From: ludo@gnu.org (Ludovic Courtès)
To: Arun Isaac <arunisaac@systemreboot.net>
Cc: 32465@debbugs.gnu.org
Subject: [bug#32465] Add iptables service
Date: Tue, 04 Sep 2018 15:14:59 +0200
Message-ID: <87lg8hbe0c.fsf@gnu.org>
In-Reply-To: <cu7tvnt6xss.fsf@systemreboot.net> (Arun Isaac's message of "Fri, 17 Aug 2018 16:54:19 +0530")

Hello Arun,

Sorry for the delay, everyone must have been on vacation for a while.
:-)

Arun Isaac <arunisaac@systemreboot.net> skribis:

> I have written a service to configure iptables rules. What tests should
> I write for this service? I see the following two approaches to tests:
>
> - Dump the iptables rules using iptables-save and verify that they
>   matches the configured rules.
> - Configure iptables to block certain ports and allow some other
>   ports. Then, run a service on those ports and check if it is possible to
>   reach them.

Both approaches LGTM.

> After we have iterated a few times, and converged on the final patch for
> this service, I will also contribute a similar service for ip6tables.

Neat!

> From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001
> From: Arun Isaac <arunisaac@systemreboot.net>
> Date: Fri, 17 Aug 2018 16:39:07 +0530
> Subject: [PATCH] gnu: services: Add iptables service.
>
> * gnu/services/networking.scm (<iptables-configuration>): New record type.
> (iptables-service-type): New variable.
> * doc/guix.texi (Networking Services): Document it.

[...]

> +@defvr {Scheme Variabe} iptables-service-type
> +This is the service type to set up an iptables coniguration. iptables is a
> +packet filtering framework supported by the Linux kernel.  It can be
> +instantiated as:
> +
> +@lisp
> +(service iptables-service-type
> +	 (iptables-configuration
> +	  (rules (local-file "iptables.rules"))))
> +@end lisp
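Review bot: the “@defvr {Scheme Variabe} iptables-service-type” block opened on the first line of this hunk is never closed; add “@end defvr” after “@end lisp”, or makeinfo will complain about the unterminated definition. Two typos in the same block: “Scheme Variabe” should be “Scheme Variable” and “iptables coniguration” should be “iptables configuration”. Since the rules file is the only thing a user supplies, the entry should also say what “iptables.rules” looks like, i.e. that it is in the format read by iptables-restore (and written by iptables-save), with a minimal example or a pointer to the upstream documentation.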

“@end defvr” should be here.

What about adding either an “iptables.rules” example, a link to
upstream’s documentation, or both?

> +(define iptables-shepherd-service
> +  (match-lambda
> +    (($ <iptables-configuration> iptables rules)
> +     (let ((iptables-restore (file-append iptables "/sbin/iptables-restore")))
> +       (shepherd-service
> +        (documentation "Packet filtering framework")
> +        (provision '(iptables))
> +        (start #~(lambda _ (invoke #$iptables-restore #$rules)))
> +        (stop #~(lambda _ (invoke #$iptables-restore
> +                                  #$(plain-file "iptables.rules"
> +                                                "*filter
> +:INPUT ACCEPT [0:0]
> +:FORWARD ACCEPT [0:0]
> +:OUTPUT ACCEPT [0:0]
> +COMMIT
> +")))))))))
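Review bot: the ‘stop’ action does not restore whatever was loaded before ‘start’; it loads a fixed filter table whose INPUT, FORWARD and OUTPUT policies are all ACCEPT with no rules, so “herd stop iptables” leaves the host with no packet filtering at all. That is acceptable on a fresh boot, as discussed below, but it should be stated in the documentation. It is also only a partial reset: the replacement file names “*filter” alone, so if the user’s rules file also populates the nat or mangle tables, those rules survive a stop. Either generate the reset file from the tables actually named in the configured rules, or document that stop only clears the filter table.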

I was thinking that ‘stop’ might undo more than we want, but OTOH, when
the service starts, there are no rules loaded anyway.  So I guess this
is fine.

It would be great if you could get a system test as you suggest, but
anyhow it looks great to me.

Thanks,
Ludo’.
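The first test approach Arun describes (dump the live rules with iptables-save and compare them with the configured file) and the “iptables.rules” example Ludo asks for, written out as an added example; this is not code from the patch or from Guix. The rules file, the iptables-save dump and the post-stop table below are constructed samples, and only check_live_system() touches a real system (it needs root and an iptables installation). It assumes the rules file is written in the canonical form iptables-save itself prints (for example “-p tcp -m tcp --dport 22” rather than “-p tcp --dport 22”), since the comparison is textual after comments and counters are stripped.

```python
# Added example: check a configured iptables rules file against iptables-save.
import re
import subprocess

# Constructed example of an "iptables.rules" file for iptables-restore:
# default-deny inbound, allow loopback, reply traffic and SSH.
IPTABLES_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample of `iptables-save` output after loading the file above:
# the header comments and the non-zero counters differ, the rules do not.
SAVE_OUTPUT = """\
# Generated by iptables-save v1.6.2 on Tue Sep  4 15:14:59 2018
*filter
:INPUT DROP [17:1460]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [52:4390]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Tue Sep  4 15:14:59 2018
"""

# The table the patch's `stop` action loads: no rules, everything accepted.
STOP_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]")


def parse_ruleset(text):
    """Parse iptables-save/iptables-restore text into
    {table: {"policies": {chain: policy}, "rules": [rule, ...]}}.
    Comments and [packets:bytes] counters are dropped so that a live
    dump can be compared with the file it was restored from."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError("line outside of a table: %r" % line)
        elif line.startswith(":"):
            # ":CHAIN POLICY [pkts:bytes]"; user-defined chains have policy "-"
            chain, policy = COUNTER_RE.sub("", line[1:]).split()
            current["policies"][chain] = policy
        else:
            # "iptables-save -c" prefixes each rule with its counters
            current["rules"].append(COUNTER_RE.sub("", line).strip())
    return tables


def diff_rulesets(expected, actual):
    """Return human-readable differences; an empty list means the live
    ruleset matches the configured one.  Rule order matters in a chain."""
    problems = []
    for table in sorted(set(expected) | set(actual)):
        if table not in actual:
            problems.append("table %s not loaded" % table)
            continue
        if table not in expected:
            problems.append("unexpected table %s loaded" % table)
            continue
        exp, act = expected[table], actual[table]
        for chain in sorted(set(exp["policies"]) | set(act["policies"])):
            e, a = exp["policies"].get(chain), act["policies"].get(chain)
            if e != a:
                problems.append("%s/%s policy: expected %s, got %s" % (table, chain, e, a))
        if exp["rules"] != act["rules"]:
            missing = [r for r in exp["rules"] if r not in act["rules"]]
            extra = [r for r in act["rules"] if r not in exp["rules"]]
            problems += ["%s: missing rule %r" % (table, r) for r in missing]
            problems += ["%s: extra rule %r" % (table, r) for r in extra]
            if not missing and not extra:
                problems.append("%s: same rules in a different order" % table)
    return problems


def filter_is_wide_open(ruleset):
    """True when the filter table has no rules and all-ACCEPT policies,
    i.e. the state the patch's stop action leaves the host in."""
    f = ruleset.get("filter")
    return f is not None and not f["rules"] and set(f["policies"].values()) == {"ACCEPT"}


def check_live_system(rules_file):
    """Compare the running kernel ruleset with rules_file (needs root)."""
    with open(rules_file) as fh:
        expected = parse_ruleset(fh.read())
    dump = subprocess.run(["iptables-save"], check=True,
                          capture_output=True, text=True).stdout
    return diff_rulesets(expected, parse_ruleset(dump))
```

In a system test the same comparison would run inside the VM after “herd start iptables” (expecting no differences) and again after “herd stop iptables”, where filter_is_wide_open() documents what the patch's stop action actually leaves behind. Comparing against iptables-save output rather than probing ports catches policy and ordering mistakes that a reachability test on a couple of ports would miss.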

Thread overview: 16+ messages
2018-08-17 11:24 [bug#32465] Add iptables service Arun Isaac
2018-09-04 13:14 ` Ludovic Courtès [this message]
2018-09-04 13:52   ` Julien Lepiller
2018-09-05  9:40     ` Arun Isaac
2018-09-10 12:51       ` Ludovic Courtès
2018-09-05  9:42   ` Arun Isaac
2018-09-14 10:59     ` Arun Isaac
2018-09-17 21:05       ` Ludovic Courtès
2018-09-18  6:24         ` Arun Isaac
2018-09-18 14:39           ` Ludovic Courtès
2018-09-18 16:02             ` Arun Isaac
2018-09-19 20:41               ` Ludovic Courtès
2018-09-20  7:50                 ` bug#32465: " Arun Isaac
2018-09-11  6:53 ` [bug#32465] " Björn Höfling
2018-09-11  8:43   ` Arun Isaac
2018-09-15 12:27     ` Rutger Helling
