2020-06-18 07:06:33 +00:00
|
|
|
# This test makes sure that lxd stops implicitly depending on iptables when
|
|
|
|
# user enabled nftables.
|
|
|
|
#
|
|
|
|
# It has been extracted from `lxd.nix` for clarity, and because switching from
|
|
|
|
# iptables to nftables requires a full reboot, which is a bit hard inside NixOS
|
|
|
|
# tests.
|
|
|
|
|
2024-01-02 11:29:13 +00:00
|
|
|
import ../make-test-python.nix ({ pkgs, lib, ...} : {
|
2020-06-18 07:06:33 +00:00
|
|
|
name = "lxd-nftables";
|
2020-09-25 04:45:31 +00:00
|
|
|
|
2022-04-03 18:54:34 +00:00
|
|
|
nodes.machine = { lib, ... }: {
|
2020-06-18 07:06:33 +00:00
|
|
|
virtualisation = {
|
|
|
|
lxd.enable = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
networking = {
|
|
|
|
firewall.enable = false;
|
|
|
|
nftables.enable = true;
|
2023-10-09 19:29:22 +00:00
|
|
|
nftables.tables."filter".family = "inet";
|
|
|
|
nftables.tables."filter".content = ''
|
2020-06-18 07:06:33 +00:00
|
|
|
chain incoming {
|
|
|
|
type filter hook input priority 0;
|
|
|
|
policy accept;
|
|
|
|
}
|
|
|
|
|
|
|
|
chain forward {
|
|
|
|
type filter hook forward priority 0;
|
|
|
|
policy accept;
|
|
|
|
}
|
|
|
|
|
|
|
|
chain output {
|
|
|
|
type filter hook output priority 0;
|
|
|
|
policy accept;
|
|
|
|
}
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
testScript = ''
|
|
|
|
machine.wait_for_unit("network.target")
|
|
|
|
|
|
|
|
with subtest("When nftables are enabled, lxd doesn't depend on iptables anymore"):
|
|
|
|
machine.succeed("lsmod | grep nf_tables")
|
|
|
|
machine.fail("lsmod | grep ip_tables")
|
|
|
|
'';
|
|
|
|
})
|