[bug#32465] Add iptables service

[Ludovic Courtès]

Hi Arun,

Arun Isaac <address@hidden> skribis:

> I generalized this service to work for both iptables and ip6tables. I
> added system tests, and made the other corrections that were
> suggested. Some questions follow.
>
> - Is the example I added for the iptables.rules sufficient? I couldn't
>   find upstream documentation for the iptables.rules format. I suspect
>   it doesn't exist. Do you know of any upstream documentation that can
>   be referred to here?

>From a quick search it must be <https://netfilter.org/documentation/>,
specifically 
<https://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html>.

> - In the attached patch, the fourth test ("inetd echo service is
>   accessible after iptables firewall is stopped") doesn't work. In that
>   service, I am trying to stop the iptables service, but I'm not able
>   to. How do I programmatically stop the iptables service? Is what I
>   have done correct?

[...]

> +       (shepherd-service
> +        (documentation "Packet filtering framework")
> +        (provision '(iptables))
> +        (start #~(lambda _
> +                   (invoke #$iptables-restore #$ipv4-rules)
> +                   (invoke #$ip6tables-restore #$ipv6-rules)))
> +        (stop #~(lambda _
> +                  (invoke #$iptables-restore #$%iptables-accept-all-rules)
> +                  (invoke #$ip6tables-restore 
> #$%iptables-accept-all-rules))))))))

There’s a peculiarity of ‘stop’ which is that it must return #f on
success.  So here, you just need to add a trailing #f after the second
‘invoke’ call.  If you do that, I suppose the test that stops the
firewall will pass.

And if it does, I think you can go ahead and push!  :-)

Thank you,
Ludo’.