From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:51070)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fqcsN-00008l-Rf
	for guix-patches@gnu.org; Fri, 17 Aug 2018 07:25:08 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fqcsK-0008A2-Mw
	for guix-patches@gnu.org; Fri, 17 Aug 2018 07:25:07 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:48265)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1fqcsK-00089l-HK
	for guix-patches@gnu.org; Fri, 17 Aug 2018 07:25:04 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1fqcsK-0003qp-88
	for guix-patches@gnu.org; Fri, 17 Aug 2018 07:25:04 -0400
Subject: [bug#32465] Add iptables service
Resent-Message-ID: <handler.32465.B.153450508514767@debbugs.gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50931)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <arunisaac@systemreboot.net>) id 1fqcrs-0008KH-BD
	for guix-patches@gnu.org; Fri, 17 Aug 2018 07:24:37 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <arunisaac@systemreboot.net>) id 1fqcrp-0007mv-6c
	for guix-patches@gnu.org; Fri, 17 Aug 2018 07:24:36 -0400
Received: from vultr.systemreboot.net ([45.77.148.100]:58906)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <arunisaac@systemreboot.net>)
	id 1fqcro-0007ka-Ox
	for guix-patches@gnu.org; Fri, 17 Aug 2018 07:24:33 -0400
Received: from [192.168.2.1] (helo=steel) by systemreboot.net with esmtpsa
	(TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.91) (envelope-from <arunisaac@systemreboot.net>)
	id 1fqcri-0005qK-6h
	for guix-patches@gnu.org; Fri, 17 Aug 2018 16:54:27 +0530
From: Arun Isaac <arunisaac@systemreboot.net>
Date: Fri, 17 Aug 2018 16:54:19 +0530
Message-ID: <cu7tvnt6xss.fsf@systemreboot.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: 32465@debbugs.gnu.org

--=-=-=
Content-Type: text/plain


I have written a service to configure iptables rules. What tests should
I write for this service? I see the following two approaches to tests:

- Dump the iptables rules using iptables-save and verify that they
  matches the configured rules.
- Configure iptables to block certain ports and allow some other
  ports. Then, run a service on those ports and check if it is possible to
  reach them.

After we have iterated a few times, and converged on the final patch for
this service, I will also contribute a similar service for ip6tables.


--=-=-=
Content-Type: text/x-patch; charset=utf-8
Content-Disposition: inline;
 filename=0001-gnu-services-Add-iptables-service.patch
Content-Transfer-Encoding: quoted-printable

>From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001
From: Arun Isaac <arunisaac@systemreboot.net>
Date: Fri, 17 Aug 2018 16:39:07 +0530
Subject: [PATCH] gnu: services: Add iptables service.

* gnu/services/networking.scm (<iptables-configuration>): New record type.
(iptables-service-type): New variable.
* doc/guix.texi (Networking Services): Document it.
---
 doc/guix.texi               | 27 ++++++++++++++++++++++
 gnu/services/networking.scm | 45 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0b72e5d8c..d5ff43811 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -11287,6 +11287,33 @@ Thus, it can be instantiated like this:
 @end lisp
 @end defvr
=20
+@cindex iptables
+@defvr {Scheme Variabe} iptables-service-type
+This is the service type to set up an iptables coniguration. iptables is a
+packet filtering framework supported by the Linux kernel.  It can be
+instantiated as:
+
+@lisp
+(service iptables-service-type
+	 (iptables-configuration
+	  (rules (local-file "iptables.rules"))))
+@end lisp
+
+@deftp {Data Type} iptables-configuration
+The data type representing the configuration of @command{iptables}.
+
+@table @asis
+@item @code{iptables} (default: @code{iptables})
+The iptables package that provides @code{iptables-restore}.
+@item @code{rules}
+The iptables rules to use.  This is required.  It will be passed to
+@code{iptables-restore}.  This may be any ``file-like'' object
+(@pxref{G-Expressions, file-like objects}).
+@end table
+@end deftp
+
+@end defvr
+
 @cindex NTP
 @cindex real time clock
 @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index d5d0cf9d1..46e0ee3d0 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -7,6 +7,7 @@
 ;;; Copyright =C2=A9 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright =C2=A9 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright =C2=A9 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright =C2=A9 2018 Arun Isaac <arunisaac@systemreboot.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -102,7 +103,13 @@
             wpa-supplicant-service-type
=20
             openvswitch-service-type
-            openvswitch-configuration))
+            openvswitch-configuration
+
+            iptables-configuration
+            iptables-configuration?
+            iptables-configuration-iptables
+            iptables-configuration-rules
+            iptables-service-type))
=20
 ;;; Commentary:
 ;;;
@@ -1086,4 +1093,40 @@ networking."))))
 switch designed to enable massive network automation through programmatic
 extension.")))
=20
+;;;
+;;; iptables
+;;;
+
+(define-record-type* <iptables-configuration>
+  iptables-configuration make-iptables-configuration iptables-configuratio=
n?
+  (iptables iptables-configuration-iptables
+            (default iptables))
+  (rules iptables-configuration-rules))
+
+(define iptables-shepherd-service
+  (match-lambda
+    (($ <iptables-configuration> iptables rules)
+     (let ((iptables-restore (file-append iptables "/sbin/iptables-restore=
")))
+       (shepherd-service
+        (documentation "Packet filtering framework")
+        (provision '(iptables))
+        (start #~(lambda _ (invoke #$iptables-restore #$rules)))
+        (stop #~(lambda _ (invoke #$iptables-restore
+                                  #$(plain-file "iptables.rules"
+                                                "*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+")))))))))
+
+(define iptables-service-type
+  (service-type
+   (name 'iptables)
+   (description
+    "Run @command{iptables-restore}, setting up the specified rules.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list iptables-shepherd-service))))))
+
 ;;; networking.scm ends here
--=20
2.18.0


--=-=-=--