nixos/tests/firewall: add firewalld backend

2026-06-05 21:03:40 +00:00 · 2025-04-15 14:02:38 +08:00
parent 3160f3b9d7
commit 2051b59942
3 changed files with 25 additions and 8 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -569,11 +569,15 @@ in
  firejail = runTest ./firejail.nix;
  firewall = runTest {
    imports = [ ./firewall.nix ];
-    _module.args.nftables = false;
+    _module.args.backend = "iptables";
+  };
+  firewall-firewalld = runTest {
+    imports = [ ./firewall.nix ];
+    _module.args.backend = "firewalld";
  };
  firewall-nftables = runTest {
    imports = [ ./firewall.nix ];
-    _module.args.nftables = true;
+    _module.args.backend = "nftables";
  };
  firezone = runTest ./firezone/firezone.nix;
  fish = runTest ./fish.nix;
--- a/nixos/tests/firewall.nix
+++ b/nixos/tests/firewall.nix
@@ -1,10 +1,11 @@
 # Test the firewall module.

-{ lib, nftables, ... }:
+{ lib, backend, ... }:
 {
-  name = "firewall" + lib.optionalString nftables "-nftables";
+  name = "firewall-${backend}";
  meta = with lib.maintainers; {
    maintainers = [
+      prince213
      rvfg
      garyguo
    ];
@@ -59,7 +60,8 @@
            };
          };
        };
-        networking.nftables.enable = nftables;
+        services.firewalld.enable = backend == "firewalld";
+        networking.nftables.enable = backend != "iptables";
        services.httpd.enable = true;
        services.httpd.adminAddr = "foo@example.org";

@@ -80,7 +82,13 @@
  testScript =
    { nodes, ... }:
    let
-      unit = if nftables then "nftables" else "firewall";
+      unit = if backend == "iptables" then "firewall" else backend;
+      openPort =
+        if backend == "firewalld" then
+          "firewall-cmd --add-port=80/tcp"
+        else
+          "nixos-firewall-tool open tcp 80";
+      reset = if backend == "firewalld" then "firewall-cmd --reload" else "nixos-firewall-tool reset";
    in
    ''
      start_all()
@@ -101,11 +109,11 @@
      walled.succeed("ping -c 1 attacker >&2")

      # Open tcp port 80 at runtime
-      walled.succeed("nixos-firewall-tool open tcp 80")
+      walled.succeed("${openPort}")
      attacker.succeed("curl -v http://walled/ >&2")

      # Reset the firewall
-      walled.succeed("nixos-firewall-tool reset")
+      walled.succeed("${reset}")
      attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2")

      # If we stop the firewall, then connections should succeed.
--- a/pkgs/by-name/fi/firewalld/package.nix
+++ b/pkgs/by-name/fi/firewalld/package.nix
@@ -26,6 +26,7 @@
  sysctl,
  wrapGAppsNoGuiHook,
  withGui ? false,
+  nixosTests,
 }:

 let
@@ -153,6 +154,10 @@ stdenv.mkDerivation rec {
    wrapPythonProgramsIn "$out/bin" "$out ${pythonPath}"
  '';

+  passthru.tests = {
+    firewall-firewalld = nixosTests.firewall-firewalld;
+  };
+
  meta = {
    description = "Firewall daemon with D-Bus interface";
    homepage = "https://firewalld.org";