2023-01-20 10:41:00 +00:00
|
|
|
import ./make-test-python.nix ({
|
|
|
|
name = "qemu-vm-restrictnetwork";
|
|
|
|
|
|
|
|
nodes = {
|
|
|
|
unrestricted = { config, pkgs, ... }: {
|
|
|
|
virtualisation.restrictNetwork = false;
|
|
|
|
};
|
|
|
|
|
|
|
|
restricted = { config, pkgs, ... }: {
|
|
|
|
virtualisation.restrictNetwork = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
testScript = ''
|
|
|
|
import os
|
|
|
|
|
|
|
|
if os.fork() == 0:
|
|
|
|
# Start some HTTP server on the qemu host to test guest isolation.
|
|
|
|
from http.server import HTTPServer, BaseHTTPRequestHandler
|
|
|
|
HTTPServer(("", 8000), BaseHTTPRequestHandler).serve_forever()
|
|
|
|
|
|
|
|
else:
|
|
|
|
start_all()
|
2024-01-25 14:12:00 +00:00
|
|
|
unrestricted.systemctl("start network-online.target")
|
|
|
|
restricted.systemctl("start network-online.target")
|
2023-01-20 10:41:00 +00:00
|
|
|
unrestricted.wait_for_unit("network-online.target")
|
|
|
|
restricted.wait_for_unit("network-online.target")
|
|
|
|
|
|
|
|
# Guests should be able to reach each other on the same VLAN.
|
|
|
|
unrestricted.succeed("ping -c1 restricted")
|
|
|
|
restricted.succeed("ping -c1 unrestricted")
|
|
|
|
|
|
|
|
# Only the unrestricted guest should be able to reach host services.
|
|
|
|
# 10.0.2.2 is the gateway mapping to the host's loopback interface.
|
|
|
|
unrestricted.succeed("curl -s http://10.0.2.2:8000")
|
|
|
|
restricted.fail("curl -s http://10.0.2.2:8000")
|
|
|
|
'';
|
|
|
|
})
|