabbitmq.nix {};

nixos/tests/qemu-vm-restrictnetwork.nix

0 → 100644
+36 −0
Original line number Diff line number Diff line 
import ./make-test-python.nix ({

  name = "qemu-vm-restrictnetwork";



  nodes = {

    unrestricted = { config, pkgs, ... }: {

      virtualisation.restrictNetwork = false;

    };



    restricted = { config, pkgs, ... }: {

      virtualisation.restrictNetwork = true;

    };

  };



  testScript = ''

    import os



    if os.fork() == 0:

      # Start some HTTP server on the qemu host to test guest isolation.

      from http.server import HTTPServer, BaseHTTPRequestHandler

      HTTPServer(("", 8000), BaseHTTPRequestHandler).serve_forever()



    else:

      start_all()

      unrestricted.wait_for_unit("network-online.target")

      restricted.wait_for_unit("network-online.target")



      # Guests should be able to reach each other on the same VLAN.

      unrestricted.succeed("ping -c1 restricted")

      restricted.succeed("ping -c1 unrestricted")



      # Only the unrestricted guest should be able to reach host services.

      # 10.0.2.2 is the gateway mapping to the host's loopback interface.

      unrestricted.succeed("curl -s http://10.0.2.2:8000")

      restricted.fail("curl -s http://10.0.2.2:8000")

    '';

})