From: ludo@gnu.org (Ludovic Courtès)
To: Arun Isaac
Cc: 32465@debbugs.gnu.org
Subject: [bug#32465] Add iptables service
Date: Tue, 04 Sep 2018 15:14:59 +0200
Message-ID: <87lg8hbe0c.fsf@gnu.org>
In-Reply-To: (Arun Isaac's message of "Fri, 17 Aug 2018 16:54:19 +0530")

Hello Arun,

Sorry for the delay, everyone must have been on vacations for a while. :-)

Arun Isaac skribis:

> I have written a service to configure iptables rules. What tests should
> I write for this service? I see the following two approaches to tests:
>
> - Dump the iptables rules using iptables-save and verify that they
>   match the configured rules.
> - Configure iptables to block certain ports and allow some other
>   ports. Then, run a service on those ports and check if it is possible to
>   reach them.

Both approaches LGTM.
> After we have iterated a few times, and converged on the final patch for
> this service, I will also contribute a similar service for ip6tables.

Neat!

> From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001
> From: Arun Isaac
> Date: Fri, 17 Aug 2018 16:39:07 +0530
> Subject: [PATCH] gnu: services: Add iptables service.
>
> * gnu/services/networking.scm (): New record type.
> (iptables-service-type): New variable.
> * doc/guix.texi (Networking Services): Document it.

[...]

> +@defvr {Scheme Variabe} iptables-service-type
> +This is the service type to set up an iptables coniguration. iptables is a
> +packet filtering framework supported by the Linux kernel. It can be
> +instantiated as:
> +
> +@lisp
> +(service iptables-service-type
> +         (iptables-configuration
> +          (rules (local-file "iptables.rules"))))
> +@end lisp

“@end defvr” should be here.

What about adding either an “iptables.rules” example, a link to
upstream’s documentation, or both?

> +(define iptables-shepherd-service
> +  (match-lambda
> +    (($ iptables rules)
> +     (let ((iptables-restore (file-append iptables "/sbin/iptables-restore")))
> +       (shepherd-service
> +        (documentation "Packet filtering framework")
> +        (provision '(iptables))
> +        (start #~(lambda _ (invoke #$iptables-restore #$rules)))
> +        (stop #~(lambda _ (invoke #$iptables-restore
> +                                  #$(plain-file "iptables.rules"
> +                                                "*filter
> +:INPUT ACCEPT [0:0]
> +:FORWARD ACCEPT [0:0]
> +:OUTPUT ACCEPT [0:0]
> +COMMIT
> +")))))))))

I was thinking that ‘stop’ might undo more than we want, but OTOH, when
the service starts, there are no rules loaded anyway. So I guess this
is fine.

It would be great if you could get a system test as you suggest, but
anyhow it looks great to me.

Thanks,
Ludo’.
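Review bot: in the doc/guix.texi hunk, the `@defvr {Scheme Variabe} iptables-service-type` block is never closed; an `@end defvr` belongs after `@end lisp`. The same hunk carries two typos, `Variabe` for `Variable` and `coniguration` for `configuration`. The `@lisp` example shows only `(rules (local-file "iptables.rules"))` and says nothing about what that file contains; since the Scheme hunk hands it straight to `iptables-restore`, one sentence stating that the file must be in the `iptables-save`/`iptables-restore` format would tell readers how to write it.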
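Review bot: in the `iptables-shepherd-service` hunk, the `stop` action resets only the `filter` table: the embedded ruleset begins with `*filter` and has no `*nat`, `*mangle` or `*raw` section, so any rules the user's `rules` file installs in those tables survive a `herd stop iptables`. Either document that `stop` touches only `filter`, or extend the reset ruleset to cover the other tables. It is also worth stating next to `stop` that the reset policy is `ACCEPT` on `INPUT`, `FORWARD` and `OUTPUT`, so a stopped service leaves the host with no packet filtering at all rather than with a restrictive fallback; that matches the "no rules loaded" state before `start`, as the reply above notes, but users reaching for `herd stop` should know it.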
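An example ruleset of the kind the reply above asks for, written here as an added illustration and not taken from the patch or from Guix itself. The file is in the iptables-save format that iptables-restore reads (the same format the patch's stop action feeds it), and the record name iptables-configuration and field name rules are the ones the patch introduces. The policy (drop inbound traffic by default, allow loopback, already-established flows, inbound SSH and rate-limited ping) is an assumption chosen for illustration; the variable names %iptables-rules and %iptables-service are likewise mine.

```scheme
;; Added example, not part of the patch or of Guix: a filter-table
;; ruleset for the iptables service, embedded with plain-file so the
;; operating-system declaration is self-contained.  Names prefixed with
;; % are this example's own; iptables-configuration and rules come from
;; the patch.
(use-modules (gnu)
             (gnu services networking))

(define %iptables-rules
  (plain-file "iptables.rules"
              "*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic and replies to connections we opened are always fine.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept new inbound SSH sessions; everything else falls to the DROP policy.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Answer ping, but rate-limited so it cannot be used to flood the host.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
"))

;; The service instance to add to the services field of an
;; operating-system, e.g. (cons %iptables-service %base-services).
(define %iptables-service
  (service iptables-service-type
           (iptables-configuration
            (rules %iptables-rules))))
```

Lines starting with `#` are ignored by iptables-restore, so the comments can stay in the file. Two points follow from the patch's own code: `start` runs iptables-restore without `--noflush`, so loading this file replaces whatever the `filter` table held before, and `stop` reloads an accept-all `filter` table, so `herd stop iptables` removes this policy entirely rather than falling back to a restrictive one.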