[bug#32465] Add iptables service

[Arun Isaac <arunisaac@systemreboot.net>]

[-- Attachment #1: Type: text/plain, Size: 543 bytes --]


I have written a service to configure iptables rules. What tests should
I write for this service? I see the following two approaches to tests:

- Dump the iptables rules using iptables-save and verify that they
  matches the configured rules.
- Configure iptables to block certain ports and allow some other
  ports. Then, run a service on those ports and check if it is possible to
  reach them.

After we have iterated a few times, and converged on the final patch for
this service, I will also contribute a similar service for ip6tables.


[-- Attachment #2: 0001-gnu-services-Add-iptables-service.patch --]
[-- Type: text/x-patch, Size: 4087 bytes --]

From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001
From: Arun Isaac <arunisaac@systemreboot.net>
Date: Fri, 17 Aug 2018 16:39:07 +0530
Subject: [PATCH] gnu: services: Add iptables service.

* gnu/services/networking.scm (<iptables-configuration>): New record type.
(iptables-service-type): New variable.
* doc/guix.texi (Networking Services): Document it.
---
 doc/guix.texi               | 27 ++++++++++++++++++++++
 gnu/services/networking.scm | 45 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0b72e5d8c..d5ff43811 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -11287,6 +11287,33 @@ Thus, it can be instantiated like this:
 @end lisp
 @end defvr
 
+@cindex iptables
+@defvr {Scheme Variabe} iptables-service-type
+This is the service type to set up an iptables coniguration. iptables is a
+packet filtering framework supported by the Linux kernel.  It can be
+instantiated as:
+
+@lisp
+(service iptables-service-type
+	 (iptables-configuration
+	  (rules (local-file "iptables.rules"))))
+@end lisp
+
+@deftp {Data Type} iptables-configuration
+The data type representing the configuration of @command{iptables}.
+
+@table @asis
+@item @code{iptables} (default: @code{iptables})
+The iptables package that provides @code{iptables-restore}.
+@item @code{rules}
+The iptables rules to use.  This is required.  It will be passed to
+@code{iptables-restore}.  This may be any ``file-like'' object
+(@pxref{G-Expressions, file-like objects}).
+@end table
+@end deftp
+
+@end defvr
+
 @cindex NTP
 @cindex real time clock
 @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index d5d0cf9d1..46e0ee3d0 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2017 Thomas Danckaert <post@thomasdanckaert.be>
 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr>
+;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -102,7 +103,13 @@
             wpa-supplicant-service-type
 
             openvswitch-service-type
-            openvswitch-configuration))
+            openvswitch-configuration
+
+            iptables-configuration
+            iptables-configuration?
+            iptables-configuration-iptables
+            iptables-configuration-rules
+            iptables-service-type))
 
 ;;; Commentary:
 ;;;
@@ -1086,4 +1093,40 @@ networking."))))
 switch designed to enable massive network automation through programmatic
 extension.")))
 
+;;;
+;;; iptables
+;;;
+
+(define-record-type* <iptables-configuration>
+  iptables-configuration make-iptables-configuration iptables-configuration?
+  (iptables iptables-configuration-iptables
+            (default iptables))
+  (rules iptables-configuration-rules))
+
+(define iptables-shepherd-service
+  (match-lambda
+    (($ <iptables-configuration> iptables rules)
+     (let ((iptables-restore (file-append iptables "/sbin/iptables-restore")))
+       (shepherd-service
+        (documentation "Packet filtering framework")
+        (provision '(iptables))
+        (start #~(lambda _ (invoke #$iptables-restore #$rules)))
+        (stop #~(lambda _ (invoke #$iptables-restore
+                                  #$(plain-file "iptables.rules"
+                                                "*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+")))))))))
+
+(define iptables-service-type
+  (service-type
+   (name 'iptables)
+   (description
+    "Run @command{iptables-restore}, setting up the specified rules.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list iptables-shepherd-service))))))
+
 ;;; networking.scm ends here
-- 
2.18.0