smoke test: test firewall inbound / outbound (#240)
Test that basic inbound / outbound firewall rules work during the smoke test. This change sets an inbound firewall rule on host3 and adds a new host4 with outbound firewall rules. It also tests that conntrack allows return traffic once a connection has been established.
2
.github/workflows/smoke.yml
2
.github/workflows/smoke.yml
@@ -14,7 +14,7 @@ on:
|
|||||||
jobs:
|
jobs:
|
||||||
|
|
||||||
smoke:
|
smoke:
|
||||||
name: Run 3 node smoke test
|
name: Run multi node smoke test
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
|
|
||||||
|
27
.github/workflows/smoke/build.sh
27
.github/workflows/smoke/build.sh
@@ -11,14 +11,29 @@ mkdir ./build
|
|||||||
cp ../../../../nebula .
|
cp ../../../../nebula .
|
||||||
cp ../../../../nebula-cert .
|
cp ../../../../nebula-cert .
|
||||||
|
|
||||||
HOST="lighthouse1" AM_LIGHTHOUSE=true ../genconfig.sh >lighthouse1.yml
|
HOST="lighthouse1" \
|
||||||
HOST="host2" LIGHTHOUSES="192.168.100.1 172.17.0.2:4242" ../genconfig.sh >host2.yml
|
AM_LIGHTHOUSE=true \
|
||||||
HOST="host3" LIGHTHOUSES="192.168.100.1 172.17.0.2:4242" ../genconfig.sh >host3.yml
|
../genconfig.sh >lighthouse1.yml
|
||||||
|
|
||||||
|
HOST="host2" \
|
||||||
|
LIGHTHOUSES="192.168.100.1 172.17.0.2:4242" \
|
||||||
|
../genconfig.sh >host2.yml
|
||||||
|
|
||||||
|
HOST="host3" \
|
||||||
|
LIGHTHOUSES="192.168.100.1 172.17.0.2:4242" \
|
||||||
|
INBOUND='[{"port": "any", "proto": "icmp", "group": "lighthouse"}]' \
|
||||||
|
../genconfig.sh >host3.yml
|
||||||
|
|
||||||
|
HOST="host4" \
|
||||||
|
LIGHTHOUSES="192.168.100.1 172.17.0.2:4242" \
|
||||||
|
OUTBOUND='[{"port": "any", "proto": "icmp", "group": "lighthouse"}]' \
|
||||||
|
../genconfig.sh >host4.yml
|
||||||
|
|
||||||
./nebula-cert ca -name "Smoke Test"
|
./nebula-cert ca -name "Smoke Test"
|
||||||
./nebula-cert sign -name "lighthouse1" -ip "192.168.100.1/24"
|
./nebula-cert sign -name "lighthouse1" -groups "lighthouse,lighthouse1" -ip "192.168.100.1/24"
|
||||||
./nebula-cert sign -name "host2" -ip "192.168.100.2/24"
|
./nebula-cert sign -name "host2" -groups "host,host2" -ip "192.168.100.2/24"
|
||||||
./nebula-cert sign -name "host3" -ip "192.168.100.3/24"
|
./nebula-cert sign -name "host3" -groups "host,host3" -ip "192.168.100.3/24"
|
||||||
|
./nebula-cert sign -name "host4" -groups "host,host4" -ip "192.168.100.4/24"
|
||||||
)
|
)
|
||||||
|
|
||||||
docker build -t nebula:smoke .
|
docker build -t nebula:smoke .
|
||||||
|
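Review bot: The new `INBOUND`/`OUTBOUND` values for host3 and host4 are bare JSON strings with nothing saying what policy they encode or why JSON is accepted; a comment above the host3 block such as `# host3 accepts ICMP only from the "lighthouse" group; host4 may send ICMP only to the "lighthouse" group. JSON is valid YAML flow syntax and genconfig.sh inlines it verbatim.` would make the fixture self-describing. The `group` fields only mean something because the `-groups` passed to `nebula-cert sign` further down carry the same names, which is the identity binding the whole test rests on — worth a one-line comment there too (`# groups must match the firewall rules above`). Unrelated to the rules themselves but visible in this hunk: `nebula-cert ca` leaves an unencrypted ca.key in the build context, and if the Dockerfile (not shown) copies the whole directory it ships in the image; harmless for a throwaway smoke image, but a `# test-only CA, not a secret` comment would stop anyone reusing this pattern.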
12
.github/workflows/smoke/genconfig.sh
12
.github/workflows/smoke/genconfig.sh
@@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
|
FIREWALL_ALL='[{"port": "any", "proto": "any", "host": "any"}]'
|
||||||
|
|
||||||
if [ "$STATIC_HOSTS" ] || [ "$LIGHTHOUSES" ]
|
if [ "$STATIC_HOSTS" ] || [ "$LIGHTHOUSES" ]
|
||||||
then
|
then
|
||||||
@@ -48,13 +49,6 @@ tun:
|
|||||||
dev: ${TUN_DEV:-nebula1}
|
dev: ${TUN_DEV:-nebula1}
|
||||||
|
|
||||||
firewall:
|
firewall:
|
||||||
outbound:
|
outbound: ${OUTBOUND:-$FIREWALL_ALL}
|
||||||
- port: any
|
inbound: ${INBOUND:-$FIREWALL_ALL}
|
||||||
proto: any
|
|
||||||
host: any
|
|
||||||
|
|
||||||
inbound:
|
|
||||||
- port: any
|
|
||||||
proto: any
|
|
||||||
host: any
|
|
||||||
EOF
|
EOF
|
||||||
|
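Review bot: `FIREWALL_ALL` and the `${OUTBOUND:-$FIREWALL_ALL}` / `${INBOUND:-$FIREWALL_ALL}` substitutions rely on JSON being valid YAML flow syntax, and the default they select is an allow-everything policy in both directions; neither fact is stated anywhere. Suggest above the constant: `# Firewall rules are JSON (valid YAML flow syntax) so callers can override them via env. Default is allow-all in both directions — smoke test only, never a template for real configs.` Because the value is expanded unquoted inside the heredoc, whatever a caller puts in `INBOUND`/`OUTBOUND` becomes config text verbatim; that is acceptable here only because smoke.sh runs every generated file through `nebula -config … -test` before starting a node, and a comment saying so would keep the generator from being reused with untrusted input. The heredoc itself begins before this hunk.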
27
.github/workflows/smoke/smoke.sh
27
.github/workflows/smoke/smoke.sh
@@ -5,6 +5,7 @@ set -e -x
|
|||||||
docker run --name lighthouse1 --rm nebula:smoke -config lighthouse1.yml -test
|
docker run --name lighthouse1 --rm nebula:smoke -config lighthouse1.yml -test
|
||||||
docker run --name host2 --rm nebula:smoke -config host2.yml -test
|
docker run --name host2 --rm nebula:smoke -config host2.yml -test
|
||||||
docker run --name host3 --rm nebula:smoke -config host3.yml -test
|
docker run --name host3 --rm nebula:smoke -config host3.yml -test
|
||||||
|
docker run --name host4 --rm nebula:smoke -config host4.yml -test
|
||||||
|
|
||||||
docker run --name lighthouse1 --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm nebula:smoke -config lighthouse1.yml &
|
docker run --name lighthouse1 --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm nebula:smoke -config lighthouse1.yml &
|
||||||
sleep 1
|
sleep 1
|
||||||
@@ -12,6 +13,8 @@ docker run --name host2 --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN -
|
|||||||
sleep 1
|
sleep 1
|
||||||
docker run --name host3 --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm nebula:smoke -config host3.yml &
|
docker run --name host3 --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm nebula:smoke -config host3.yml &
|
||||||
sleep 1
|
sleep 1
|
||||||
|
docker run --name host4 --device /dev/net/tun:/dev/net/tun --cap-add NET_ADMIN --rm nebula:smoke -config host4.yml &
|
||||||
|
sleep 1
|
||||||
|
|
||||||
set +x
|
set +x
|
||||||
echo
|
echo
|
||||||
@@ -27,7 +30,8 @@ echo " *** Testing ping from host2"
|
|||||||
echo
|
echo
|
||||||
set -x
|
set -x
|
||||||
docker exec host2 ping -c1 192.168.100.1
|
docker exec host2 ping -c1 192.168.100.1
|
||||||
docker exec host2 ping -c1 192.168.100.3
|
# Should fail because not allowed by host3 inbound firewall
|
||||||
|
! docker exec host2 ping -c1 192.168.100.3 -w5 || exit 1
|
||||||
|
|
||||||
set +x
|
set +x
|
||||||
echo
|
echo
|
||||||
@@ -36,3 +40,24 @@ echo
|
|||||||
set -x
|
set -x
|
||||||
docker exec host3 ping -c1 192.168.100.1
|
docker exec host3 ping -c1 192.168.100.1
|
||||||
docker exec host3 ping -c1 192.168.100.2
|
docker exec host3 ping -c1 192.168.100.2
|
||||||
|
|
||||||
|
set +x
|
||||||
|
echo
|
||||||
|
echo " *** Testing ping from host4"
|
||||||
|
echo
|
||||||
|
set -x
|
||||||
|
docker exec host4 ping -c1 192.168.100.1
|
||||||
|
# Should fail because not allowed by host4 outbound firewall
|
||||||
|
! docker exec host4 ping -c1 192.168.100.2 -w5 || exit 1
|
||||||
|
! docker exec host4 ping -c1 192.168.100.3 -w5 || exit 1
|
||||||
|
|
||||||
|
set +x
|
||||||
|
echo
|
||||||
|
echo " *** Testing conntrack"
|
||||||
|
echo
|
||||||
|
set -x
|
||||||
|
# host2 can ping host3 now that host3 pinged it first
|
||||||
|
docker exec host2 ping -c1 192.168.100.3
|
||||||
|
# host4 can ping host2 once conntrack established
|
||||||
|
docker exec host2 ping -c1 192.168.100.4
|
||||||
|
docker exec host4 ping -c1 192.168.100.2
|
||||||
|
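Review bot: The negative assertions (`! docker exec host2 ping -c1 192.168.100.3 -w5 || exit 1` and the two host4 checks) prove only that the ping failed, not that the firewall was what blocked it — a host3 that has not finished starting after the one-second `sleep`, or a handshake that has not completed, passes them just as well. The allowed side of host3's rule (ICMP from the `lighthouse` group) is never exercised directly before conntrack is involved, since the first traffic to host3 is host3's own outbound ping; adding `docker exec lighthouse1 ping -c1 192.168.100.3` ahead of the host2 negative test would pin the rule to the group match rather than to reachability, and a matching `docker exec host4 ping -c1 192.168.100.1` already exists for host4. A short comment on the first negated line, `# '!' disables errexit for this command, hence the explicit exit 1`, would explain the otherwise odd construct under `set -e`. If the script exits here the background containers keep running unless a trap outside this hunk cleans them up; the script's `set -e -x` prologue is outside the hunk, so I cannot tell.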