Subject: [bug#32465] Add iptables service
From: ludo@gnu.org (Ludovic Courtès)
To: Arun Isaac
Cc: 32465@debbugs.gnu.org
Date: Mon, 17 Sep 2018 23:05:50 +0200
Message-ID: <87va734yxd.fsf@gnu.org>
In-Reply-To: (Arun Isaac's message of "Fri, 14 Sep 2018 16:29:09 +0530")
References: <87lg8hbe0c.fsf@gnu.org>

Hi Arun,

Arun Isaac skribis:

> I generalized this service to work for both iptables and ip6tables. I
> added system tests, and made the other corrections that were
> suggested. Some questions follow.
>
> - Is the example I added for the iptables.rules sufficient? I couldn't
>   find upstream documentation for the iptables.rules format. I suspect
>   it doesn't exist. Do you know of any upstream documentation that can
>   be referred to here?

From a quick search it must be , specifically .

> - In the attached patch, the fourth test ("inetd echo service is
>   accessible after iptables firewall is stopped") doesn't work. In that
>   service, I am trying to stop the iptables service, but I'm not able
>   to. How do I programmatically stop the iptables service? Is what I
>   have done correct?

[...]

> +       (shepherd-service
> +         (documentation "Packet filtering framework")
> +         (provision '(iptables))
> +         (start #~(lambda _
> +                    (invoke #$iptables-restore #$ipv4-rules)
> +                    (invoke #$ip6tables-restore #$ipv6-rules)))
> +         (stop #~(lambda _
> +                   (invoke #$iptables-restore #$%iptables-accept-all-rules)
> +                   (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))

There’s a peculiarity of ‘stop’ which is that it must return #f on
success. So here, you just need to add a trailing #f after the second
‘invoke’ call.

If you do that, I suppose the test that stops the firewall will pass.
And if it does, I think you can go ahead and push! :-)

Thank you,
Ludo’.
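Review bot: the `stop` lambda in the quoted `shepherd-service` returns whatever the second `invoke` returns rather than #f, so Shepherd does not treat the stop as successful, which is why the fourth system test ("inetd echo service is accessible after iptables firewall is stopped") cannot pass; making `#f` the last expression of the lambda, as suggested above, resolves it. A second point on `start`: the IPv4 ruleset is loaded before the IPv6 one with no rollback, so if `ip6tables-restore` fails the IPv4 rules remain active while the service is reported as not started; consider undoing the IPv4 load on that failure or documenting the partial state so operators know which filters are in effect.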