{ pkgs, runTest }:
let
inherit (pkgs) lib;
ipv6Only = {
networking.useDHCP = false;
networking.interfaces.eth1.ipv4.addresses = lib.mkVMOverride [ ];
};
ipv4Only = {
networking.useDHCP = false;
networking.interfaces.eth1.ipv6.addresses = lib.mkVMOverride [ ];
};
webserver = ip: msg: {
systemd.services.webserver = {
description = "Mock webserver";
wants = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
script = ''
while true; do
{
printf 'HTTP/1.0 200 OK\n'
printf 'Content-Length: ${toString (1 + builtins.stringLength msg)}\n'
printf '\n${msg}\n\n'
} | ${pkgs.libressl.nc}/bin/nc -${toString ip}nvl 80
done
'';
};
networking.firewall.allowedTCPPorts = [ 80 ];
};
in
{
siit = runTest {
# This test simulates the setup described in [1] with two IPv6 and
# IPv4-only devices on different subnets communicating through a border
# relay running Jool in SIIT mode.
# [1]: https://nicmx.github.io/Jool/en/run-vanilla.html
name = "jool-siit";
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
# Border relay
nodes.relay = {
virtualisation.vlans = [ 1 2 ];
# Enable packet routing
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = 1;
"net.ipv4.conf.all.forwarding" = 1;
};
networking.useDHCP = false;
networking.interfaces = lib.mkVMOverride {
eth1.ipv6.addresses = [ { address = "fd::198.51.100.1"; prefixLength = 120; } ];
eth2.ipv4.addresses = [ { address = "192.0.2.1"; prefixLength = 24; } ];
};
networking.jool.enable = true;
networking.jool.siit.default.global.pool6 = "fd::/96";
};
# IPv6 only node
nodes.alice = {
imports = [ ipv6Only (webserver 6 "Hello, Bob!") ];
virtualisation.vlans = [ 1 ];
networking.interfaces.eth1.ipv6 = {
addresses = [ { address = "fd::198.51.100.8"; prefixLength = 120; } ];
routes = [ { address = "fd::192.0.2.0"; prefixLength = 120;
via = "fd::198.51.100.1"; } ];
};
};
# IPv4 only node
nodes.bob = {
imports = [ ipv4Only (webserver 4 "Hello, Alice!") ];
virtualisation.vlans = [ 2 ];
networking.interfaces.eth1.ipv4 = {
addresses = [ { address = "192.0.2.16"; prefixLength = 24; } ];
routes = [ { address = "198.51.100.0"; prefixLength = 24;
via = "192.0.2.1"; } ];
};
};
testScript = ''
start_all()
relay.wait_for_unit("jool-siit-default.service")
alice.wait_for_unit("network-addresses-eth1.service")
bob.wait_for_unit("network-addresses-eth1.service")
with subtest("Alice and Bob can't ping each other"):
relay.systemctl("stop jool-siit-default.service")
alice.fail("ping -c1 fd::192.0.2.16")
bob.fail("ping -c1 198.51.100.8")
with subtest("Alice and Bob can ping using the relay"):
relay.systemctl("start jool-siit-default.service")
alice.wait_until_succeeds("ping -c1 fd::192.0.2.16")
bob.wait_until_succeeds("ping -c1 198.51.100.8")
with subtest("Alice can connect to Bob's webserver"):
bob.wait_for_open_port(80)
alice.succeed("curl -vvv http://[fd::192.0.2.16] >&2")
alice.succeed("curl --fail -s http://[fd::192.0.2.16] | grep -q Alice")
with subtest("Bob can connect to Alices's webserver"):
alice.wait_for_open_port(80)
bob.succeed("curl --fail -s http://198.51.100.8 | grep -q Bob")
'';
};
nat64 = runTest {
# This test simulates the setup described in [1] with two IPv6-only nodes
# (a client and a homeserver) on the LAN subnet and an IPv4 node on the WAN.
# The router runs Jool in stateful NAT64 mode, masquarading the LAN and
# forwarding ports using static BIB entries.
# [1]: https://nicmx.github.io/Jool/en/run-nat64.html
name = "jool-nat64";
meta.maintainers = with lib.maintainers; [ rnhmjoj ];
# Router
nodes.router = {
virtualisation.vlans = [ 1 2 ];
# Enable packet routing
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = 1;
"net.ipv4.conf.all.forwarding" = 1;
};
networking.useDHCP = false;
networking.interfaces = lib.mkVMOverride {
eth1.ipv6.addresses = [ { address = "2001:db8::1"; prefixLength = 96; } ];
eth2.ipv4.addresses = [ { address = "203.0.113.1"; prefixLength = 24; } ];
};
networking.jool.enable = true;
networking.jool.nat64.default = {
bib = [
{ # forward HTTP 203.0.113.1 (router) → 2001:db8::9 (homeserver)
"protocol" = "TCP";
"ipv4 address" = "203.0.113.1#80";
"ipv6 address" = "2001:db8::9#80";
}
];
pool4 = [
# Ports for dynamic translation
{ protocol = "TCP"; prefix = "203.0.113.1/32"; "port range" = "40001-65535"; }
{ protocol = "UDP"; prefix = "203.0.113.1/32"; "port range" = "40001-65535"; }
{ protocol = "ICMP"; prefix = "203.0.113.1/32"; "port range" = "40001-65535"; }
# Ports for static BIB entries
{ protocol = "TCP"; prefix = "203.0.113.1/32"; "port range" = "80"; }
];
};
};
# LAN client (IPv6 only)
nodes.client = {
imports = [ ipv6Only ];
virtualisation.vlans = [ 1 ];
networking.interfaces.eth1.ipv6 = {
addresses = [ { address = "2001:db8::8"; prefixLength = 96; } ];
routes = [ { address = "64:ff9b::"; prefixLength = 96;
via = "2001:db8::1"; } ];
};
};
# LAN server (IPv6 only)
nodes.homeserver = {
imports = [ ipv6Only (webserver 6 "Hello from IPv6!") ];
virtualisation.vlans = [ 1 ];
networking.interfaces.eth1.ipv6 = {
addresses = [ { address = "2001:db8::9"; prefixLength = 96; } ];
routes = [ { address = "64:ff9b::"; prefixLength = 96;
via = "2001:db8::1"; } ];
};
};
# WAN server (IPv4 only)
nodes.server = {
imports = [ ipv4Only (webserver 4 "Hello from IPv4!") ];
virtualisation.vlans = [ 2 ];
networking.interfaces.eth1.ipv4.addresses =
[ { address = "203.0.113.16"; prefixLength = 24; } ];
};
testScript = ''
start_all()
for node in [client, homeserver, server]:
node.wait_for_unit("network-addresses-eth1.service")
with subtest("Client can ping the WAN server"):
router.wait_for_unit("jool-nat64-default.service")
client.succeed("ping -c1 64:ff9b::203.0.113.16")
with subtest("Client can connect to the WAN webserver"):
server.wait_for_open_port(80)
client.succeed("curl --fail -s http://[64:ff9b::203.0.113.16] | grep -q IPv4!")
with subtest("Router BIB entries are correctly populated"):
router.succeed("jool bib display | grep -q 'Dynamic TCP.*2001:db8::8'")
router.succeed("jool bib display | grep -q 'Static TCP.*2001:db8::9'")
with subtest("WAN server can reach the LAN server"):
homeserver.wait_for_open_port(80)
server.succeed("curl --fail -s http://203.0.113.1 | grep -q IPv6!")
'';
};
}