unofficial mirror of guix-devel@gnu.org 
* Packaging ufw
@ 2018-11-10 16:01 swedebugia
  2018-11-10 18:19 ` swedebugia
  0 siblings, 1 reply; 7+ messages in thread
From: swedebugia @ 2018-11-10 16:01 UTC (permalink / raw)
  To: guix-devel

Hi

I like this firewall, has anybody started packaging it?

If not I'm going to try.

-- 
Cheers
Swedebugia


* Re: Packaging ufw
  2018-11-10 16:01 Packaging ufw swedebugia
@ 2018-11-10 18:19 ` swedebugia
  2018-11-10 18:24   ` Brett Gilio
  2018-11-10 18:30   ` Pierre Neidhardt
  0 siblings, 2 replies; 7+ messages in thread
From: swedebugia @ 2018-11-10 18:19 UTC (permalink / raw)
  To: guix-devel

On 2018-11-10 17:01, swedebugia wrote:
> Hi
>
> I like this firewall, has anybody started packaging it?
>
> If not I'm going to try.
>
Where should it be? In networking.scm or python.scm?

We have no other firewall packages judging from my emacs-guix regex search.

-- 
Cheers
Swedebugia


* Re: Packaging ufw
  2018-11-10 18:19 ` swedebugia
@ 2018-11-10 18:24   ` Brett Gilio
  2018-11-10 20:42     ` swedebugia
  2018-11-10 18:30   ` Pierre Neidhardt
  1 sibling, 1 reply; 7+ messages in thread
From: Brett Gilio @ 2018-11-10 18:24 UTC (permalink / raw)
  To: swedebugia; +Cc: guix-devel


swedebugia writes:

> On 2018-11-10 17:01, swedebugia wrote:
>> Hi
>>
>> I like this firewall, has anybody started packaging it?
>>
>> If not I'm going to try.
>>
> Where should it be? In networking.scm or python.scm?
>
> We have no other firewall packages judging from my emacs-guix regex search.

Since it is not a python library, I think it would make more sense for
it to be located in the networking module.


* Re: Packaging ufw
  2018-11-10 18:19 ` swedebugia
  2018-11-10 18:24   ` Brett Gilio
@ 2018-11-10 18:30   ` Pierre Neidhardt
  1 sibling, 0 replies; 7+ messages in thread
From: Pierre Neidhardt @ 2018-11-10 18:30 UTC (permalink / raw)
  To: swedebugia; +Cc: guix-devel


Well, we have iptables, but ufw would probably not fit there :p

-- 
Pierre Neidhardt
https://ambrevar.xyz/


* Re: Packaging ufw
  2018-11-10 18:24   ` Brett Gilio
@ 2018-11-10 20:42     ` swedebugia
  2018-11-10 21:25       ` Danny Milosavljevic
  0 siblings, 1 reply; 7+ messages in thread
From: swedebugia @ 2018-11-10 20:42 UTC (permalink / raw)
  To: Brett Gilio; +Cc: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1371 bytes --]

Hi

On 2018-11-10 19:24, Brett Gilio wrote:
> swedebugia writes:
>
>> On 2018-11-10 17:01, swedebugia wrote:
>>> Hi
>>>
>>> I like this firewall, has anybody started packaging it?
>>>
>>> If not I'm going to try.
>>>
>> Where should it be? In networking.scm or python.scm?
>>
>> We have no other firewall packages judging from my emacs-guix regex search.
> Since it is not a python library, I think it would make more sense for
> it to be located in the networking module.

Ok.

I need help.

It fails with

starting phase `install'
running "python setup.py" with command "install" and parameters 
("--prefix=/gnu/store/v8kzgqs1jdfg7wzqr9c02719ada6x8bm-ufw-0.35" 
"--single-version-externally-managed" "--root=/" "--root=/")
Found 
'/gnu/store/8assqq8vmmvn09cysg5nm3kf2075hvxd-iptables-1.6.2/sbin/iptables' 
version '1.6.2\n''
usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
    or: -c --help [cmd1 cmd2 ...]
    or: -c --help-commands
    or: -c cmd --help

error: option --single-version-externally-managed not recognized

This option comes from the python-build-system.

Replacing the install phase seems necessary. But I don't know how to do 
that and did not find good examples in python.scm.

Logs and patch attached...

(Also, the tests fail; see the comment in the patch.)

-- 
Cheers
Swedebugia


[-- Attachment #2: 46z1sp5bnh0j8dli9g2ppinkss6km9-ufw-0.35.drv.bz2 --]
[-- Type: application/x-bzip, Size: 5338 bytes --]

[-- Attachment #3: 0001-gnu-Add-ufw.patch --]
[-- Type: text/x-patch, Size: 2592 bytes --]

From fda52be7de905c3f73f301ac1b218fdd026deece Mon Sep 17 00:00:00 2001
From: swedebugia <swedebugia@riseup.net>
Date: Sat, 10 Nov 2018 21:39:04 +0100
Subject: [PATCH] gnu: Add ufw

* gnu/packages/networking.scm: New variable.
---
 gnu/packages/networking.scm | 43 +++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 5504742fa..b630676db 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -2262,3 +2262,46 @@ allow all other machines, without direct access to that network, to be relayed
 through the machine the Dante server is running on.  The external network will
 never see any machines other than the one Dante is running on.")
     (license (license:non-copyleft "file://LICENSE"))))
+
+(define-public ufw
+  ;; Select the branch named "release/0.35":
+  (let* ((commit "fd93d37a782d4f736201df508fb86e72641874d8"))
+    (package
+    (name "ufw")
+    (version "0.35")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://git.launchpad.net/ufw")
+                    (commit commit)))
+              (sha256
+               (base32
+                "10r2ga1w5vmg8m4z5yim01cd0g8cs6ws2h65vaj6ilg8yp8d90f9"))
+              (file-name (git-file-name name version))))
+    (build-system python-build-system)
+    (inputs `(("iptables" ,iptables)))
+    (arguments
+     ;; FIXME: All tests fail with: ModuleNotFoundError: No module named
+     ;; 'ufw'
+     '(#:tests? #f
+       #:phases
+       (modify-phases %standard-phases
+         (add-before 'build 'fix-iptables-path
+           (lambda* (#:key inputs #:allow-other-keys)
+             (substitute* "setup.py"
+               (("iptables_exe = ''")
+                (string-append "iptables_exe = '"
+                               (assoc-ref inputs "iptables")
+                               "/sbin/iptables'")))
+             (substitute* "setup.py"
+               (("iptables_dir = ''")
+                (string-append "iptables_dir = '"
+                               (assoc-ref inputs "iptables")
+                               "/sbin/'"))))))))
+    (home-page "https://launchpad.net/ufw")
+    (synopsis "Uncomplicated firewall")
+    (description "Uncomplicated Firewall (UFW) is a program for managing a
+netfilter firewall designed to be easy to use.  It uses a command-line
+interface consisting of a small number of simple commands, and uses iptables
+for configuration.")
+    (license license:gpl3))))
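Review bot: in `arguments`, `#:tests? #f` switches off the whole test suite for a firewall front end with only a FIXME about `ModuleNotFoundError: No module named 'ufw'`; the comment should record what the check phase ran and why the module was not importable, so the tests can be re-enabled rather than staying off. The same list sets nothing for the install phase, although the log in this message shows setup.py rejecting `--single-version-externally-managed`, so the package does not build as posted. Smaller points: the two `substitute* "setup.py"` forms can be one call with both clauses, `let*` with a single binding can be `let`, the package fields need one more level of indentation under `(package`, and the commit log entry should name the variable, as in `* gnu/packages/networking.scm (ufw): New variable.`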
-- 
2.18.0



* Re: Packaging ufw
  2018-11-10 20:42     ` swedebugia
@ 2018-11-10 21:25       ` Danny Milosavljevic
  0 siblings, 0 replies; 7+ messages in thread
From: Danny Milosavljevic @ 2018-11-10 21:25 UTC (permalink / raw)
  To: swedebugia; +Cc: guix-devel


Hi,

On Sat, 10 Nov 2018 21:42:38 +0100
swedebugia <swedebugia@riseup.net> wrote:

> I need help.
> 
> It fails with
> 
> starting phase `install'
> running "python setup.py" with command "install" and parameters 
> ("--prefix=/gnu/store/v8kzgqs1jdfg7wzqr9c02719ada6x8bm-ufw-0.35" 
> "--single-version-externally-managed" "--root=/" "--root=/")
> Found 
> '/gnu/store/8assqq8vmmvn09cysg5nm3kf2075hvxd-iptables-1.6.2/sbin/iptables' 
> version '1.6.2\n''
> usage: -c [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
>     or: -c --help [cmd1 cmd2 ...]
>     or: -c --help-commands
>     or: -c cmd --help
> 
> error: option --single-version-externally-managed not recognized
> 
> This option comes from the python-build-system.

Yes, and it elaborates (in guix/guix/build/python-build-system.scm):

>;; Pip behaves a bit different then easy_install: it always executes
>;; "setup.py" with the option "--single-version-externally-managed" set.  This
>;; makes setuptools' "install" command run the original "install" command
>;; instead of the "easy_install" command, so no .pth file (and no site.py)
>;; will be created.  The "site-packages" directory only contains the package
>;; and the related .egg-info directory.
>;;
>;; This is exactly what we need for Guix and this is what we mimic in the
>;; install phase below.

>(define* (install #:key outputs (configure-flags '()) use-setuptools?
>                  #:allow-other-keys)
>  "Install a given Python package."
>  (let* ((out (assoc-ref outputs "out"))
>         (params (append (list (string-append "--prefix=" out))
>                         (if use-setuptools?

                              ^---- Aha!

>                             ;; distutils does not accept these flags
>
>                             (list "--single-version-externally-managed"
>                                    "--root=/")
>                             '())
>                         configure-flags)))
>    (call-setuppy "install" params use-setuptools?)
>    #t))

Try specifying

(arguments
 `(#:use-setuptools? #f))

in the package.

But if ufw doesn't use "--single-version-externally-managed", that implies
that ufw is not available on PyPI.  Weird.


* Re: Packaging ufw
@ 2018-11-11  1:30 Jeremiah
  0 siblings, 0 replies; 7+ messages in thread
From: Jeremiah @ 2018-11-11  1:30 UTC (permalink / raw)
  To: guix-devel

> I like this firewall, has anybody started packaging it?
No, possibly because it doesn't add much when one has iptables and a
guix configuration script for it.

> We have no other firewall packages judging from my emacs-guix regex
> search.
We have iptables and ebtables
and I suggest you consider the following iptables/ip6tables rules:
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

You could easily lock it down further but one piece of software needed
on servers missing on guix is port knocking software.

-Jeremiah
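
A defender's check for the baseline listed in the message above, as an added example that is not part of the thread: it reads text in `iptables-save` format and reports which of the five rules are missing from the filter table. The function names and both sample dumps are constructed for illustration.

```python
# Baseline from the message above: three chain policies, two INPUT accepts.
POLICIES = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
RULES = {
    "loopback accept": "-A INPUT -i lo -j ACCEPT",
    "conntrack accept":
        "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
}

def _norm(rule):
    # Sort comma lists so "ESTABLISHED,RELATED" equals "RELATED,ESTABLISHED".
    return [",".join(sorted(tok.split(","))) for tok in rule.split()]

def audit_baseline(dump):
    """Return the sorted baseline items missing from the filter table."""
    policies, rules, table = {}, [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header such as "*filter"
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table != "filter":
            continue
        elif line.startswith(":"):          # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            rules.append(_norm(line))
    missing = [f"policy {c} {p}" for c, p in POLICIES.items()
               if policies.get(c) != p]
    missing += [name for name, want in RULES.items()
                if _norm(want) not in rules]
    return sorted(missing)

# Constructed sample dumps in iptables-save format (not from a real host).
HARDENED = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""
DEFAULT_OPEN = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
```

On a live host the input would come from `iptables-save` and `ip6tables-save`. The comparison is an exact match on the rule form, so an equivalent rule written differently is reported as missing.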


Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git
