commit fb46df8a9a4102e265f4b14af48a5df90d5b06c3 · pyrox.dev/nixpkgs

+2 -1

nixos/modules/services/networking/firewall.nix

···

       490
        
       

     

       491
        
           systemd.services.firewall = {

     

       492
        
             description = "Firewall";

     

       493
       -
             wantedBy = [ "multi-user.target" "sysinit.target" ];

     

       494
        
             wants = [ "network-pre.target" ];

     

       495
        
             before = [ "network-pre.target" ];

     

       496
        
             after = [ "systemd-modules-load.service" ];

     
···

       501
        
             # containers don't have CAP_SYS_MODULE. So the host system had

     

       502
        
             # better have all necessary modules already loaded.

     

       503
        
             unitConfig.ConditionCapability = "CAP_NET_ADMIN";

     

       0
        
       
     

       504
        
       

     

       505
        
             reloadIfChanged = true;

     

       506

···

       490
        
       

     

       491
        
           systemd.services.firewall = {

     

       492
        
             description = "Firewall";

     

       493
       +
             wantedBy = [ "sysinit.target" ];

     

       494
        
             wants = [ "network-pre.target" ];

     

       495
        
             before = [ "network-pre.target" ];

     

       496
        
             after = [ "systemd-modules-load.service" ];

     
···

       501
        
             # containers don't have CAP_SYS_MODULE. So the host system had

     

       502
        
             # better have all necessary modules already loaded.

     

       503
        
             unitConfig.ConditionCapability = "CAP_NET_ADMIN";

     

       504
       +
             unitConfig.DefaultDependencies = false;

     

       505
        
       

     

       506
        
             reloadIfChanged = true;

     

       507

+34 -19

nixos/tests/firewall.nix

···

       15
        
                 services.httpd.adminAddr = "foo@example.org";

     

       16
        
               };

     

       17
        
       

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       18
        
             attacker =

     

       19
        
               { config, pkgs, ... }:

     

       20
        
               { services.httpd.enable = true;

     
···

       23
        
               };

     

       24
        
           };

     

       25
        
       

     

       26
       -
         testScript =

     

       27
       -
           { nodes, ... }:

     

       28
       -
           ''

     

       29
       -
             startAll;

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       30
        
       

     

       31
       -
             $walled->waitForUnit("firewall");

     

       32
       -
             $walled->waitForUnit("httpd");

     

       33
       -
             $attacker->waitForUnit("network.target");

     

       34
        
       

     

       35
       -
             # Local connections should still work.

     

       36
       -
             $walled->succeed("curl -v http://localhost/ >&2");

     

       0
        
       
     

       37
        
       

     

       38
       -
             # Connections to the firewalled machine should fail, but ping should succeed.

     

       39
       -
             $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");

     

       40
       -
             $attacker->succeed("ping -c 1 walled >&2");

     

       41
        
       

     

       42
       -
             # Outgoing connections/pings should still work.

     

       43
       -
             $walled->succeed("curl -v http://attacker/ >&2");

     

       44
       -
             $walled->succeed("ping -c 1 attacker >&2");

     

       45
        
       

     

       46
       -
             # If we stop the firewall, then connections should succeed.

     

       47
       -
             $walled->stopJob("firewall");

     

       48
       -
             $attacker->succeed("curl -v http://walled/ >&2");

     

       49
       -
           '';

     

       50
        
       })

···

       15
        
                 services.httpd.adminAddr = "foo@example.org";

     

       16
        
               };

     

       17
        
       

     

       18
       +
             # Dummy configuration to check whether firewall.service will be honored

     

       19
       +
             # during system activation. This only needs to be different to the

     

       20
       +
             # original walled configuration so that there is a change in the service

     

       21
       +
             # file.

     

       22
       +
             walled2 =

     

       23
       +
               { config, pkgs, nodes, ... }:

     

       24
       +
               { networking.firewall.enable = true;

     

       25
       +
                 networking.firewall.rejectPackets = true;

     

       26
       +
               };

     

       27
       +
       

     

       28
        
             attacker =

     

       29
        
               { config, pkgs, ... }:

     

       30
        
               { services.httpd.enable = true;

     
···

       33
        
               };

     

       34
        
           };

     

       35
        
       

     

       36
       +
         testScript = { nodes, ... }: let

     

       37
       +
           newSystem = nodes.walled2.config.system.build.toplevel;

     

       38
       +
         in ''

     

       39
       +
           $walled->start;

     

       40
       +
           $attacker->start;

     

       41
       +
       

     

       42
       +
           $walled->waitForUnit("firewall");

     

       43
       +
           $walled->waitForUnit("httpd");

     

       44
       +
           $attacker->waitForUnit("network.target");

     

       45
        
       

     

       46
       +
           # Local connections should still work.

     

       47
       +
           $walled->succeed("curl -v http://localhost/ >&2");

     

       0
        
       
     

       48
        
       

     

       49
       +
           # Connections to the firewalled machine should fail, but ping should succeed.

     

       50
       +
           $attacker->fail("curl --fail --connect-timeout 2 http://walled/ >&2");

     

       51
       +
           $attacker->succeed("ping -c 1 walled >&2");

     

       52
        
       

     

       53
       +
           # Outgoing connections/pings should still work.

     

       54
       +
           $walled->succeed("curl -v http://attacker/ >&2");

     

       55
       +
           $walled->succeed("ping -c 1 attacker >&2");

     

       56
        
       

     

       57
       +
           # If we stop the firewall, then connections should succeed.

     

       58
       +
           $walled->stopJob("firewall");

     

       59
       +
           $attacker->succeed("curl -v http://walled/ >&2");

     

       60
        
       

     

       61
       +
           # Check whether activation of a new configuration reloads the firewall.

     

       62
       +
           $walled->succeed("${newSystem}/bin/switch-to-configuration test 2>&1" .

     

       63
       +
                            " | grep -qF firewall.service");

     

       64
       +
         '';

     

       65
        
       })