New firewall service

Details
4 participants
  • Arun Isaac
  • antlers
  • Jonathan Brielmaier
  • Solene Rapenne
Owner
unassigned
Submitted by
Solene Rapenne
Severity
normal
Solene Rapenne wrote on 12 Jun 2021 19:19
(address . guix-patches@gnu.org)
20210612191959.6394494e@perso.pw
Hello,

I wrote a new firewall service. I already wrote an email to guix-devel
about it and it was suggested that I submit it here.

The idea is to propose an easy way to manage your firewall. On a
personal computer or a server with no fancy network, you certainly want
to block access from the outside to all the ports except a few.

The configuration looks like this; currently it only supports TCP and
UDP ports. Maybe NAT or other features could be added later, I'm open
to suggestions.

(service firewall-service-type
(firewall-configuration
(udp '(53))
(tcp '(22 70 1965))))


Here is the code, I took bits from iptables as a base and then used the
Tor service way to generate the configuration file.

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 87b3d754a3..d311f95448 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -221,7 +221,11 @@
keepalived-configuration
keepalived-configuration?
- keepalived-service-type))
+ keepalived-service-type
+
+ firewall-service-type
+ firewall-configuration
+ firewall-configuration?))
;;; Commentary:
;;;
@@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network.")))
"Run @uref{https://www.keepalived.org/, Keepalived}
routing software.")))
+
+;;;
+;;; Firewall
+;;;
+
+(define-record-type* <firewall-configuration>
+ firewall-configuration make-firewall-configuration
+ firewall-configuration?
+ (tcp firewall-configuration-tcp
+ (default '()))
+ (udp firewall-configuration-udp
+ (default '())))
+
+(define (firewall-configuration->file tcp udp)
+ "Return the iptables rules from the ports list"
+ (computed-file
+ "firewall-generated-rules"
+ (with-imported-modules '((guix build utils))
+ #~(begin
+ (use-modules (guix build utils)
+ (ice-9 match))
+ (call-with-output-file #$output
+ (lambda (out)
+ (display "\
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out)
+
+ ;; tcp rules
+ (when (not (null? (list #$@tcp)))
+ (format out "\
+~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}"
+ (list #$@tcp)))
+
+ ;; udp rules
+ (when (not (null? (list #$@udp)))
+ (format out "\
+~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}"
+ (list #$@udp)))
+
+ (display "COMMIT\n" out)
+ #t))))))
+
+(define firewall-shepherd-service
+ (match-lambda
+ (($ <firewall-configuration> tcp udp)
+ (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
+ (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))
+ (ruleset (firewall-configuration->file tcp udp)))
+ (shepherd-service
+ (documentation "Easy firewall management")
+ (provision '(firewall))
+ (start #~(lambda _
+ (invoke #$iptables-restore #$ruleset)
+ (invoke #$ip6tables-restore #$ruleset)))
+ (stop #~(lambda _
+ (invoke #$iptables-restore #$ruleset)
+ (invoke #$ip6tables-restore #$ruleset))))))))
+
+(define firewall-service-type
+ (service-type
+ (name 'firewall)
+ (description
+ "Run @command{iptables-restore}, setting up the specified rules.")
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ (compose list firewall-shepherd-service))))))
+
+
;;; networking.scm ends here
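Review bot: the `stop` handler (`(stop #~(lambda _ (invoke #$iptables-restore #$ruleset) ...`) loads exactly the same ruleset as `start`, so `herd stop firewall` leaves `:INPUT DROP` in place instead of returning the host to an open state; stop should load a ruleset with ACCEPT policies and no rules, or the service should extend iptables-service-type and inherit its stop behaviour. The same file is also fed to `ip6tables-restore`, where `:INPUT DROP` with no rule accepting `-p ipv6-icmp` drops neighbour discovery and breaks IPv6 connectivity outright; accept ICMPv6 types 133-136 before the policy takes effect. Minor: `(with-imported-modules '((guix build utils))` and the `(use-modules (guix build utils) (ice-9 match))` inside the gexp are unused, since the builder only writes a file, and `(when (not (null? ...)))` is `unless`.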
Jonathan Brielmaier wrote on 12 Jun 2021 21:59
73ab1edf-5917-a01f-66b9-816c43899020@web.de
On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> Hello,
>
> I wrote a new firewall service, I already wrote an email to guix-devel
> about it and I've been suggested to submit it here.
>
> The idea is to propose an easy way to manage your firewall. On a
> personal computer or a server with no fancy network, you certainly want
> to block access from the outside to all the ports except a few ones.

Hi Solene,

that is a really good idea. So I could get rid of my growing lines of
plain iptables in my Guix config :)

> The configuration looks like this, currently it only supports TCP and
> UDP ports. Maybe NAT could be added later or other feature, I'm opened
> to suggestions.
>
> (service firewall-service-type
> (firewall-configuration
> (udp '(53))
> (tcp '(22 70 1965))))

I think we could improve the syntax as to be honest I'm unsure if the
listed ports are the open or the closed ones.

Maybe we could call this service simple-firewall-service-type or
something along those lines.

>
> Here is the code, I took bits from iptables as a base and then used the
> Tor service way to generate the configuration file.
>
> diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> index 87b3d754a3..d311f95448 100644
> --- a/gnu/services/networking.scm
> +++ b/gnu/services/networking.scm

You should add a copyright line for yourself at the top of the file.

> @@ -221,7 +221,11 @@
>
> keepalived-configuration
> keepalived-configuration?
> - keepalived-service-type))
> + keepalived-service-type
> +
> + firewall-service-type
> + firewall-configuration
> + firewall-configuration?))
>
> ;;; Commentary:
> ;;;
> @@ -2190,4 +2194,76 @@ of the IPFS peer-to-peer storage network.")))
> "Run @uref{https://www.keepalived.org/, Keepalived}
> routing software.")))
>
> +
> +;;;
> +;;; Firewall
> +;;;
> +
> +(define-record-type* <firewall-configuration>
> + firewall-configuration make-firewall-configuration
> + firewall-configuration?
> + (tcp firewall-configuration-tcp
> + (default '()))
> + (udp firewall-configuration-udp
> + (default '())))
> +
> +(define (firewall-configuration->file tcp udp)
> + "Return the iptables rules from the ports list"
> + (computed-file
> + "firewall-generated-rules"
> + (with-imported-modules '((guix build utils))
> + #~(begin
> + (use-modules (guix build utils)
> + (ice-9 match))
> + (call-with-output-file #$output
> + (lambda (out)
> + (display "\
> +*filter
> +:INPUT DROP
> +:FORWARD DROP
> +:OUTPUT ACCEPT
> +-A INPUT -i lo -j ACCEPT
> +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n" out)
> +
> + ;; tcp rules
> + (when (not (null? (list #$@tcp)))
> + (format out "\
> +~{-A INPUT -p tcp --dport ~a -j ACCEPT~%~}"
> + (list #$@tcp)))
> +
> + ;; udp rules
> + (when (not (null? (list #$@udp)))
> + (format out "\
> +~{-A INPUT -p udp --dport ~a -j ACCEPT~%~}"
> + (list #$@udp)))
> +
> + (display "COMMIT\n" out)
> + #t))))))

I'm not an iptables expert but does this config block/open IPv4 as well
as IPv6?

> +(define firewall-shepherd-service
> + (match-lambda
> + (($ <firewall-configuration> tcp udp)
> + (let* ((iptables-restore (file-append iptables "/sbin/iptables-restore"))
> + (ip6tables-restore (file-append iptables "/sbin/ip6tables-restore"))
> + (ruleset (firewall-configuration->file tcp udp)))
> + (shepherd-service
> + (documentation "Easy firewall management")
> + (provision '(firewall))
> + (start #~(lambda _
> + (invoke #$iptables-restore #$ruleset)
> + (invoke #$ip6tables-restore #$ruleset)))
> + (stop #~(lambda _
> + (invoke #$iptables-restore #$ruleset)
> + (invoke #$ip6tables-restore #$ruleset))))))))
> +
> +(define firewall-service-type
> + (service-type
> + (name 'firewall)
> + (description
> + "Run @command{iptables-restore}, setting up the specified rules.")
> + (extensions
> + (list (service-extension shepherd-root-service-type
> + (compose list firewall-shepherd-service))))))
> +
> +
> ;;; networking.scm ends here
Solene Rapenne wrote on 13 Jun 2021 00:13
(name . Jonathan Brielmaier)(address . jonathan.brielmaier@web.de)(address . 48975@debbugs.gnu.org)
20210613001358.3cc67453@daru.lan
On Sat, 12 Jun 2021 21:59:53 +0200
Jonathan Brielmaier <jonathan.brielmaier@web.de>:

> On 12.06.21 19:19, Solene Rapenne via Guix-patches via wrote:
> > Hello,
> >
> > I wrote a new firewall service, I already wrote an email to guix-devel
> > about it and I've been suggested to submit it here.
> >
> > The idea is to propose an easy way to manage your firewall. On a
> > personal computer or a server with no fancy network, you certainly want
> > to block access from the outside to all the ports except a few ones.
>
> Hi Solene,
>
> that is a really good idea. So I could get rid of my growing lines of
> plain iptables in my Guix config :)
>
> > The configuration looks like this, currently it only supports TCP and
> > UDP ports. Maybe NAT could be added later or other feature, I'm opened
> > to suggestions.
> >
> > (service firewall-service-type
> > (firewall-configuration
> > (udp '(53))
> > (tcp '(22 70 1965))))
>
> I think we could improve the syntax as to be honest I'm unsure if the
> listed ports are the open or the closed ones.
>
> Maybe we could call this service simple-firewall-service-type or
> something along this.

Hello, thanks a lot for your feedback.

I have no argument for a rename, as long as it's understandable.
As it's simple, I like simple-firewall.

Do you think this would be easier to understand by adding "open"
to the names?

(service simple-firewall-service-type
(simple-firewall-configuration
(open-udp '(53))
(open-tcp '(22 ...))))

I think we must decide if ICMP is allowed by default or not and
the syntax to enable/disable it. Maybe this? I would disable it by
default.

(allow-icmp? #t)

If you stop simple-firewall with the current code, it will block
every inbound port. I'm not sure if that's the correct way to proceed; I suppose
it should flush absolutely everything.

To match the most simple use cases, a simple NAT and port redirection
could be done too.

;; do NAT on eth0 and set the according sysctl
(nat-on "eth0")

;; redirect incoming connections on ports 22 and 8080 to another box
(redirect '((22 "192.168.1.50:22")
(8080 "192.168.1.50:80"))
> >
> > Here is the code, I took bits from iptables as a base and then used the
> > Tor service way to generate the configuration file.
> >
> > diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
> > index 87b3d754a3..d311f95448 100644
> > --- a/gnu/services/networking.scm
> > +++ b/gnu/services/networking.scm
>
> You should add a copyright line for yourself at the top of the file.
>

I've been told it's not mandatory. I have no issue adding it though.

I found a ^L character in many places in networking.scm; I don't
know if its presence is legit or not. I think it's a garbage
character that got copy/pasted over and over. I copied it just in
case.

> >
> > +
> > +;;;
> > +;;; Firewall
> > +;;;
> > +
Arun Isaac wrote on 13 Jun 2021 11:29
(name . Jonathan Brielmaier)(address . jonathan.brielmaier@web.de)
87czsqqfic.fsf@systemreboot.net
Hi Solene,

Thanks for the great work! I wrote the iptables service in the hope of
some day extending it to something like this, but you've beaten me to
it! :-) Some feedback follows.

Your implementation duplicates some of the code in the iptables
service. How about making it simply /extend/ the iptables service with
the generated rules? This way, you won't have to handle the start/stop
iptables-restore gexps. The iptables service, when stopped, already has
the correct behaviour of opening all ports.

WDYT?

Regards,
Arun

antlers wrote on 4 Nov 2022 08:25
[PATCH] gnu: simple-firewall-service: Add a simple service wrapping iptables
(address . 48975@debbugs.gnu.org)(name . antlers)(address . antlers@luris.net)
20221104072550.32038-1-autumnalantlers@gmail.com
From: antlers <antlers@luris.net>

* gnu/services/networking.scm (simple-firewall-service): Add.
(iptables-service): Allow a crude sort of service extension.

I tried out a keyword-based syntax:
```
(simple-firewall-configuration
(allow-forwarding? #t)
(allowed-ports '(#:both 51234
#:tcp 80 443
#:udp 4444))
```
But kept the more verbose tcp and udp fields because I don't want
people to have to use quasiquotes to splice in evaluated port-numbers
after the keywords.

I like the suggestion that there should be a field for redirecting
packets, whether to loopback or another box, as it took me a while to
learn about e.g. masquerading last time I needed to set something like
that up. Not sure what command would be equivalent to the NAT
suggestion?

I guess nftables has superseded iptables, but I'm not as familiar with
it? Perhaps I can add it as a second back-end in the future. My
primary concern right now is a pure Scheme interface for networking
configuration; most notably via service inheritance! Simple-firewall
now lets you open ports via extensions in other services; in order for
this option to be widely available, perhaps it's the
{nf,ip}tables-services that should be extensible? It's a tricky
problem atm because we don't really want services that need ports
depending on a specific backend, there are existing APIs, they use
plain-files over structs or strings, and rule orders need to be
really specific/coordinated. Idk, maybe that isn't something we really
want in the first place, but it sure feels good from a configuration /
organizational point-of-view. Happy to tweak this again if anyone has
ideas.
---
gnu/services/networking.scm | 79 ++++++++++++++++++++++++++++++++++++-
1 file changed, 77 insertions(+), 2 deletions(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 19aba8c266..0866c10b34 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -18,6 +18,8 @@
;;; Copyright © 2021 Christine Lemmer-Webber <cwebber@dustycloud.org>
;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
+;;; Copyright © 2021 Solene Rapenne
+;;; Copyright © 2022 antlers <autumnalantlers@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -225,7 +227,11 @@ (define-module (gnu services networking)
keepalived-configuration
keepalived-configuration?
- keepalived-service-type))
+ keepalived-service-type
+
+ simple-firewall-service-type
+ simple-firewall-configuration
+ simple-firewall-configuration?))
;;; Commentary:
;;;
@@ -1721,7 +1727,13 @@ (define iptables-service-type
"Run @command{iptables-restore}, setting up the specified rules.")
(extensions
(list (service-extension shepherd-root-service-type
- (compose list iptables-shepherd-service))))))
+ (compose list iptables-shepherd-service))))
+ ;; Some services extend iptables, but such services are mutually exclusive,
+ ;; and should be either extended directly or superseded entirely depending
+ ;; the complexity of your desired configuration.
+ (compose identity)
+ (extend (lambda (config entries)
+ (last entries)))))
;;;
;;; nftables
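Review bot: `(extend (lambda (config entries) (last entries)))` throws away the user's own `iptables-configuration` (`config`) and every extension except the last, without any diagnostic; with `(compose identity)` `entries` is just the list of extension values in arrival order, so which ruleset ends up installed depends on service ordering. If extensions are meant to be mutually exclusive, as the comment says, make that explicit: raise an error when `(length entries)` is greater than one, and document whether `config` or the extension wins. The comment also drops a word: "depending on the complexity".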
@@ -2186,4 +2198,67 @@ (define keepalived-service-type
"Run @uref{https://www.keepalived.org/, Keepalived}
routing software.")))
+
+;;;
+;;; Simple Firewall
+;;;
+
+(define-record-type* <simple-firewall-configuration>
+ simple-firewall-configuration make-simple-firewall-configuration
+ simple-firewall-configuration?
+ (allow-icmp? simple-firewall-configuration-allow-icmp?
+ (default #f))
+ (allow-forwarding? simple-firewall-configuration-allow-forwarding?
+ (default #f))
+
+ (open-tcp-ports simple-firewall-configuration-open-tcp-ports
+ (default '()))
+ (open-udp-ports simple-firewall-configuration-open-udp-ports
+ (default '())))
+
+(define simple-firewall-configuration->iptables-rules
+ (match-lambda
+ (($ <simple-firewall-configuration>
+ allow-icmp? allow-forwarding?
+ open-tcp-ports open-udp-ports)
+ (string-join
+ `("*filter"
+ ":INPUT DROP"
+ ,(string-append ":FORWARD " (if allow-forwarding? "ACCEPT" "DROP"))
+ ":OUTPUT ACCEPT"
+ "-A INPUT -i lo -j ACCEPT"
+ "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
+ ,@(unless allow-icmp? '("-A INPUT -p icmp -j DROP"
+ "-A INPUT -p icmpv6 -j DROP"))
+ ,@(map (cut string-append "-A INPUT -p tcp --dport " <> " -j ACCEPT") (map number->string open-tcp-ports))
+ ,@(map (cut string-append "-A INPUT -p udp --dport " <> " -j ACCEPT") (map number->string open-udp-ports))
+ "-A INPUT -j REJECT --reject-with icmp-port-unreachable"
+ "COMMIT")
+ "\n" 'suffix))))
+
+(define (simple-firewall-configuration->iptables-configuration config)
+ (let ((rules (simple-firewall-configuration->iptables-rules config)))
+ (iptables-configuration
+ (ipv4-rules (plain-file "iptables.rules" rules))
+ (ipv6-rules (plain-file "ip6tables.rules" rules)))))
+
+(define simple-firewall-service-type
+ (service-type
+ (name 'simple-firewall)
+ (description
+ "Run @command{iptables-restore}, setting up the specified rules.")
+ (extensions
+ (list (service-extension iptables-service-type
+ simple-firewall-configuration->iptables-configuration)))
+ (compose concatenate)
+ (extend (lambda (config entries)
+ (simple-firewall-configuration
+ (inherit config)
+ (open-tcp-ports
+ (concatenate (map simple-firewall-configuration-open-tcp-ports
+ (cons config entries))))
+ (open-udp-ports
+ (concatenate (map simple-firewall-configuration-open-udp-ports
+ (cons config entries)))))))))
+
;;; networking.scm ends here
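Review bot: `,@(unless allow-icmp? '(...))` is a bug when `allow-icmp?` is #t: `unless` with a true condition returns an unspecified value rather than `'()`, and `,@` in the middle of a quasiquoted list appends that value, which fails with a wrong-type error; write `(if allow-icmp? '() '("-A INPUT -p icmp -j DROP" ...))`. The identical string is then installed as both `ipv4-rules` and `ipv6-rules`, but `--reject-with icmp-port-unreachable` is not a valid ip6tables reject reason (ip6tables expects `icmp6-port-unreachable`), so `ip6tables-restore` will refuse the file, and on the IPv6 side `-A INPUT -p icmpv6 -j DROP` under a DROP policy also blocks neighbour discovery (ICMPv6 types 133-136), which cuts the host off from IPv6; the v4 and v6 rule strings need to be generated separately. Also check that `(srfi srfi-26)` is among the module's imports, since `cut` comes from it, and wrap the two `map` lines for tcp and udp, which run well past the usual line width.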
--
2.38.0
antlers wrote on 6 Nov 2022 21:39
(address . 48975@debbugs.gnu.org)
CAFxNT+eL9PWbVrdhj3RRH+3MDjU_oi5rkxSRr+SMKQf7OV5EWg@mail.gmail.com
After googling around a bit it looks like the `filter*` and `COMMIT`
commands in iptables configurations do in fact form a transactional block
that would allow us to accept additional plain-files via extensions and
just concatenate them, if that's a road we want to go down.

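An added example, not code from this thread or from Guix: the ruleset the simple-firewall configuration above produces, rendered in Python as separate IPv4 and IPv6 files (ip6tables needs `icmp6-port-unreachable` and must admit ICMPv6 neighbour discovery), together with a parser for the `*table ... COMMIT` block format that flags a table appearing twice, because `iptables-restore` without `--noflush` flushes a table at every `*table` line and so plain concatenation of two rule files keeps only the last block per table. `SimpleFirewallConfig`, `to_rules`, `parse_restore_file` and `flushed_tables` are names chosen for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SimpleFirewallConfig:
    """Constructed mirror of the <simple-firewall-configuration> record."""
    allow_icmp: bool = False
    allow_forwarding: bool = False
    open_tcp_ports: tuple = ()
    open_udp_ports: tuple = ()

# ICMPv6 router/neighbour solicitation and advertisement: IPv6 stops working
# if these are dropped, so they are accepted before any ICMP drop rule.
NDP_TYPES = (133, 134, 135, 136)

def _port(p):
    """Reject anything that is not a valid port before it reaches a rule file."""
    if not isinstance(p, int) or isinstance(p, bool) or not 1 <= p <= 65535:
        raise ValueError(f"invalid port: {p!r}")
    return p

def to_rules(cfg, ipv6=False):
    """Render one '*filter ... COMMIT' block; ipv6=True gives the
    ip6tables-restore variant (icmp6 reject reason, neighbour discovery open)."""
    icmp = "ipv6-icmp" if ipv6 else "icmp"
    lines = ["*filter", ":INPUT DROP",
             ":FORWARD " + ("ACCEPT" if cfg.allow_forwarding else "DROP"),
             ":OUTPUT ACCEPT",
             "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    if ipv6:
        lines += [f"-A INPUT -p ipv6-icmp --icmpv6-type {t} -j ACCEPT"
                  for t in NDP_TYPES]
    lines.append(f"-A INPUT -p {icmp} -j " + ("ACCEPT" if cfg.allow_icmp else "DROP"))
    lines += [f"-A INPUT -p tcp --dport {_port(p)} -j ACCEPT" for p in cfg.open_tcp_ports]
    lines += [f"-A INPUT -p udp --dport {_port(p)} -j ACCEPT" for p in cfg.open_udp_ports]
    reject = "icmp6-port-unreachable" if ipv6 else "icmp-port-unreachable"
    lines += [f"-A INPUT -j REJECT --reject-with {reject}", "COMMIT"]
    return "\n".join(lines) + "\n"

def parse_restore_file(text):
    """Split a restore file into (table, policies, rules) tuples; reject malformed input."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if current is not None:
                raise ValueError(f"table {current[0]} not committed")
            current = (line[1:], {}, [])
        elif current is None:
            raise ValueError(f"line outside a table block: {line}")
        elif line == "COMMIT":
            blocks.append(current)
            current = None
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # optional [pkts:bytes] ignored
            current[1][chain] = policy
        elif line.startswith("-"):
            current[2].append(line)
        else:
            raise ValueError(f"unrecognised line: {line}")
    if current is not None:
        raise ValueError(f"table {current[0]} not committed")
    return blocks

def flushed_tables(text):
    """Tables that occur more than once: iptables-restore (without --noflush)
    flushes a table at every '*table' line, so only the last block survives."""
    seen, dup = set(), []
    for table, _, _ in parse_restore_file(text):
        if table in seen and table not in dup:
            dup.append(table)
        seen.add(table)
    return dup
```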