# Regression test: once the user has enabled nftables, lxd must stop
# implicitly depending on iptables.
#
# It was split out of `lxd.nix` for clarity, and because switching a machine
# from iptables to nftables requires a full reboot, which is a bit hard to do
# inside a NixOS test.

import ../make-test-python.nix ({ pkgs, ...} : {
  name = "lxd-nftables";

  meta.maintainers = with pkgs.lib.maintainers; [ patryk27 ];

  nodes.machine = { lib, ... }: {
    virtualisation.lxd.enable = true;

    # The NixOS firewall module is switched off and each of the three chains
    # below has `policy accept` with no rules, so this VM filters nothing.
    # The assertions in testScript only look at which kernel modules are
    # loaded, never at filtering behaviour; treat this ruleset as a test
    # fixture, not as a template for a host that runs lxd.
    networking = {
      firewall.enable = false;

      nftables = {
        enable = true;

        # A single `inet` table named "filter" with one base chain per hook
        # (input, forward, output).
        tables.filter = {
          family = "inet";
          content = ''
            chain incoming {
              type filter hook input priority 0;
              policy accept;
            }

            chain forward {
              type filter hook forward priority 0;
              policy accept;
            }

            chain output {
              type filter hook output priority 0;
              policy accept;
            }
          '';
        };
      };
    };
  };

  # Waits for network.target, then checks `lsmod`: nf_tables must be listed
  # and ip_tables must not be.
  #
  # NOTE(review): `grep` matches the string anywhere on an lsmod line, and only
  # the `ip_tables` name is checked; other legacy xtables modules (for example
  # the IPv6 one) are not covered - confirm that this is intended.
  # NOTE(review): nothing here waits for an lxd unit or runs an lxd command, so
  # the check presumably reflects what is loaded by the time network.target is
  # reached rather than what lxd loads when it is first used - confirm.
  testScript = ''
    machine.wait_for_unit("network.target")

    with subtest("When nftables are enabled, lxd doesn't depend on iptables anymore"):
        machine.succeed("lsmod | grep nf_tables")
        machine.fail("lsmod | grep ip_tables")
  '';
})