# This test makes sure that lxd stops implicitly depending on iptables when
# the user enables nftables (i.e. starting lxd must not load ip_tables).
3#
4# It has been extracted from `lxd.nix` for clarity, and because switching from
5# iptables to nftables requires a full reboot, which is a bit hard inside NixOS
6# tests.
7
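import ./make-test-python.nix ({ pkgs, ...} : {
  name = "lxd-nftables";

  meta = with pkgs.lib.maintainers; {
    maintainers = [ patryk27 ];
  };

  nodes.machine = { lib, ... }: {
    virtualisation = {
      lxd.enable = true;
    };

    networking = {
      # The NixOS firewall module is turned off so that it cannot load iptables
      # on its own; the only packet-filter configuration on this machine is the
      # nftables ruleset below. Any ip_tables module that shows up must then
      # have been pulled in by lxd.
      firewall.enable = false;
      nftables.enable = true;
      # Deliberately permissive ("policy accept" on every hook): the test only
      # needs *some* nftables ruleset loaded so that nf_tables is present and
      # lxd can detect it. This is a test fixture, not a firewall to reuse.
      nftables.ruleset = ''
        table inet filter {
          chain incoming {
            type filter hook input priority 0;
            policy accept;
          }

          chain forward {
            type filter hook forward priority 0;
            policy accept;
          }

          chain output {
            type filter hook output priority 0;
            policy accept;
          }
        }
      '';
    };
  };

  testScript = ''
    machine.wait_for_unit("network.target")
    # lsmod only reports modules loaded so far. The ruleset is installed by
    # nftables.service, and the claim under test is about what lxd does when it
    # starts, so both units must be up before the assertions mean anything;
    # checking before lxd.service has started would pass vacuously.
    machine.wait_for_unit("nftables.service")
    machine.wait_for_unit("lxd.service")

    with subtest("When nftables are enabled, lxd doesn't depend on iptables anymore"):
        # nf_tables is expected from the ruleset above; ip_tables must not have
        # been loaded by anything, lxd included.
        # NOTE(review): no managed network (lxdbr0) is created here, so whether
        # lxd would program firewall rules at all in this scenario is not
        # exercised -- confirm this covers the regression it was written for.
        machine.succeed("lsmod | grep nf_tables")
        machine.fail("lsmod | grep ip_tables")
  '';
})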