Subject: [bug#32465] Add iptables service
From: Arun Isaac
To: Ludovic Courtès
Cc: 32465@debbugs.gnu.org
Date: Tue, 18 Sep 2018 11:54:31 +0530
In-Reply-To: <87va734yxd.fsf@gnu.org>
References: <87lg8hbe0c.fsf@gnu.org> <87va734yxd.fsf@gnu.org>

>> - Is the example I added for the iptables.rules sufficient? I couldn't
>> find upstream documentation for the iptables.rules format. I suspect
>> it doesn't exist. Do you know of any upstream documentation that can
>> be referred to here?
>
> From a quick search it must be ,
> specifically .

This is general documentation for netfilter, not specific documentation
about the iptables.rules format. For that, I don't think there is upstream
documentation.

https://unix.stackexchange.com/questions/400163/netfilter-iptables-restore-file-format-documentation/400203

>> + (stop #~(lambda _
>> + (invoke #$iptables-restore #$%iptables-accept-all-rules)
>> + (invoke #$ip6tables-restore #$%iptables-accept-all-rules)))))))))
>
> There’s a peculiarity of ‘stop’ which is that it must return #f on
> success. So here, you just need to add a trailing #f after the second
> ‘invoke’ call. If you do that, I suppose the test that stops the
> firewall will pass.

There was one problem with stop-service being an unbound variable. I fixed
that by adding (use-modules (gnu services herd)). But now the test just
freezes up. I wonder if it is waiting for some timeout. Here is the snippet
for the test I am currently using. Also, returning #f from stop didn't make
a difference.

(test-assert "inetd echo service is accessible after iptables firewall is stopped"
  (begin
    ;; Ask the Shepherd inside the VM to stop the iptables service.
    (marionette-eval
     '(begin
        (use-modules (gnu services herd))
        (stop-service 'iptables))
     marionette)
    ;; With the firewall stopped, the inetd echo port should be reachable.
    (wait-for-tcp-port inetd-echo-port marionette #:timeout 5)))
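Review bot: in the quoted 'stop' procedure the lambda's value is whatever the second 'invoke' call returns, and, as noted in the reply, the Shepherd expects 'stop' to return #f on success, so the service is not reported as stopped. Make #f the last expression of the lambda, i.e. "(invoke #$ip6tables-restore #$%iptables-accept-all-rules) #f", and add a one-line comment above the #f saying why it is there, since the convention is easy to trip over again.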
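Since the thread finds no upstream description of the iptables.rules format, here is an added example (not from the patch or from Guix) showing the iptables-save/iptables-restore file layout the format actually is, with a constructed default-deny ruleset and a small structural check that runs without iptables installed. The file name, the check_rules function and the sample rules are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the bug#32465 patch or of Guix. Demonstrates the
# iptables-restore file format ("iptables.rules" in the thread) and a
# structure check that needs only awk. Names below are assumptions.
set -eu

# Constructed sample: default-deny INPUT, allow loopback, established
# connections, SSH and ICMP. Lines starting with '#' are ignored by
# iptables-restore, as are blank lines.
RULES_FILE="${TMPDIR:-/tmp}/iptables.rules.example"
cat > "$RULES_FILE" <<'EOF'
# table header: one block per table, closed by COMMIT
*filter
# chain declarations: :CHAIN POLICY [packets:bytes]; user chains use "-"
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# rules, in iptables command syntax without the "iptables" word
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF

# Constructed negative sample: a table that is never committed.
BAD_FILE="${TMPDIR:-/tmp}/iptables.rules.bad"
printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\n' > "$BAD_FILE"

# check_rules FILE: verify the block structure iptables-restore expects.
# Every table opens with "*name"; inside it only chain lines
# (":CHAIN POLICY [p:b]"), rule lines ("-A ..." / "-I ...") and a closing
# "COMMIT" are allowed. Returns 0 if sane, 1 with a diagnostic otherwise.
check_rules() {
  awk '
    /^[ \t]*(#|$)/ { next }                       # comment or blank line
    /^\*[a-z]+$/ {                                 # table header
      if (in_table) { failed = 1; print "table " table " not closed before line " NR; exit 1 }
      in_table = 1; table = substr($0, 2); next
    }
    !in_table { failed = 1; print "line " NR " outside any table block"; exit 1 }
    /^:[A-Za-z0-9_-]+ (ACCEPT|DROP|-) \[[0-9]+:[0-9]+\]$/ { next }   # chain line
    /^-[AI] / { next }                             # rule line
    /^COMMIT$/ { in_table = 0; next }              # end of table block
    { failed = 1; print "unrecognised line " NR ": " $0; exit 1 }
    END { if (!failed && in_table) { print "table " table " missing COMMIT"; exit 1 } }
  ' "$1"
}

check_rules "$RULES_FILE" && echo "ok: $RULES_FILE"
check_rules "$BAD_FILE" || echo "rejected as expected: $BAD_FILE"
```

The awk check only validates the layout; whether each rule is accepted by the kernel is a separate question, and for that iptables-restore itself has a --test option that parses the file without committing it (it needs the netfilter modules and root).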