nixos/tests/firewalld: init

2026-06-05 21:03:40 +00:00 · 2025-04-15 16:40:15 +08:00
parent 2051b59942
commit 9ca60dbb79
3 changed files with 54 additions and 0 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -579,6 +579,7 @@ in
    imports = [ ./firewall.nix ];
    _module.args.backend = "nftables";
  };
+  firewalld = runTest ./firewalld.nix;
  firezone = runTest ./firezone/firezone.nix;
  fish = runTest ./fish.nix;
  flannel = runTestOn [ "x86_64-linux" ] ./flannel.nix;
--- a/nixos/tests/firewalld.nix
+++ b/nixos/tests/firewalld.nix
@@ -0,0 +1,52 @@
+{ lib, pkgs, ... }:
+{
+  name = "firewalld";
+  meta.maintainers = with pkgs.lib.maintainers; [
+    prince213
+  ];
+
+  nodes = {
+    walled = {
+      networking.nftables.enable = true;
+      services.firewalld.enable = true;
+      services.httpd.enable = true;
+      services.httpd.adminAddr = "foo@example.org";
+    };
+
+    open = {
+      networking.nftables.enable = true;
+      services.firewalld = {
+        enable = true;
+        settings.DefaultZone = "trusted";
+      };
+      services.httpd.enable = true;
+      services.httpd.adminAddr = "foo@example.org";
+    };
+  };
+
+  testScript = ''
+    start_all()
+
+    walled.wait_for_unit("firewalld")
+    walled.wait_for_unit("httpd")
+
+    open.wait_for_unit("network.target")
+
+    with subtest("walled local httpd works"):
+      walled.succeed("curl -v http://localhost/ >&2")
+
+    with subtest("incoming connections are blocked"):
+      open.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
+
+    with subtest("outgoing connections are allowed"):
+      walled.succeed("curl -v http://open/ >&2")
+
+    with subtest("runtime configuration can be changed"):
+      walled.succeed("firewall-cmd --add-service=http")
+      open.succeed("curl -v http://walled/ >&2")
+
+    with subtest("runtime configuration are not permanent"):
+      walled.succeed("firewall-cmd --complete-reload")
+      open.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
+  '';
+}
--- a/pkgs/by-name/fi/firewalld/package.nix
+++ b/pkgs/by-name/fi/firewalld/package.nix
@@ -155,6 +155,7 @@ stdenv.mkDerivation rec {
  '';

  passthru.tests = {
+    firewalld = nixosTests.firewalld;
    firewall-firewalld = nixosTests.firewall-firewalld;
  };