diff options
| author | Arun Isaac <arunisaac@systemreboot.net> | 2018-08-17 16:39:07 +0530 |
|---|---|---|
| committer | Arun Isaac <arunisaac@systemreboot.net> | 2018-09-20 13:09:55 +0530 |
| commit | 9926b8f8096a0198cc34585bf7424eba0c98aee2 (patch) | |
| tree | 030c3d31e6eb30560a08c50154dbfb43471c4352 /gnu/services | |
| parent | 3e63a83c0fa5621a272f0a43dc2dfcb46081804e (diff) | |
| download | gnu-guix-9926b8f8096a0198cc34585bf7424eba0c98aee2.tar gnu-guix-9926b8f8096a0198cc34585bf7424eba0c98aee2.tar.gz | |
gnu: services: Add iptables service.
* gnu/services/networking.scm (<iptables-configuration>): New record type.
(iptables-service-type): New variable.
* gnu/tests/networking.scm (run-iptables-test): New procedure.
(%test-iptables): New variable.
* doc/guix.texi (Networking Services): Document it.
Diffstat (limited to 'gnu/services')
| -rw-r--r-- | gnu/services/networking.scm | 56 |
1 files changed, 55 insertions, 1 deletions
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index b6b5ee3fec..bd1d5a2706 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -8,6 +8,7 @@ ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com> ;;; Copyright © 2018 Tobias Geerinckx-Rice <me@tobias.gr> ;;; Copyright © 2018 Chris Marusich <cmmarusich@gmail.com> +;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net> ;;; ;;; This file is part of GNU Guix. ;;; @@ -103,7 +104,14 @@ wpa-supplicant-service-type openvswitch-service-type - openvswitch-configuration)) + openvswitch-configuration + + iptables-configuration + iptables-configuration? + iptables-configuration-iptables + iptables-configuration-ipv4-rules + iptables-configuration-ipv6-rules + iptables-service-type)) ;;; Commentary: ;;; @@ -1108,4 +1116,50 @@ networking.")))) switch designed to enable massive network automation through programmatic extension."))) +;;; +;;; iptables +;;; + +(define %iptables-accept-all-rules + (plain-file "iptables-accept-all.rules" + "*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +COMMIT +")) + +(define-record-type* <iptables-configuration> + iptables-configuration make-iptables-configuration iptables-configuration? + (iptables iptables-configuration-iptables + (default iptables)) + (ipv4-rules iptables-configuration-ipv4-rules + (default %iptables-accept-all-rules)) + (ipv6-rules iptables-configuration-ipv6-rules + (default %iptables-accept-all-rules))) + +(define iptables-shepherd-service + (match-lambda + (($ <iptables-configuration> iptables ipv4-rules ipv6-rules) + (let ((iptables-restore (file-append iptables "/sbin/iptables-restore")) + (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))) + (shepherd-service + (documentation "Packet filtering framework") + (provision '(iptables)) + (start #~(lambda _ + (invoke #$iptables-restore #$ipv4-rules) + (invoke #$ip6tables-restore #$ipv6-rules))) + (stop #~(lambda _ + (invoke #$iptables-restore #$%iptables-accept-all-rules) + (invoke #$ip6tables-restore #$%iptables-accept-all-rules)))))))) + +(define iptables-service-type + (service-type + (name 'iptables) + (description + "Run @command{iptables-restore}, setting up the specified rules.") + (extensions + (list (service-extension shepherd-root-service-type + (compose list iptables-shepherd-service)))))) + ;;; networking.scm ends here |