From: Julien Lepiller <julien@lepiller.eu>
To: 32465@debbugs.gnu.org
Subject: [bug#32465] Add iptables service
Date: Tue, 04 Sep 2018 15:52:38 +0200	[thread overview]
Message-ID: <0dd58c95062371f585a17899387bfdeb@lepiller.eu> (raw)
In-Reply-To: <87lg8hbe0c.fsf@gnu.org>

Hi,

it's not directly an answer to Arun's patch (it is great), but I 
recently came across FireMason 
(http://www.cs.yale.edu/homes/zhai-ennan/firemason.pdf and 
https://github.com/BillHallahan/FireMason) and I thought we could 
implement something similar. Basically, we declare a list of rules in 
the iptables service, and we let other services extend that. A rule 
would be a specification, independent of the order in which they are 
specified: "Any packet that matches this rule must be rejected".

Of course, this means that we may have conflicting specifications, for 
instance "any packet from this IP must be dropped" and "any packet 
entering on this port must be accepted" are in conflict for packets 
entering on this port from this IP address. All we need is a mechanism 
to make these cases explicit (when a packet may be dropped or accepted at the 
same time), such as "repair: packets from this IP on this port must be 
dropped", so the service will effectively see these rules: "any packet 
from this IP must be dropped" and "any packet entering on this port but 
not from this IP must be accepted", then translated to:

-A INPUT ! -s <ip> -p tcp --dport <port> -j ACCEPT
-A INPUT -s <ip> -j DROP

(see how they are independent from the order in which they are 
declared?)

The hard part is to detect a conflict between two rules and give hints 
to the user as to how to fix that.

Of course, we should provide a mechanism to load files as a fallback, in 
which case additional rules from services should be ignored.

What do you think?



PS: Arun, in your patch for the manual you say: "This is the service 
type to set up an iptables coniguration". This should be 
"configuration".
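The following is an added illustration of the scheme sketched in the message above; it is not code from this thread, from Guix, or from FireMason. It is written in Python rather than Guile so it can be run directly, and it assumes a deliberately small rule vocabulary (source IP and TCP destination port only, actions ACCEPT and DROP) and a "repair" rule that names exactly the overlapping packets. The addresses and ports are constructed sample values. It detects the conflict described in the message, refuses to compile until a repair exists, and then emits iptables lines that are the same whatever order the rules were declared in, carving the overlap out of the overridden rule with a single negated match exactly as in the message's example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """Declarative rule: every packet matching all set fields gets `action`."""
    action: str                  # "ACCEPT" or "DROP"
    src: Optional[str] = None    # source IP address; None means any
    dport: Optional[int] = None  # TCP destination port; None means any
    repair: bool = False         # True: this rule decides a known conflict

FIELDS = ("src", "dport")  # assumed vocabulary; a real service would have more

def overlap(a, b):
    """Field values of the packets matched by both rules, or None if disjoint."""
    out = {}
    for f in FIELDS:
        x, y = getattr(a, f), getattr(b, f)
        if x is not None and y is not None and x != y:
            return None
        out[f] = x if x is not None else y
    return out

def conflicts(rules):
    """Pairs of plain rules that both match some packet yet disagree on its fate."""
    plain = [r for r in rules if not r.repair]
    found = []
    for i, a in enumerate(plain):
        for b in plain[i + 1:]:
            ov = overlap(a, b)
            if ov is not None and a.action != b.action:
                found.append((a, b, ov))
    return found

def find_repair(rules, ov):
    """The repair rule that pins down exactly the overlapping packets, if any."""
    for r in rules:
        if r.repair and all(getattr(r, f) == ov[f] for f in FIELDS):
            return r
    return None

def unresolved(rules):
    """Conflicts the user still has to decide, each with the overlap to repair."""
    return [(a, b, ov) for a, b, ov in conflicts(rules) if find_repair(rules, ov) is None]

def specificity(rule):
    """Number of positively matched fields; used to order the emitted lines."""
    return sum(getattr(rule, f) is not None for f in FIELDS)

def render(rule, negate=None):
    """One iptables line. `negate` = (field, value) adds an inverse match on a
    field the rule itself leaves open."""
    parts = ["-A INPUT"]
    if negate and negate[0] == "src":
        parts.append(f"! -s {negate[1]}")
    elif rule.src is not None:
        parts.append(f"-s {rule.src}")
    if negate and negate[0] == "dport":
        # the "!" must follow -p tcp: "! -p tcp" would invert the protocol match
        parts.append(f"-p tcp ! --dport {negate[1]}")
    elif rule.dport is not None:
        parts.append(f"-p tcp --dport {rule.dport}")
    parts.append(f"-j {rule.action}")
    return " ".join(parts)

def compile_rules(rules):
    """Order-independent iptables lines; raises if a conflict has no repair."""
    pending = unresolved(rules)
    if pending:
        a, b, ov = pending[0]
        raise ValueError(f"conflict between {render(a)!r} and {render(b)!r}; "
                         f"add a repair rule deciding packets matching {ov}")
    emitted = {r: None for r in rules if not r.repair}  # rule -> negation or None
    need_repair = set()
    for a, b, ov in conflicts(rules):
        rep = find_repair(rules, ov)
        loser = a if a.action != rep.action else b  # the rule the repair overrides
        # carve the overlap out of the loser when the repair fixes exactly one
        # field the loser leaves open (one negated match is enough then)
        extra = [f for f in FIELDS if getattr(loser, f) is None and ov[f] is not None]
        if len(extra) == 1 and emitted[loser] is None:
            emitted[loser] = (extra[0], ov[extra[0]])
        else:
            need_repair.add(rep)  # otherwise emit the repair, most specific first
    lines = [(r, render(r, neg)) for r, neg in emitted.items()]
    lines += [(r, render(r)) for r in need_repair]
    # deterministic: most specific rule first, then alphabetical
    return [line for _, line in sorted(lines, key=lambda p: (-specificity(p[0]), p[1]))]

# constructed sample: the two conflicting rules from the message plus the repair
RULES = [
    Rule("DROP", src="192.0.2.10"),
    Rule("ACCEPT", dport=22),
    Rule("DROP", src="192.0.2.10", dport=22, repair=True),
]

if __name__ == "__main__":
    print("\n".join(compile_rules(RULES)))
```

Running it prints the two lines from the message with the sample address filled in; dropping the repair rule makes `compile_rules` raise and name the overlapping packets, which is the "hint to the user" the message asks for. When a repair fixes more than one open field of the overridden rule, a single negation cannot express the carve-out, so the repair itself is emitted ahead of the others and first-match ordering does the work.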

Thread overview: 16+ messages
2018-08-17 11:24 [bug#32465] Add iptables service Arun Isaac
2018-09-04 13:14 ` Ludovic Courtès
2018-09-04 13:52   ` Julien Lepiller [this message]
2018-09-05  9:40     ` Arun Isaac
2018-09-10 12:51       ` Ludovic Courtès
2018-09-05  9:42   ` Arun Isaac
2018-09-14 10:59     ` Arun Isaac
2018-09-17 21:05       ` Ludovic Courtès
2018-09-18  6:24         ` Arun Isaac
2018-09-18 14:39           ` Ludovic Courtès
2018-09-18 16:02             ` Arun Isaac
2018-09-19 20:41               ` Ludovic Courtès
2018-09-20  7:50                 ` bug#32465: " Arun Isaac
2018-09-11  6:53 ` [bug#32465] " Björn Höfling
2018-09-11  8:43   ` Arun Isaac
2018-09-15 12:27     ` Rutger Helling