5e7b7b805a
The test failed in one run on Hydra, logs look like dhcpcd changed ipv6 routing at just the wrong time. Disable dhcpcd. It's not needed, the test uses static IPs anyway.
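# NixOS VM test for the ferm firewall front end.
#
# Two nodes on a shared segment: `server` runs nginx on ports 80 and 8080
# behind a ferm ruleset that rejects inbound TCP 8080; `client` checks from
# the outside that port 80 answers and port 8080 does not, over both IPv4
# and IPv6.
import ./make-test.nix ({ pkgs, ...} : {
  name = "ferm";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ mic92 ];
  };

  nodes =
    { client =
        { pkgs, ... }:
        with pkgs.lib;
        {
          networking = {
            # The test only uses the static addresses below. dhcpcd is turned
            # off so it cannot change IPv6 routing while the test is running
            # (this was the suspected cause of a failed run on Hydra).
            dhcpcd.enable = false;
            # mkOverride 0 gives these definitions the highest priority, so
            # they win over any other definition of the same option.
            interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::2"; prefixLength = 64; } ];
            interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.2"; prefixLength = 24; } ];
          };
        };
      server =
        { pkgs, ... }:
        with pkgs.lib;
        {
          networking = {
            # Same reasoning as on the client: static addressing only.
            dhcpcd.enable = false;
            interfaces.eth1.ipv6.addresses = mkOverride 0 [ { address = "fd00::1"; prefixLength = 64; } ];
            interfaces.eth1.ipv4.addresses = mkOverride 0 [ { address = "192.168.1.1"; prefixLength = 24; } ];
          };

          services = {
            ferm.enable = true;
            # Ruleset under test, applied to both address families
            # (`domain (ip ip6)`):
            #   1. accept everything arriving on the loopback interface;
            #   2. reject TCP to port 8080 with a TCP reset, so a blocked
            #      client fails immediately instead of waiting for a timeout.
            # Rule order matters: the loopback ACCEPT comes first, which is
            # what lets the server reach its own port 8080 in the test.
            # NOTE(review): no chain policy is set here, so all other inbound
            # traffic is governed by whatever policy the chain already has
            # (presumably ACCEPT). This is a minimal test fixture, not a
            # default-deny ruleset to copy into production.
            ferm.config = ''
              domain (ip ip6) table filter chain INPUT {
                interface lo ACCEPT;
                proto tcp dport 8080 REJECT reject-with tcp-reset;
              }
            '';
            nginx.enable = true;
            # One virtual server listening on both ports and both address
            # families; /status (stub_status) is the endpoint the test fetches.
            nginx.httpConfig = ''
              server {
                listen 80;
                listen [::]:80;
                listen 8080;
                listen [::]:8080;

                location /status { stub_status on; }
              }
            '';
          };
        };
    };

  # Test driver script (Perl).
  #
  # Readiness: wait for the client's network, for ferm and nginx on the
  # server, and for a listener on port 80. The readiness grep matches
  # ':80 ' rather than a bare '80', so it cannot be satisfied by the 8080
  # listener or by some other field of the `ss` output that contains "80".
  #
  # "port 80 is allowed" doubles as the positive control: it proves the
  # client can reach the server at all, on IPv4 and IPv6.
  #
  # "port 8080 is not allowed" first fetches /status on 8080 from the server
  # itself (expected to succeed, showing nginx really serves that port and
  # that locally originated traffic is accepted), then expects the same
  # request from the client to fail. `fail` passes on any curl error, so the
  # two preceding checks are what tie a failure to the firewall rule rather
  # than to a missing listener or broken connectivity.
  testScript =
    ''
      startAll;

      $client->waitForUnit("network-online.target");
      $server->waitForUnit("ferm.service");
      $server->waitForUnit("nginx.service");
      $server->waitUntilSucceeds("ss -ntl | grep -q ':80 '");

      subtest "port 80 is allowed", sub {
          $client->succeed("curl --fail -g http://192.168.1.1:80/status");
          $client->succeed("curl --fail -g http://[fd00::1]:80/status");
      };

      subtest "port 8080 is not allowed", sub {
          $server->succeed("curl --fail -g http://192.168.1.1:8080/status");
          $server->succeed("curl --fail -g http://[fd00::1]:8080/status");

          $client->fail("curl --fail -g http://192.168.1.1:8080/status");
          $client->fail("curl --fail -g http://[fd00::1]:8080/status");
      };
    '';
})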