pyrox.dev / nixpkgs
lol
fork atom

nixos: Fix ordering of firewall.service

Follow-up to the following commits:

abdc5961c3cdf9f5893ea1e91ba08ff5089f53a4: Fix starting the firewall
e090701e2d09aec3e8866ab9a8e53c37973ffeb4: Order before sysinit

Solely use sysinit.target here instead of multi-user.target because we
want to make sure that the iptables rules are applied *before* any
socket units are started.

The reason I've dropped the wantedBy on multi-user.target is that
sysinit.target is already a part of the dependency chain of
multi-user.target.

To make sure that this holds true, I've added a small test case to
ensure that during switch of the configuration the firewall.service is
considered as well.

Tested using the firewall NixOS test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra

aszlig fb46df8a 10b33599

options
unified split
Changed files
+36 -20
nixos
modules
services
networking
firewall.nix
tests
firewall.nix
+2 -1
nixos/modules/services/networking/firewall.nix 
···

       
490

       
490

       
 

       



     

       
491

       
491

       
 

       
    systemd.services.firewall = {


     

       
492

       
492

       
 

       
      description = "Firewall";


     

       
493

       

       
-

       
      wantedBy = [ "multi-user.target" "sysinit.target" ];


     

       

       
493

       
+

       
      wantedBy = [ "sysinit.target" ];


     

       
494

       
494

       
 

       
      wants = [ "network-pre.target" ];


     

       
495

       
495

       
 

       
      before = [ "network-pre.target" ];


     

       
496

       
496

       
 

       
      after = [ "systemd-modules-load.service" ];


     
···

       
501

       
501

       
 

       
      # containers don't have CAP_SYS_MODULE. So the host system had


     

       
502

       
502

       
 

       
      # better have all necessary modules already loaded.


     

       
503

       
503

       
 

       
      unitConfig.ConditionCapability = "CAP_NET_ADMIN";


     

       

       
504

       
+

       
      unitConfig.DefaultDependencies = false;


     

       
504

       
505

       
 

       



     

       
505

       
506

       
 

       
      reloadIfChanged = true;


     

       
506

       
507
+34 -19
nixos/tests/firewall.nix 
···

       
15

       
15

       
 

       
          services.httpd.adminAddr = "foo@example.org";


     

       
16

       
16

       
 

       
        };


     

       
17

       
17

       
 

       



     

       

       
18

       
+

       
      # Dummy configuration to check whether firewall.service will be honored


     

       

       
19

       
+

       
      # during system activation. This only needs to be different to the


     

       

       
20

       
+

       
      # original walled configuration so that there is a change in the service


     

       

       
21

       
+

       
      # file.


     

       

       
22

       
+

       
      walled2 =


     

       

       
23

       
+

       
        { config, pkgs, nodes, ... }:


     

       

       
24

       
+

       
        { networking.firewall.enable = true;


     

       

       
25

       
+

       
          networking.firewall.rejectPackets = true;


     

       

       
26

       
+

       
        };


     

       

       
27

       
+

       



     

       
18

       
28

       
 

       
      attacker =


     

       
19

       
29

       
 

       
        { config, pkgs, ... }:


     

       
20

       
30

       
 

       
        { services.httpd.enable = true;


     
···

       
23

       
33

       
 

       
        };


     

       
24

       
34

       
 

       
    };


     

       
25

       
35

       
 

       



     

       
26

       

       
-

       
  testScript =


     

       
27

       

       
-

       
    { nodes, ... }:


     

       
28

       

       
-

       
    ''


     

       
29

       

       
-

       
      startAll;


     

       

       
36

       
+

       
  testScript = { nodes, ... }: let


     

       

       
37

       
+

       
    newSystem = nodes.walled2.config.system.build.toplevel;


     

       

       
38

       
+

       
  in ''


     

       

       
39

       
+

       
    $walled->start;


     

       

       
40

       
+

       
    $attacker->start;


     

       

       
41

       
+

       



     

       

       
42

       
+

       
    $walled->waitForUnit("firewall");


     

       

       
43

       
+

       
    $walled->waitForUnit("httpd");


     

       

       
44

       
+

       
    $attacker->waitForUnit("network.target");


     

       
30

       
45

       
 

       



     

       
31

       

       
-

       
      $walled->waitForUnit("firewall");


     

       
32

       

       
-

       
      $walled->waitForUnit("httpd");


     

       
33

       

       
-

       
      $attacker->waitForUnit("network.target");


     

       

       
46

       
+

       
    # Local connections should still work.


     

       

       
47

       
+

       
    $walled->succeed("curl -v http://localhost/ >&2");


     

       
34

       
48

       
 

       



     

       
35

       

       
-

       
      # Local connections should still work.


     

       
36

       

       
-

       
      $walled->succeed("curl -v http://localhost/ >&2");


     

       

       
49

       
+

       
    # Connections to the firewalled machine should fail, but ping should succeed.


     

       

       
50

       
+

       
    $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");


     

       

       
51

       
+

       
    $attacker->succeed("ping -c 1 walled >&2");


     

       
37

       
52

       
 

       



     

       
38

       

       
-

       
      # Connections to the firewalled machine should fail, but ping should succeed.


     

       
39

       

       
-

       
      $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");


     

       
40

       

       
-

       
      $attacker->succeed("ping -c 1 walled >&2");


     

       

       
53

       
+

       
    # Outgoing connections/pings should still work.


     

       

       
54

       
+

       
    $walled->succeed("curl -v http://attacker/ >&2");


     

       

       
55

       
+

       
    $walled->succeed("ping -c 1 attacker >&2");


     

       
41

       
56

       
 

       



     

       
42

       

       
-

       
      # Outgoing connections/pings should still work.


     

       
43

       

       
-

       
      $walled->succeed("curl -v http://attacker/ >&2");


     

       
44

       

       
-

       
      $walled->succeed("ping -c 1 attacker >&2");


     

       

       
57

       
+

       
    # If we stop the firewall, then connections should succeed.


     

       

       
58

       
+

       
    $walled->stopJob("firewall");


     

       

       
59

       
+

       
    $attacker->succeed("curl -v http://walled/ >&2");


     

       
45

       
60

       
 

       



     

       
46

       

       
-

       
      # If we stop the firewall, then connections should succeed.


     

       
47

       

       
-

       
      $walled->stopJob("firewall");


     

       
48

       

       
-

       
      $attacker->succeed("curl -v http://walled/ >&2");


     

       
49

       

       
-

       
    '';


     

       

       
61

       
+

       
    # Check whether activation of a new configuration reloads the firewall.


     

       

       
62

       
+

       
    $walled->succeed("${newSystem}/bin/switch-to-configuration test 2>&1" .


     

       

       
63

       
+

       
                     " | grep -qF firewall.service");


     

       

       
64

       
+

       
  '';


     

       
50

       
65

       
 

       
})