[bug#32465] Add iptables service
From: Ludovic Courtès
Subject: [bug#32465] Add iptables service
Date: Tue, 04 Sep 2018 15:14:59 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Hello Arun,
Sorry for the delay, everyone must have been on vacation for a while. :-)
Arun Isaac <address@hidden> wrote:
> I have written a service to configure iptables rules. What tests should
> I write for this service? I see the following two approaches to tests:
>
> - Dump the iptables rules using iptables-save and verify that they
> match the configured rules.
> - Configure iptables to block certain ports and allow some other
> ports. Then, run a service on those ports and check if it is possible to
> reach them.
Both approaches LGTM.
> After we have iterated a few times, and converged on the final patch for
> this service, I will also contribute a similar service for ip6tables.
Neat!
> From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001
> From: Arun Isaac <address@hidden>
> Date: Fri, 17 Aug 2018 16:39:07 +0530
> Subject: [PATCH] gnu: services: Add iptables service.
>
> * gnu/services/networking.scm (<iptables-configuration>): New record type.
> (iptables-service-type): New variable.
> * doc/guix.texi (Networking Services): Document it.
[...]
> address@hidden {Scheme Variabe} iptables-service-type
> +This is the service type to set up an iptables coniguration. iptables is a
> +packet filtering framework supported by the Linux kernel. It can be
> +instantiated as:
> +
> address@hidden
> +(service iptables-service-type
> + (iptables-configuration
> + (rules (local-file "iptables.rules"))))
> address@hidden lisp
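Review bot: two typos in this doc hunk: "{Scheme Variabe}" should read "{Scheme Variable}" and "iptables coniguration" should read "iptables configuration"; the defvr entry is also never closed, so an "@end defvr" line belongs after the line that ends the lisp example. The prose could additionally say what "rules" is expected to point at (a file in iptables-restore format, since that is what the service feeds it), as the example only shows a file name.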
“@end defvr” should be here.
What about adding either an “iptables.rules” example, a link to
upstream’s documentation, or both?
> +(define iptables-shepherd-service
> + (match-lambda
> + (($ <iptables-configuration> iptables rules)
> + (let ((iptables-restore (file-append iptables
> "/sbin/iptables-restore")))
> + (shepherd-service
> + (documentation "Packet filtering framework")
> + (provision '(iptables))
> + (start #~(lambda _ (invoke #$iptables-restore #$rules)))
> + (stop #~(lambda _ (invoke #$iptables-restore
> + #$(plain-file "iptables.rules"
> + "*filter
> +:INPUT ACCEPT [0:0]
> +:FORWARD ACCEPT [0:0]
> +:OUTPUT ACCEPT [0:0]
> +COMMIT
> +")))))))))
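Review bot: the `stop` action in this hunk fails open, and only for one table: the ruleset it restores sets the INPUT, FORWARD and OUTPUT policies to ACCEPT, so stopping the service leaves the host completely unfiltered, and it only covers `*filter`, so any nat, mangle or raw rules that the configured file loaded stay in place after a stop. Consider documenting the first, and for the second either restoring an empty ruleset for the other tables too or stating that the service manages the filter table only. There is also no `requirement` field, so nothing orders this service relative to network-facing services; a service that must be filtered from the moment it starts would have to list `iptables` among its own requirements.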
I was thinking that ‘stop’ might undo more than we want, but OTOH, when
the service starts, there are no rules loaded anyway. So I guess this
is fine.
It would be great if you could get a system test as you suggest, but
anyhow it looks great to me.
Thanks,
Ludo’.
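Arun's first test approach (dump the live rules with iptables-save and compare them with the configured file), worked through as an added example that is not part of the patch or of Guix's own test suite. The rules file and the `iptables-save -c` dump below are constructed samples, and the comparison assumes the configured file is written in the same canonical form that iptables-save prints (for instance "-m tcp" spelled out), since iptables-save re-serializes rules; it goes slightly beyond the thread by also ignoring counters and comments and reporting chain-policy drift.

```python
import re

# Constructed sample: the rules file handed to iptables-restore, written as iptables-save
# itself prints rules ("-m tcp" spelled out) so a comparison does not report false drift.
CONFIGURED_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed sample: `iptables-save -c` output after a rule was added by hand.
LIVE_DUMP = """\
# Generated by iptables-save v1.8.2 on Tue Sep  4 15:14:59 2018
*filter
:INPUT DROP [12:960]
[9:780] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

def parse_ruleset(text):
    """Map table -> (chain policies, rule set); comments and [pkts:bytes] counters dropped."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                        # "*filter": start of a table
            table = line[1:]
            tables[table] = ({}, set())
        elif line.startswith(":"):                      # ":INPUT DROP [12:960]"
            chain, policy = line[1:].split()[:2]
            tables[table][0][chain] = policy
        else:                                           # "[0:0] -A INPUT ..." or "-A INPUT ..."
            tables[table][1].add(re.sub(r"^\[\d+:\d+\]\s*", "", line))
    return tables

def ruleset_diff(configured, live):
    """Return drift findings; an empty list means the live firewall matches the file."""
    want, have, findings = parse_ruleset(configured), parse_ruleset(live), []
    for table in sorted(set(want) | set(have)):         # a table missing on one side shows up below
        (want_pol, want_rules), (have_pol, have_rules) = (d.get(table, ({}, set())) for d in (want, have))
        for chain, policy in want_pol.items():
            if have_pol.get(chain) != policy:
                findings.append(f"{table}/{chain}: policy {have_pol.get(chain)} != configured {policy}")
        findings += [f"{table}: missing configured rule: {r}" for r in sorted(want_rules - have_rules)]
        findings += [f"{table}: unexpected live rule: {r}" for r in sorted(have_rules - want_rules)]
    return findings
```

In a system test the live side would come from running `iptables-save -c` inside the VM after the service has started; an empty result from `ruleset_diff` is the pass condition.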