commit e973da60cdd84e1de9a0e510c6fbe39849d443e1 · pyrox.dev/nixpkgs

+16 -1

nixos/modules/virtualisation/qemu-vm.nix

···

       528
       528
        
               '';

     

       529
       529
        
           };

     

       530
       530
        
       

     

       531
       531
       +
           virtualisation.restrictNetwork =

     

       532
       532
       +
             mkOption {

     

       533
       533
       +
               type = types.bool;

     

       534
       534
       +
               default = false;

     

       535
       535
       +
               example = true;

     

       536
       536
       +
               description =

     

       537
       537
       +
                 lib.mdDoc ''

     

       538
       538
       +
                   If this option is enabled, the guest will be isolated, i.e. it will

     

       539
       539
       +
                   not be able to contact the host and no guest IP packets will be

     

       540
       540
       +
                   routed over the host to the outside. This option does not affect

     

       541
       541
       +
                   any explicitly set forwarding rules.

     

       542
       542
       +
                 '';

     

       543
       543
       +
             };

     

       544
       544
       +
       

     

       531
       545
        
           virtualisation.vlans =

     

       532
       546
        
             mkOption {

     

       533
       547
        
               type = types.listOf types.ints.unsigned;

     
···

       936
       950
        
                     else "'guestfwd=${proto}:${guest.address}:${toString guest.port}-" +

     

       937
       951
        
                          "cmd:${pkgs.netcat}/bin/nc ${host.address} ${toString host.port}',"

     

       938
       952
        
                 );

     

       953
       953
       +
               restrictNetworkOption = lib.optionalString cfg.restrictNetwork "restrict=on,";

     

       939
       954
        
             in

     

       940
       955
        
             [

     

       941
       956
        
               "-net nic,netdev=user.0,model=virtio"

     

       942
       942
       -
               "-netdev user,id=user.0,${forwardingOptions}\"$QEMU_NET_OPTS\""

     

       957
       957
       +
               "-netdev user,id=user.0,${forwardingOptions}${restrictNetworkOption}\"$QEMU_NET_OPTS\""

     

       943
       958
        
             ];

     

       944
       959
        
       

     

       945
       960
        
           # FIXME: Consolidate this one day.

nixos/tests/all-tests.nix

···

       558
       558
        
         public-inbox = handleTest ./public-inbox.nix {};

     

       559
       559
        
         pulseaudio = discoverTests (import ./pulseaudio.nix);

     

       560
       560
        
         qboot = handleTestOn ["x86_64-linux" "i686-linux"] ./qboot.nix {};

     

       561
       561
       +
         qemu-vm-restrictnetwork = handleTest ./qemu-vm-restrictnetwork.nix {};

     

       561
       562
        
         quorum = handleTest ./quorum.nix {};

     

       562
       563
        
         quake3 = handleTest ./quake3.nix {};

     

       563
       564
        
         rabbitmq = handleTest ./rabbitmq.nix {};

+36

nixos/tests/qemu-vm-restrictnetwork.nix

···

       1
       1
       +
       import ./make-test-python.nix ({

     

       2
       2
       +
         name = "qemu-vm-restrictnetwork";

     

       3
       3
       +
       

     

       4
       4
       +
         nodes = {

     

       5
       5
       +
           unrestricted = { config, pkgs, ... }: {

     

       6
       6
       +
             virtualisation.restrictNetwork = false;

     

       7
       7
       +
           };

     

       8
       8
       +
       

     

       9
       9
       +
           restricted = { config, pkgs, ... }: {

     

       10
       10
       +
             virtualisation.restrictNetwork = true;

     

       11
       11
       +
           };

     

       12
       12
       +
         };

     

       13
       13
       +
       

     

       14
       14
       +
         testScript = ''

     

       15
       15
       +
           import os

     

       16
       16
       +
       

     

       17
       17
       +
           if os.fork() == 0:

     

       18
       18
       +
             # Start some HTTP server on the qemu host to test guest isolation.

     

       19
       19
       +
             from http.server import HTTPServer, BaseHTTPRequestHandler

     

       20
       20
       +
             HTTPServer(("", 8000), BaseHTTPRequestHandler).serve_forever()

     

       21
       21
       +
       

     

       22
       22
       +
           else:

     

       23
       23
       +
             start_all()

     

       24
       24
       +
             unrestricted.wait_for_unit("network-online.target")

     

       25
       25
       +
             restricted.wait_for_unit("network-online.target")

     

       26
       26
       +
       

     

       27
       27
       +
             # Guests should be able to reach each other on the same VLAN.

     

       28
       28
       +
             unrestricted.succeed("ping -c1 restricted")

     

       29
       29
       +
             restricted.succeed("ping -c1 unrestricted")

     

       30
       30
       +
       

     

       31
       31
       +
             # Only the unrestricted guest should be able to reach host services.

     

       32
       32
       +
             # 10.0.2.2 is the gateway mapping to the host's loopback interface.

     

       33
       33
       +
             unrestricted.succeed("curl -s http://10.0.2.2:8000")

     

       34
       34
       +
             restricted.fail("curl -s http://10.0.2.2:8000")

     

       35
       35
       +
           '';

     

       36
       36
       +
       })