[PATCH 0/2] services: nftables: Make it extandable

Open

Details

One participant

Brice Waegeneire

Owner: unassigned

Submitted by: Brice Waegeneire

Severity: normal

Brice Waegeneire wrote on 12 Jul 2021 23:05

Recipients:(address . guix-patches@gnu.org)

Message-ID:20210712210543.16598-1-brice@waegenei.re

This patchset make "nftables-service-type" extendable, so other services could

open port. I wrote this to be able to use libvirt with nftables (another

patch is comming about that) like this:

Toggle snippet (13 lines)

(simple-service 'nftables-libvirt nftables-service-type

(list "# Libvirt?

add rule inet guix forward ct state established,related accept

add rule inet guix forward iifname \"virbr*\" accept

add chain inet guix libvirt

insert rule inet guix input iifname \"virbr*\" jump libvirt

insert rule inet guix libvirt udp dport 53 accept

insert rule inet guix libvirt tcp dport 53 accept

insert rule inet guix libvirt udp dport 67 accept

"))

So this should make it possible to implement Solene's

"simple-firewall-service"¹ by simply extending "nftables-service-type".

Also, now, stopping nftables only remove the "guix" table so other software

can use their own namespaces without being purged when that service is

stopped.

WDYT?

¹ https://issues.guix.gnu.org/48975

Brice Waegeneire (2): services: nftables: Only manage delete our

own table. services: nftables: Make it extendable.

gnu/services/networking.scm | 51 +++++++++++++++++++++++++++++--------

1 file changed, 41 insertions(+), 10 deletions(-)

2.31.1

Brice Waegeneire wrote on 12 Jul 2021 23:08

[PATCH 1/2] services: nftables: Only manage delete our own table.

Recipients:(address . guix-patches@gnu.org)

Message-ID:20210712210823.16987-1-brice@waegenei.re

* gnu/services/networking.scm (%default-nftables-ruleset): Rename table
  from "forward" to "guix".  Clear table before applying before setting
  it up.
(nftables-shepherd-service): Don't flush all the table, just delete our
  own.
---
 gnu/services/networking.scm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

Toggle diff (38 lines)diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 1ae58041d3..3058c14caf 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2019, 2021 Maxim Cournoyer <maxim.cournoyer@gmail.com>
 ;;; Copyright © 2019 Sou Bunnbu <iyzsong@member.fsf.org>
 ;;; Copyright © 2019 Alex Griffin <a@ajgrf.com>
-;;; Copyright © 2020 Brice Waegeneire <brice@waegenei.re>
+;;; Copyright © 2020, 2021 Brice Waegeneire <brice@waegenei.re>
 ;;; Copyright © 2021 Oleg Pykhalov <go.wigust@gmail.com>
 ;;; Copyright © 2021 Christopher Lemmer Webber <cwebber@dustycloud.org>
 ;;; Copyright © 2021 Maxime Devos <maximedevos@telenet.be>
@@ -1717,7 +1717,12 @@ COMMIT
 (define %default-nftables-ruleset
   (plain-file "nftables.conf"
               "# A simple and safe firewall
-table inet filter {
+
+# Start with our table clean of previous state
+add table inet guix
+delete table inet guix
+
+table inet guix {
   chain input {
     type filter hook input priority 0; policy drop;
 
@@ -1768,7 +1773,7 @@ table inet filter {
         (start #~(lambda _
                    (invoke #$nft "--file" #$ruleset)))
         (stop #~(lambda _
-                  (invoke #$nft "flush" "ruleset"))))))))
+                  (invoke #$nft "delete" "table" "inet" "guix"))))))))
 
 (define nftables-service-type
   (service-type
-- 
2.31.1

Brice Waegeneire wrote on 12 Jul 2021 23:08

[PATCH 2/2] services: nftables: Make it extendable.

Recipients:(address . guix-patches@gnu.org)

Message-ID:20210712210823.16987-2-brice@waegenei.re

* gnu/services/networking.scm (%default-nftables-rules): New variable…
(define-record-type): …replace %default-nftables-ruleset with it.
(%default-nftables-ruleset): Deprecate it.
(nftables-ruleset): New procedure…
(nftables-shepherd-service): …use it.
(nftables-service-type): Make it extendable.
---
 gnu/services/networking.scm | 40 ++++++++++++++++++++++++++++++-------
 1 file changed, 33 insertions(+), 7 deletions(-)

Toggle diff (78 lines)diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 3058c14caf..53c06dcfed 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1714,9 +1714,8 @@ COMMIT
 ;;; nftables
 ;;;
 
-(define %default-nftables-ruleset
-  (plain-file "nftables.conf"
-              "# A simple and safe firewall
+(define %default-nftables-rules
+  "# A simple and safe firewall
 
 # Start with our table clean of previous state
 add table inet guix
@@ -1752,7 +1751,11 @@ table inet guix {
     type filter hook output priority 0; policy accept;
   }
 }
-"))
+")
+
+(define-deprecated %default-nftables-ruleset
+  %default-nftables-rules
+  (plain-file "nftables.conf" %default-nftables-rules))
 
 (define-record-type* <nftables-configuration>
   nftables-configuration
@@ -1760,13 +1763,28 @@ table inet guix {
   nftables-configuration?
   (package nftables-configuration-package
            (default nftables))
-  (ruleset nftables-configuration-ruleset ; file-like object
-           (default %default-nftables-ruleset)))
+  ; file-like object | list of strings and file-like objects
+  (ruleset nftables-configuration-ruleset
+           (default (list %default-nftables-rules))))
+
+(define (nftables-ruleset ruleset)
+  (if (file-like? ruleset)
+      ruleset
+      (apply mixed-text-file
+             `("nftables.conf"
+               ,@(fold-right
+                 (lambda (rule result)
+                   (if (file-like? rule)
+                       (append (list "include \"" rule "\"\n") result)
+                       (append (list rule "\n") result)))
+                 '()
+                 ruleset)))))
 
 (define nftables-shepherd-service
   (match-lambda
     (($ <nftables-configuration> package ruleset)
-     (let ((nft (file-append package "/sbin/nft")))
+     (let ((nft (file-append package "/sbin/nft"))
+           (ruleset (nftables-ruleset ruleset)))
        (shepherd-service
         (documentation "Packet filtering and classification")
         (provision '(nftables))
@@ -1785,6 +1803,14 @@ table inet guix {
                              (compose list nftables-shepherd-service))
           (service-extension profile-service-type
                              (compose list nftables-configuration-package))))
+   (compose concatenate)
+   (extend (lambda (config additional-rules)
+             (let ((ruleset (nftables-configuration-ruleset config)))
+               (nftables-configuration
+                (inherit config)
+                (ruleset (if (list? ruleset)
+                             (append ruleset additional-rules)
+                             (cons* ruleset additional-rules)))))))
    (default-value (nftables-configuration))))
 
 
-- 
2.31.1

Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 49540@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it

mumi current 49540

Then, you may apply the latest patchset in this issue (with sign off)

mumi am -- -s

Or, compose a reply to this issue

mumi compose

Or, send patches to this issue

mumi send-email *.patch

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date