Subject: [bug#48975] [PATCH] gnu: simple-firewall-service: Add a simple service wrapping iptables
From: antlers
To: 48975@debbugs.gnu.org
Date: Sun, 6 Nov 2022 12:39:26 -0800
In-Reply-To: <20221104072550.32038-1-autumnalantlers@gmail.com>

After googling around a bit it looks like the `*filter` and `COMMIT` commands in iptables configurations do in fact form a transactional block that would allow us to accept additional plain-files via extensions and just concatenate them, if that's a road we want to go down.

On Fri, Nov 4, 2022 at 12:26 AM antlers <autumnalantlers@gmail.com> wrote:
> From: antlers <antlers@luris.net>
>
> * gnu/services/networking.scm (simple-firewall-service): Add.
>   (iptables-service): Allow a crude sort of service extension.
>
> I tried out a keyword-based syntax:
> ```
> (simple-firewall-configuration
>   (allow-forwarding? #t)
>   (allowed-ports '(#:both 51234
>                    #:tcp  80 443
>                    #:udp  4444))
> ```
> But kept the more verbose tcp and udp fields because I don't want
> people to have to use quasiquotes to splice in evaluated port-numbers
> after the keywords.
>
> I like the suggestion that there should be a field for redirecting
> packets, whether to loopback or another box, as it took me a while to
> learn about e.g. masquerading last time I needed to set something like
> that up. Not sure what command would be equivalent to the NAT
> suggestion?
>
> I guess nftables has superseded iptables, but I'm not as familiar with
> it? Perhaps I can add it as a second back-end in the future. My
> primary concern right now is a pure Scheme interface for networking
> configuration; most notably via service inheritance! Simple-firewall
> now lets you open ports via extensions in other services; in order for
> this option to be widely available, perhaps it's the
> {nf,ip}tables-services that should be extensible? It's a tricky
> problem atm because we don't really want services that need ports
> depending on a specific backend, there are existing APIs, they use
> plain-files over structs or strings, and rule orders need to be
> really specific/coordinated. Idk, maybe that isn't something we really
> want in the first place, but it sure feels good from a configuration /
> organizational point-of-view. Happy to tweak this again if anyone has
> ideas.
> ---
>  gnu/services/networking.scm | 79 ++++++++++++++++++++++++++++++++++++-
>  1 file changed, 77 insertions(+), 2 deletions(-)
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 19aba8c266..0866c10b34 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm
> @@ -18,6 +18,8 @@ > ;;; Copyright =C2=A9 2021 Christine Lemmer-Webber > ;;; Copyright =C2=A9 2021 Maxime Devos > ;;; Copyright =C2=A9 2021 Guillaume Le Vaillant > +;;; Copyright =C2=A9 2021 Solene Rapenne > +;;; Copyright =C2=A9 2022 antlers > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -225,7 +227,11 @@ (define-module (gnu services networking) > > keepalived-configuration > keepalived-configuration? > - keepalived-service-type)) > + keepalived-service-type > + > + simple-firewall-service-type > + simple-firewall-configuration > + simple-firewall-configuration?)) > > ;;; Commentary: > ;;; > @@ -1721,7 +1727,13 @@ (define iptables-service-type > "Run @command{iptables-restore}, setting up the specified rules.") > (extensions > (list (service-extension shepherd-root-service-type > - (compose list iptables-shepherd-service))))= )) > + (compose list iptables-shepherd-service)))) > + ;; Some services extend iptables, but such services are mutually > exclusive, > + ;; and should be either extended directly or superseded entirely > depending > + ;; the complexity of your desired configuration. > + (compose identity) > + (extend (lambda (config entries) > + (last entries))))) > > ;;; > ;;; nftables 
> @@ -2186,4 +2198,67 @@ (define keepalived-service-type > "Run @uref{https://www.keepalived.org/, Keepalived} > routing software."))) > > + > +;;; > +;;; Simple Firewall > +;;; > + > +(define-record-type* > + simple-firewall-configuration make-simple-firewall-configuration > + simple-firewall-configuration? > + (allow-icmp? simple-firewall-configuration-allow-icmp? > + (default #f)) > + (allow-forwarding? simple-firewall-configuration-allow-forwarding? > + (default #f)) > + > + (open-tcp-ports simple-firewall-configuration-open-tcp-ports > + (default '())) > + (open-udp-ports simple-firewall-configuration-open-udp-ports > + (default '()))) > + > +(define simple-firewall-configuration->iptables-rules > + (match-lambda > + (($ > + allow-icmp? allow-forwarding? > + open-tcp-ports open-udp-ports) > + (string-join > + `("*filter" > + ":INPUT DROP" > + ,(string-append ":FORWARD " (if allow-forwarding? "ACCEPT" > "DROP")) > + ":OUTPUT ACCEPT" > + "-A INPUT -i lo -j ACCEPT" > + "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" > + ,@(unless allow-icmp? 
'("-A INPUT -p icmp -j DROP" > + "-A INPUT -p icmpv6 -j DROP")) > + ,@(map (cut string-append "-A INPUT -p tcp --dport " <> " -j > ACCEPT") (map number->string open-tcp-ports)) > + ,@(map (cut string-append "-A INPUT -p udp --dport " <> " -j > ACCEPT") (map number->string open-udp-ports)) > + "-A INPUT -j REJECT --reject-with icmp-port-unreachable" > + "COMMIT") > + "\n" 'suffix)))) > + > +(define (simple-firewall-configuration->iptables-configuration config) > + (let ((rules (simple-firewall-configuration->iptables-rules config))) > + (iptables-configuration > + (ipv4-rules (plain-file "iptables.rules" rules)) > + (ipv6-rules (plain-file "ip6tables.rules" rules))))) > + > +(define simple-firewall-service-type > + (service-type > + (name 'simple-firewall) > + (description > + "Run @command{iptables-restore}, setting up the specified rules.") > + (extensions > + (list (service-extension iptables-service-type > + > simple-firewall-configuration->iptables-configuration))) > + (compose concatenate) > + (extend (lambda (config entries) > + (simple-firewall-configuration > + (inherit config) > + (open-tcp-ports > + (concatenate (map > simple-firewall-configuration-open-tcp-ports > + (cons config entries)))) > + (open-udp-ports > + (concatenate (map > simple-firewall-configuration-open-udp-ports > + (cons config entries))))))))) > + > ;;; networking.scm ends here > -- > 2.38.0
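Review bot: the copyright hunk adds `;;; Copyright © 2021 Solene Rapenne` without an e-mail address, unlike the three copyright lines right above it, and the commit message does not say why a 2021 attribution for someone other than the author belongs in this patch; add the address and a sentence in the commit message explaining it, or leave that line to a separate change.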
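Review bot: in the `iptables-service-type` hunk, `(extend (lambda (config entries) (last entries)))` ignores `config`, so the operator's own `iptables-configuration` is silently replaced by whichever extension happens to come last, and when two services both extend `iptables-service-type` one firewall disappears with no diagnostic; `last` also throws on an empty `entries` list. Since the new comment already calls such extensions mutually exclusive, enforce that instead of hoping: return `config` when `entries` is empty, the single element when there is exactly one, and raise an error naming the duplicates otherwise. The comment text `depending the complexity` should also read `depending on the complexity`.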
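Review bot: in the Simple Firewall hunk, `,@(unless allow-icmp? '(...))` breaks as soon as `allow-icmp?` is `#t`: `unless` then returns an unspecified value rather than `'()`, and the `,@` splice (an `append` underneath) raises a wrong-type error, so write `,@(if allow-icmp? '() '("-A INPUT -p icmp -j DROP" "-A INPUT -p icmpv6 -j DROP"))`. Second, `simple-firewall-configuration->iptables-configuration` hands the same `rules` string to both `ipv4-rules` and `ipv6-rules`, but `--reject-with icmp-port-unreachable` is an IPv4-only reject type (ip6tables spells it `icmp6-port-unreachable`), so `ip6tables-restore` rejects the file and the IPv6 rules never apply; generate the rule text per address family. Third, the `extend` procedure merges only `open-tcp-ports` and `open-udp-ports`, so an extending service's `allow-icmp?` or `allow-forwarding?` is dropped without notice; either document that only ports are merged or combine the booleans across `(cons config entries)`.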
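The reply's observation that each `*filter` ... `COMMIT` block is a unit is what makes per-service rule fragments attractive, but two things stand in the way of plain concatenation: iptables-restore flushes a table's existing contents every time it reads a `*table` line unless it is run with `--noflush`, so only the last fragment would survive, and the patch's own final `-A INPUT -j REJECT` rule means rules appended after it are never reached. The Python below is an added example, not part of the patch or of Guix: it parses fragments in the iptables-restore format, refuses a chain policy that differs between fragments instead of letting one fragment silently override another, and splices each extension rule in ahead of the base fragment's catch-all rule for that chain. `BASE`, `WEB` and `GAME` are constructed sample input (the base mirrors the rules the patch generates for a default configuration); the function and class names are the example's own.

```python
"""Merge per-service iptables-restore fragments into a single *filter block.

Added example (not part of the patch or of Guix).  iptables-restore flushes a
table each time it reads a "*table" line unless given --noflush, so plain
concatenation of "*filter" ... "COMMIT" fragments keeps only the last one."""
import re
from dataclasses import dataclass, field

# Terminal rule: "-A CHAIN -j DROP|REJECT ..." with no match before -j.
CATCH_ALL = re.compile(r"^-A\s+(\S+)\s+-j\s+(DROP|REJECT)(\s|$)")


@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # chain -> default policy
    rules: list = field(default_factory=list)     # "-A ..." lines, in order


def parse_fragment(text):
    """Parse "*table", ":CHAIN POLICY", "-A ..." and "COMMIT" lines into
    {table_name: Table}; stray or uncommitted lines are errors."""
    tables, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if current is not None:
                raise ValueError(f"line {lineno}: '*{current}' not committed")
            current = line[1:]
            tables.setdefault(current, Table())
        elif current is None:
            raise ValueError(f"line {lineno}: {line!r} outside a table block")
        elif line == "COMMIT":
            current = None
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]    # ":INPUT DROP [0:0]"
            tables[current].policies[chain] = policy
        elif line.startswith("-A "):
            tables[current].rules.append(line)
        else:
            raise ValueError(f"line {lineno}: unsupported directive {line!r}")
    if current is not None:
        raise ValueError(f"'*{current}' block not committed")
    return tables


def _catch_all_index(rules, chain):
    # Position of CHAIN's terminal rule, or len(rules) if it has none.
    for i, rule in enumerate(rules):
        m = CATCH_ALL.match(rule)
        if m and m.group(1) == chain:
            return i
    return len(rules)


def merge(base, extensions):
    """Combine base and extension fragments.  Policies must agree (no silent
    override); extension rules land just before the base's catch-all rule for
    their chain, in their original order, so their ACCEPTs stay reachable."""
    merged = parse_fragment(base)
    for fragment in extensions:
        for name, table in parse_fragment(fragment).items():
            target = merged.setdefault(name, Table())
            for chain, policy in table.policies.items():
                seen = target.policies.setdefault(chain, policy)
                if seen != policy:
                    raise ValueError(f"*{name} :{chain}: {seen} vs {policy}")
            for rule in table.rules:
                chain = rule.split()[1]
                target.rules.insert(_catch_all_index(target.rules, chain), rule)
    return merged


def render(tables):
    """Serialise back to iptables-restore syntax, one block per table."""
    out = []
    for name, table in tables.items():
        out.append(f"*{name}")
        out.extend(f":{c} {p}" for c, p in table.policies.items())
        out.extend(table.rules)
        out.append("COMMIT")
    return "\n".join(out) + "\n"


# Constructed sample input: BASE mirrors what the patch generates for a
# default simple-firewall-configuration; WEB and GAME stand for two
# hypothetical services that each open their own ports.
BASE = """*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p icmpv6 -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
WEB = ("*filter\n:INPUT DROP\n-A INPUT -p tcp --dport 80 -j ACCEPT\n"
       "-A INPUT -p tcp --dport 443 -j ACCEPT\nCOMMIT\n")
GAME = "*filter\n-A INPUT -p udp --dport 4444 -j ACCEPT\nCOMMIT\n"


def merged_rules():
    # The single block a service could hand to iptables-restore.
    return render(merge(BASE, [WEB, GAME]))
```

Running `print(merged_rules(), end="")` yields one `*filter` block in which the web and game ACCEPT rules sit between the ICMP drops and the final REJECT; an extension that ships `:INPUT ACCEPT` is refused with a `ValueError` rather than quietly relaxing the default policy, which is the failure mode to watch for when several services get a say in one firewall.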