From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001 From: Arun Isaac Date: Fri, 17 Aug 2018 16:39:07 +0530 Subject: [PATCH] gnu: services: Add iptables service. * gnu/services/networking.scm (): New record type. (iptables-service-type): New variable. * doc/guix.texi (Networking Services): Document it. --- doc/guix.texi | 27 ++++++++++++++++++++++ gnu/services/networking.scm | 45 ++++++++++++++++++++++++++++++++++++- 2 files changed, 71 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index 0b72e5d8c..d5ff43811 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -11287,6 +11287,33 @@ Thus, it can be instantiated like this: @end lisp @end defvr +@cindex iptables +@defvr {Scheme Variabe} iptables-service-type +This is the service type to set up an iptables coniguration. iptables is a +packet filtering framework supported by the Linux kernel. It can be +instantiated as: + +@lisp +(service iptables-service-type + (iptables-configuration + (rules (local-file "iptables.rules")))) +@end lisp + +@deftp {Data Type} iptables-configuration +The data type representing the configuration of @command{iptables}. + +@table @asis +@item @code{iptables} (default: @code{iptables}) +The iptables package that provides @code{iptables-restore}. +@item @code{rules} +The iptables rules to use. This is required. It will be passed to +@code{iptables-restore}. This may be any ``file-like'' object +(@pxref{G-Expressions, file-like objects}). +@end table +@end deftp + +@end defvr + @cindex NTP @cindex real time clock @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @ diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index d5d0cf9d1..46e0ee3d0 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -7,6 +7,7 @@ ;;; Copyright © 2017 Thomas Danckaert ;;; Copyright © 2017 Marius Bakke ;;; Copyright © 2018 Tobias Geerinckx-Rice +;;; Copyright © 2018 Arun Isaac ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -102,7 +103,13 @@ wpa-supplicant-service-type openvswitch-service-type - openvswitch-configuration)) + openvswitch-configuration + + iptables-configuration + iptables-configuration? + iptables-configuration-iptables + iptables-configuration-rules + iptables-service-type)) ;;; Commentary: ;;; @@ -1086,4 +1093,40 @@ networking.")))) switch designed to enable massive network automation through programmatic extension."))) +;;; +;;; iptables +;;; + +(define-record-type* + iptables-configuration make-iptables-configuration iptables-configuration? + (iptables iptables-configuration-iptables + (default iptables)) + (rules iptables-configuration-rules)) + +(define iptables-shepherd-service + (match-lambda + (($ iptables rules) + (let ((iptables-restore (file-append iptables "/sbin/iptables-restore"))) + (shepherd-service + (documentation "Packet filtering framework") + (provision '(iptables)) + (start #~(lambda _ (invoke #$iptables-restore #$rules))) + (stop #~(lambda _ (invoke #$iptables-restore + #$(plain-file "iptables.rules" + "*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +"))))))))) + +(define iptables-service-type + (service-type + (name 'iptables) + (description + "Run @command{iptables-restore}, setting up the specified rules.") + (extensions + (list (service-extension shepherd-root-service-type + (compose list iptables-shepherd-service)))))) + ;;; networking.scm ends here -- 2.18.0
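Review bot: The service only ever runs `iptables-restore`, so the IPv6 tables are never touched: a host whose `rules` file closes every port is still wide open over IPv6 under the kernel's default ACCEPT policy, and neither the shepherd `documentation` string nor the Texinfo hunk says so. The `stop` rules likewise reset only the `*filter` table, so any `nat`, `mangle` or `raw` entries loaded from the user's file survive `herd stop iptables`; either flush those tables as well or document that stopping is filter-only and fail-open. Since `invoke` raises on a non-zero exit and `iptables-restore` commits a table as a unit, a rules file it rejects leaves the kernel with whatever it had before (ACCEPT-all at boot) and the service marked failed, which deserves a sentence in the docstring so operators check `herd status iptables` after a reconfigure. The sketch below adds an optional `ipv6-rules` field and mirrors each call with `ip6tables-restore` from the same package (the record type's angle-bracketed name is stripped in this rendering and written out here). The Texinfo hunk also misspells `Variabe` and `coniguration`.
```scheme
(define-record-type* <iptables-configuration>
  iptables-configuration make-iptables-configuration iptables-configuration?
  (iptables iptables-configuration-iptables
            (default iptables))
  (rules iptables-configuration-rules)
  ;; Rules fed to ip6tables-restore; #f leaves the IPv6 tables untouched.
  (ipv6-rules iptables-configuration-ipv6-rules
              (default #f)))

;; … unchanged: the ACCEPT-all plain-file, hoisted into accept-all-rules …

(define iptables-shepherd-service
  (match-lambda
    (($ <iptables-configuration> iptables rules ipv6-rules)
     (let ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
           (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore")))
       (shepherd-service
        ;; … unchanged: documentation, provision …
        (start #~(lambda _
                   (invoke #$iptables-restore #$rules)
                   (when #$ipv6-rules
                     (invoke #$ip6tables-restore #$ipv6-rules))
                   #t))
        ;; Fail-open by design: both stacks go back to ACCEPT-all on stop.
        (stop #~(lambda _
                  (invoke #$iptables-restore #$accept-all-rules)
                  (when #$ipv6-rules
                    (invoke #$ip6tables-restore #$accept-all-rules)))))))))
```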