[bug#32465] Add iptables service

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#32465] Add iptables service

From:	Arun Isaac
Subject:	[bug#32465] Add iptables service
Date:	Fri, 17 Aug 2018 16:54:19 +0530

I have written a service to configure iptables rules. What tests should
I write for this service? I see the following two approaches to tests:

- Dump the iptables rules using iptables-save and verify that they
  matches the configured rules.
- Configure iptables to block certain ports and allow some other
  ports. Then, run a service on those ports and check if it is possible to
  reach them.

After we have iterated a few times, and converged on the final patch for
this service, I will also contribute a similar service for ip6tables.

>From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001
From: Arun Isaac <address@hidden>
Date: Fri, 17 Aug 2018 16:39:07 +0530
Subject: [PATCH] gnu: services: Add iptables service.

* gnu/services/networking.scm (<iptables-configuration>): New record type.
(iptables-service-type): New variable.
* doc/guix.texi (Networking Services): Document it.
---
 doc/guix.texi               | 27 ++++++++++++++++++++++
 gnu/services/networking.scm | 45 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0b72e5d8c..d5ff43811 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -11287,6 +11287,33 @@ Thus, it can be instantiated like this:
 @end lisp
 @end defvr
 
address@hidden iptables
address@hidden {Scheme Variabe} iptables-service-type
+This is the service type to set up an iptables coniguration. iptables is a
+packet filtering framework supported by the Linux kernel.  It can be
+instantiated as:
+
address@hidden
+(service iptables-service-type
+        (iptables-configuration
+         (rules (local-file "iptables.rules"))))
address@hidden lisp
+
address@hidden {Data Type} iptables-configuration
+The data type representing the configuration of @command{iptables}.
+
address@hidden @asis
address@hidden @code{iptables} (default: @code{iptables})
+The iptables package that provides @code{iptables-restore}.
address@hidden @code{rules}
+The iptables rules to use.  This is required.  It will be passed to
address@hidden  This may be any ``file-like'' object
+(@pxref{G-Expressions, file-like objects}).
address@hidden table
address@hidden deftp
+
address@hidden defvr
+
 @cindex NTP
 @cindex real time clock
 @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index d5d0cf9d1..46e0ee3d0 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2017 Thomas Danckaert <address@hidden>
 ;;; Copyright © 2017 Marius Bakke <address@hidden>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <address@hidden>
+;;; Copyright © 2018 Arun Isaac <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -102,7 +103,13 @@
             wpa-supplicant-service-type
 
             openvswitch-service-type
-            openvswitch-configuration))
+            openvswitch-configuration
+
+            iptables-configuration
+            iptables-configuration?
+            iptables-configuration-iptables
+            iptables-configuration-rules
+            iptables-service-type))
 
 ;;; Commentary:
 ;;;
@@ -1086,4 +1093,40 @@ networking."))))
 switch designed to enable massive network automation through programmatic
 extension.")))
 
+;;;
+;;; iptables
+;;;
+
+(define-record-type* <iptables-configuration>
+  iptables-configuration make-iptables-configuration iptables-configuration?
+  (iptables iptables-configuration-iptables
+            (default iptables))
+  (rules iptables-configuration-rules))
+
+(define iptables-shepherd-service
+  (match-lambda
+    (($ <iptables-configuration> iptables rules)
+     (let ((iptables-restore (file-append iptables "/sbin/iptables-restore")))
+       (shepherd-service
+        (documentation "Packet filtering framework")
+        (provision '(iptables))
+        (start #~(lambda _ (invoke #$iptables-restore #$rules)))
+        (stop #~(lambda _ (invoke #$iptables-restore
+                                  #$(plain-file "iptables.rules"
+                                                "*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+")))))))))
+
+(define iptables-service-type
+  (service-type
+   (name 'iptables)
+   (description
+    "Run @command{iptables-restore}, setting up the specified rules.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list iptables-shepherd-service))))))
+
 ;;; networking.scm ends here
-- 
2.18.0

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#32465] Add iptables service, Arun Isaac <=

Prev by Date: bug#32453: [PATCH] gnu: restic: Set a variable to disable FUSE tests.
Next by Date: [bug#32468] Add dante
Previous by thread: [bug#32461] [PATCH] gnu: dtc: Update to 1.4.7.
Next by thread: [bug#32468] Add dante
Index(es):
- Date
- Thread