Commit Graph

10 Commits

Author SHA1 Message Date
Maximilian Bosch
9f7b0d8f0c
nixos/systemd-networkd-vrf: check routing tables via ip --json
The original implementation did a simple string-comparison against the
output of `ip route`. This is problematic because

* if the details in the string-output change, the test breaks. This is
  less likely with JSON because the relevant values (i.e. destination,
  interface etc) aren't supposed to be changed.
* this is causing issues with formatters[1][2].

[1] #161703
[2] #154818
2022-06-24 09:58:40 +02:00
Kevin Amado
2a9691e0c0
nixos/systemd: prepare tests for formatters
- Code formatters normally strip trailing whitespace.
  Since this test depends on the whitespace to succeed,
  formatting the code would break the test
- This small change allows this file to be formatted
  while at the same time preserving the test meaning
2022-04-21 11:22:06 -06:00
zowoq
9917a5cf11 nixos/tests/systemd-networkd-vrf: move disabled check inline 2022-01-13 09:21:38 +10:00
Maximilian Bosch
b199005979
nixos/tests/systemd-networkd-vrf: fix eval
The `Metric`-values of routes defined via `networkd` must be integers.
2020-10-13 22:39:02 +02:00
Maximilian Bosch
04a10b3355
nixos/tests/systemd-networkd-vrf: add comment about trailing whitespaces in test script
For further context please read the discussion in https://github.com/NixOS/nixpkgs/pull/94607#issuecomment-668070029
2020-08-03 17:43:56 +02:00
Maximilian Bosch
5bd1fb2884
nixos/tests/systemd-networkd-vrf: fix test
Broken while fixing some `.editorconfig`-definitions[1], however this
test explicitly relies on the output of `iproute2`.

[1] 8ae7f8c359
2020-08-03 16:47:40 +02:00
zowoq
8ae7f8c359 nixos/tests/*: editorconfig fixes 2020-08-04 00:23:54 +10:00
Maximilian Bosch
37e3cadb8b
nixos/systemd-networkd-vrf: implement working TCP test on a 5.x kernel
By design, VRFs allow route-leaking for forwarded packages, but not for
local processes using a socket. While it was possible to leak such TCP
traffic through a VRF on a 4.x kernel, this behavior was considered
wrong and got fixed in Linux 5.x[1].

From now on, local unix sockets must run in the VRF itself using
`ip vrf exec`[2] which basically injects a BPF program into the VRF and
drops elevated networking capabilities by default for the specified
command.

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3c82a21f4320c8d54cf6456b27c8d49e5ffb722e
[2] https://man7.org/linux/man-pages/man8/ip-vrf.8.html
2020-07-31 21:06:00 +02:00
Maximilian Bosch
58c7a952a1
nixos/networkd: disable vrf sub-test which tests the behavior of tcp-packets
The subtest was mainly written to demonstrate the VRF-issues with a
5.x-kernel. However this breaks the entire test now as we have 5.4 as
default kernel. Disabling the test for now, I still need to find some
time to investigate.
2020-02-25 19:54:57 +01:00
Maximilian Bosch
a0fd819a4a
nixos/networkd: add test for VRF configurations 2020-01-25 17:38:15 +01:00