From: Arun Isaac
To: guix-patches@gnu.org
Subject: Add iptables service
Date: Fri, 17 Aug 2018 16:54:19 +0530

I have written a service to configure iptables rules. What tests should I
write for this service? I see the following two approaches to tests:

- Dump the iptables rules using iptables-save and verify that they match
  the configured rules.
- Configure iptables to block certain ports and allow some other ports.
  Then, run a service on those ports and check if it is possible to reach
  them.

After we have iterated a few times, and converged on the final patch for
this service, I will also contribute a similar service for ip6tables.

Content-Disposition: inline; filename=0001-gnu-services-Add-iptables-service.patch

>From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001
From: Arun Isaac
Date: Fri, 17 Aug 2018 16:39:07 +0530
Subject: [PATCH] gnu: services: Add iptables service.

* gnu/services/networking.scm (): New record type.
(iptables-service-type): New variable.
* doc/guix.texi (Networking Services): Document it.
---
 doc/guix.texi               | 27 ++++++++++++++++++++++
 gnu/services/networking.scm | 45 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 71 insertions(+), 1 deletion(-)
diff --git a/doc/guix.texi b/doc/guix.texi index 0b72e5d8c..d5ff43811 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -11287,6 +11287,33 @@ Thus, it can be instantiated like this: @end lisp @end defvr =20 +@cindex iptables +@defvr {Scheme Variabe} iptables-service-type +This is the service type to set up an iptables coniguration. iptables is a +packet filtering framework supported by the Linux kernel. It can be +instantiated as: + +@lisp +(service iptables-service-type + (iptables-configuration + (rules (local-file "iptables.rules")))) +@end lisp + +@deftp {Data Type} iptables-configuration +The data type representing the configuration of @command{iptables}. + +@table @asis +@item @code{iptables} (default: @code{iptables}) +The iptables package that provides @code{iptables-restore}. +@item @code{rules} +The iptables rules to use. This is required. It will be passed to +@code{iptables-restore}. This may be any ``file-like'' object +(@pxref{G-Expressions, file-like objects}). +@end table +@end deftp + +@end defvr + @cindex NTP @cindex real time clock @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @ diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index d5d0cf9d1..46e0ee3d0 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -7,6 +7,7 @@ ;;; Copyright =C2=A9 2017 Thomas Danckaert ;;; Copyright =C2=A9 2017 Marius Bakke ;;; Copyright =C2=A9 2018 Tobias Geerinckx-Rice +;;; Copyright =C2=A9 2018 Arun Isaac ;;; ;;; This file is part of GNU Guix. ;;; @@ -102,7 +103,13 @@ wpa-supplicant-service-type =20 openvswitch-service-type - openvswitch-configuration)) + openvswitch-configuration + + iptables-configuration + iptables-configuration? + iptables-configuration-iptables + iptables-configuration-rules + iptables-service-type)) =20 ;;; Commentary: ;;; 
@@ -1086,4 +1093,40 @@ networking.")))) switch designed to enable massive network automation through programmatic extension."))) =20 +;;; +;;; iptables +;;; + +(define-record-type* + iptables-configuration make-iptables-configuration iptables-configuratio= n? + (iptables iptables-configuration-iptables + (default iptables)) + (rules iptables-configuration-rules)) + +(define iptables-shepherd-service + (match-lambda + (($ iptables rules) + (let ((iptables-restore (file-append iptables "/sbin/iptables-restore= "))) + (shepherd-service + (documentation "Packet filtering framework") + (provision '(iptables)) + (start #~(lambda _ (invoke #$iptables-restore #$rules))) + (stop #~(lambda _ (invoke #$iptables-restore + #$(plain-file "iptables.rules" + "*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +"))))))))) + +(define iptables-service-type + (service-type + (name 'iptables) + (description + "Run @command{iptables-restore}, setting up the specified rules.") + (extensions + (list (service-extension shepherd-root-service-type + (compose list iptables-shepherd-service)))))) + ;;; networking.scm ends here --=20 2.18.0 --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 04 09:15:12 2018 Received: (at 32465) by debbugs.gnu.org; 4 Sep 2018 13:15:12 +0000 Received: from localhost ([127.0.0.1]:45159 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fxBAm-0004gd-8d for submit@debbugs.gnu.org; Tue, 04 Sep 2018 09:15:12 -0400 Received: from eggs.gnu.org ([208.118.235.92]:37109) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1fxBAk-0004Zd-B8 for 32465@debbugs.gnu.org; Tue, 04 Sep 2018 09:15:10 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fxBAb-0000gK-Ph for 32465@debbugs.gnu.org; Tue, 04 Sep 2018 09:15:05 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 
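Review bot: in the doc/guix.texi hunk, `@end defvr` comes after `@end deftp`, so the `iptables-configuration` data type is nested inside the `iptables-service-type` entry; move `@end defvr` to directly after the `@end lisp` of the example so that `@deftp ... @end deftp` stands on its own. In the same hunk `{Scheme Variabe}` should read `{Scheme Variable}` and `coniguration` should read `configuration`, and since the text only says that `rules` "will be passed to @code{iptables-restore}", a short sample `iptables.rules` (a `*filter` block with its chain policies and a closing `COMMIT`) would help readers who have never looked at `iptables-save` output.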
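Review bot: in the `iptables-shepherd-service` hunk of gnu/services/networking.scm, the `stop` action loads a replacement file that names only `*filter` with `ACCEPT` policies and no rules, so `herd stop iptables` leaves the host fully open and leaves any `*nat`, `*mangle` or `*raw` entries from the user's `rules` file untouched; say so in the `documentation` string or the manual, and consider having `stop` reset every table the configured rules populate. The `start` side is sound as written: `iptables-restore` replaces the named tables wholesale, so restarting is idempotent, and because `invoke` raises on a non-zero exit status a malformed rules file makes `start` fail rather than silently leaving the host unfiltered.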
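The first test approach Arun lists, comparing an iptables-save dump with the configured rules, as an added Python example that is not part of the patch or of Guix (the rules file and the dumps below are constructed samples; the normalisation of the implicit `-m tcp` match is the detail a literal string comparison trips over):

```python
"""Arun's first test approach: compare the rules file handed to
iptables-restore with what iptables-save dumps afterwards.  iptables-save
adds [pkts:bytes] counters, '# Generated by' / '# Completed' comments and
the implicit '-m tcp' / '-m udp' behind --dport/--sport, so both sides are
normalised before tables, chain policies and ordered rule lists are compared.
"""
import re
from typing import Dict, List

COUNTERS = re.compile(r"\[\d+:\d+\]")
# '-p tcp ... --dport N' with no explicit '-m tcp' directly after '-p tcp'
IMPLICIT_MATCH = re.compile(r"-p (tcp|udp)(?! -m \1)(?=.* --[ds]port )")


def normalize_rule(rule: str) -> str:
    """Canonical form of one '-A CHAIN ...' line (match modules are not reordered)."""
    rule = " ".join(COUNTERS.sub("", rule).split())
    return IMPLICIT_MATCH.sub(r"-p \1 -m \1", rule)


def parse_ruleset(text: str) -> Dict[str, dict]:
    """Parse iptables-save / iptables-restore text into
    {table: {"policies": {chain: policy}, "rules": {chain: [rule, ...]}}}."""
    tables: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = " ".join(COUNTERS.sub("", raw).split())
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], {"policies": {}, "rules": {}})
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError(f"line outside a table block: {raw!r}")
        elif line.startswith(":"):              # ':INPUT ACCEPT' or ':mychain -'
            chain, policy = line[1:].split()[:2]
            current["policies"][chain] = policy
            current["rules"].setdefault(chain, [])
        elif line.startswith("-A "):
            current["rules"].setdefault(line.split()[1], []).append(normalize_rule(line))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return tables


def diff_rulesets(expected: str, loaded: str) -> List[str]:
    """Differences between the configured file and the live dump; an empty
    list means the kernel state matches the configuration."""
    want, have = parse_ruleset(expected), parse_ruleset(loaded)
    problems: List[str] = []
    for table in sorted(set(want) | set(have)):
        if table not in have:
            problems.append(f"table {table} missing from live rules")
            continue
        if table not in want:
            problems.append(f"unexpected live table {table}")
            continue
        for chain, policy in want[table]["policies"].items():
            live = have[table]["policies"].get(chain)
            if live != policy:
                problems.append(f"{table}/{chain}: policy {live} != {policy}")
        for chain in sorted(set(want[table]["rules"]) | set(have[table]["rules"])):
            w = want[table]["rules"].get(chain, [])
            h = have[table]["rules"].get(chain, [])
            if w != h:  # order matters: iptables evaluates a chain top to bottom
                problems.append(f"{table}/{chain}: rules differ\n  want {w}\n  have {h}")
    return problems


# Constructed sample: the rules file handed to iptables-restore.
CONFIGURED = """*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Constructed sample: what iptables-save prints once those rules are loaded.
LIVE_OK = """# Generated by iptables-save on Fri Sep 14 16:29:09 2018
*filter
:INPUT ACCEPT [12:960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:640]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Fri Sep 14 16:29:09 2018
"""

# Constructed sample: the REJECT rule never made it in, so every port is reachable.
LIVE_OPEN = LIVE_OK.replace("-A INPUT -j REJECT --reject-with icmp-port-unreachable\n", "")

if __name__ == "__main__":
    for name, live in (("ok", LIVE_OK), ("open", LIVE_OPEN)):
        print(name, diff_rulesets(CONFIGURED, live) or "matches configuration")
```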
From: ludo@gnu.org (Ludovic Courtès)
To: Arun Isaac
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 04 Sep 2018 15:14:59 +0200
Message-ID: <87lg8hbe0c.fsf@gnu.org>
Cc: 32465@debbugs.gnu.org

Hello Arun,

Sorry for the delay, everyone must have been on vacations for a while. :-)

Arun Isaac skribis:

> I have written a service to configure iptables rules. What tests should
> I write for this service? I see the following two approaches to tests:
>
> - Dump the iptables rules using iptables-save and verify that they
>   match the configured rules.
> - Configure iptables to block certain ports and allow some other
>   ports. Then, run a service on those ports and check if it is possible to
>   reach them.

Both approaches LGTM.

> After we have iterated a few times, and converged on the final patch for
> this service, I will also contribute a similar service for ip6tables.

Neat!

> >From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001
> From: Arun Isaac
> Date: Fri, 17 Aug 2018 16:39:07 +0530
> Subject: [PATCH] gnu: services: Add iptables service.
>
> * gnu/services/networking.scm (): New record type.
> (iptables-service-type): New variable.
> * doc/guix.texi (Networking Services): Document it.

[...]

> +@defvr {Scheme Variabe} iptables-service-type
> +This is the service type to set up an iptables coniguration. iptables is a
> +packet filtering framework supported by the Linux kernel. It can be
> +instantiated as:
> +
> +@lisp
> +(service iptables-service-type
> + (iptables-configuration
> + (rules (local-file "iptables.rules"))))
> +@end lisp

“@end defvr” should be here.

What about adding either an “iptables.rules” example, a link to upstream’s
documentation, or both?

> +(define iptables-shepherd-service
> + (match-lambda
> + (($ iptables rules)
> + (let ((iptables-restore (file-append iptables "/sbin/iptables-restore")))
> + (shepherd-service
> + (documentation "Packet filtering framework")
> + (provision '(iptables))
> + (start #~(lambda _ (invoke #$iptables-restore #$rules)))
> + (stop #~(lambda _ (invoke #$iptables-restore
> + #$(plain-file "iptables.rules"
> + "*filter
> +:INPUT ACCEPT [0:0]
> +:FORWARD ACCEPT [0:0]
> +:OUTPUT ACCEPT [0:0]
> +COMMIT
> +")))))))))

I was thinking that ‘stop’ might undo more than we want, but OTOH, when
the service starts, there are no rules loaded anyway. So I guess this is
fine.

It would be great if you could get a system test as you suggest, but
anyhow it looks great to me.

Thanks,
Ludo’.
From: Julien Lepiller
To: 32465@debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 04 Sep 2018 15:52:38 +0200
In-Reply-To: <87lg8hbe0c.fsf@gnu.org>
Message-ID: <0dd58c95062371f585a17899387bfdeb@lepiller.eu>

Hi,

it's not directly an answer to Arun's patch (it is great), but I recently
came across firemason
(http://www.cs.yale.edu/homes/zhai-ennan/firemason.pdf and
https://github.com/BillHallahan/FireMason) and I thought we could
implement something similar.

Basically, we declare a list of rules in the iptables service, and we let
other services extend that. A rule would be a specification, independent
of the order in which they are specified: "Any packet that matches this
rule must be rejected". Of course, this means that we may have conflicting
specifications; for instance, "any packet from this ip must be dropped"
and "any packet entering on this port must be accepted" are in conflict
for packets entering on this port from this ip address. All we need is a
mechanism to make these cases explicit (when a packet may be dropped or
accepted at the same time), such as "repair: packets from this ip on this
port must be dropped", so the service will effectively see these rules:
"any packet from this ip must be dropped" and "any packet entering on this
port but not this ip must be accepted", then translated to:

-A INPUT -s ! -p tcp --dport -j ACCEPT
-A INPUT -s ACCEPT

(see how they are independent from the order in which they are declared?)

The hard part is to detect a conflict between two rules and give hints to
the user as to how to fix that.

Of course, we should provide a mechanism to load files as a fallback, in
which case additional rules from services should be ignored.

What do you think?

PS: Arun, in your patch for the manual you say: "This is the service type
to set up an iptables coniguration". This should be "configuration".
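Julien's order-independent specification model, as an added Python illustration that is not code from the thread, from FireMason or from Guix (Ludo later suggests running such a check at `guix system reconfigure` time). The three predicate fields, the rule that a "repair" must match exactly the overlap of the two conflicting specifications, and the most-specific-first emission order are my own simplifications; the address is a constructed sample from the documentation range:

```python
"""Order-independent firewall specifications with conflict detection.
A specification is a set of packet predicates (source, protocol, destination
port) plus an action.  Two specifications with different actions conflict
when some packet satisfies both, unless one refines the other (the more
specific one wins) or a 'repair' specification covers exactly their overlap.
Conflict-free specifications are emitted most-specific-first, so the
generated iptables rule order does not depend on the order of declaration.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

Match = Dict[str, str]  # e.g. {"src": "203.0.113.7", "proto": "tcp", "dport": "22"}
FIELDS = ("src", "proto", "dport")  # the only predicates this toy model knows


@dataclass(frozen=True)
class Spec:
    match: Tuple[Tuple[str, str], ...]  # sorted (field, value) pairs
    action: str                         # ACCEPT, DROP or REJECT


def spec(action: str, **match: str) -> Spec:
    """Build a Spec, refusing predicates the emitter could not express."""
    unknown = set(match) - set(FIELDS)
    if unknown:
        raise ValueError(f"unsupported predicate(s): {sorted(unknown)}")
    if "dport" in match and match.get("proto") not in ("tcp", "udp"):
        raise ValueError("--dport needs -p tcp or -p udp")
    return Spec(tuple(sorted(match.items())), action)


def overlap(a: Spec, b: Spec) -> Optional[Match]:
    """Predicate describing the packets matched by both, or None if disjoint."""
    merged: Match = dict(a.match)
    for key, value in b.match:
        if merged.get(key, value) != value:
            return None
        merged[key] = value
    return merged


def refines(a: Spec, b: Spec) -> bool:
    """True when a's predicates include all of b's (a is more specific)."""
    return set(b.match) <= set(a.match)


def conflicts(specs: List[Spec]) -> List[Tuple[Spec, Spec, Match]]:
    """Pairs whose overlap is decided neither by refinement nor by a repair."""
    declared = {s.match for s in specs}
    found = []
    for a, b in combinations(specs, 2):
        if a.action == b.action:
            continue
        region = overlap(a, b)
        if region is None:
            continue
        same = a.match == b.match
        if not same and (refines(a, b) or refines(b, a)):
            continue
        if not same and tuple(sorted(region.items())) in declared:
            continue  # a repair spec says explicitly what happens in the overlap
        found.append((a, b, region))
    return found


def to_iptables(specs: List[Spec], chain: str = "INPUT") -> List[str]:
    """Emit ordered '-A CHAIN ...' rules, or raise with a repair hint."""
    clash = conflicts(specs)
    if clash:
        a, b, region = clash[0]
        raise ValueError(f"{a.action} {dict(a.match)} conflicts with "
                         f"{b.action} {dict(b.match)}; add a repair for {region}")
    rules = []
    for s in sorted(specs, key=lambda s: -len(s.match)):  # most specific first
        m = dict(s.match)
        parts = [f"-A {chain}"]
        if "src" in m:
            parts.append(f"-s {m['src']}")
        if "proto" in m:
            parts.append(f"-p {m['proto']}")
        if "dport" in m:
            parts.append(f"--dport {m['dport']}")
        parts.append(f"-j {s.action}")
        rules.append(" ".join(parts))
    return rules


if __name__ == "__main__":
    drop_host = spec("DROP", src="203.0.113.7")  # constructed sample address
    allow_ssh = spec("ACCEPT", proto="tcp", dport="22")
    for a, b, region in conflicts([drop_host, allow_ssh]):
        print("conflict:", a.action, dict(a.match), "vs", b.action, dict(b.match), "on", region)
    repair = spec("DROP", src="203.0.113.7", proto="tcp", dport="22")
    print("\n".join(to_iptables([drop_host, allow_ssh, repair])))
```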
From: Arun Isaac
To: Julien Lepiller, 32465@debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Wed, 05 Sep 2018 15:10:24 +0530
In-Reply-To: <0dd58c95062371f585a17899387bfdeb@lepiller.eu>

> it's not directly an answer to Arun's patch (it is great), but I
> recently came across firemason
> (http://www.cs.yale.edu/homes/zhai-ennan/firemason.pdf and
> https://github.com/BillHallahan/FireMason) and I thought we could
> implement something similar.

This sounds interesting. I'll read about it, and if I can, try to
implement something similar for Guix.

> Of course, we should provide a mechanism to load files as a fallback, in
> which case additional rules from services should be ignored.

Yes, I think this iptables service should exist independently as a
fallback. So, I'll finish and push these services before studying
firemason.

> PS: Arun, in your patch for the manual you say: "This is the service
> type to set up an iptables coniguration". This should be
> "configuration".

Sure, will fix this typo.
From: Arun Isaac
To: Ludovic Courtès
Subject: Re: [bug#32465] Add iptables service
Date: Wed, 05 Sep 2018 15:12:22 +0530
In-Reply-To: <87lg8hbe0c.fsf@gnu.org>
Cc: 32465@debbugs.gnu.org

> It would be great if you could get a system test as you suggest, but
> anyhow it looks great to me.

I'll make the corrections you suggested, write the system test, and send
an updated patch.
From: ludo@gnu.org (Ludovic Courtès)
To: Arun Isaac
Subject: Re: [bug#32465] Add iptables service
Date: Mon, 10 Sep 2018 14:51:58 +0200
Message-ID: <87y3c9frbl.fsf@gnu.org>
Cc: 32465@debbugs.gnu.org, Julien Lepiller

Hello,

Arun Isaac skribis:

>> it's not directly an answer to Arun's patch (it is great), but I
>> recently came across firemason
>> (http://www.cs.yale.edu/homes/zhai-ennan/firemason.pdf and
>> https://github.com/BillHallahan/FireMason) and I thought we could
>> implement something similar.
>
> This sounds interesting. I'll read about it, and if I can, try to
> implement something similar for Guix.

Agreed, it looks nice.

>> Of course, we should provide a mechanism to load files as a fallback, in
>> which case additional rules from services should be ignored.
>
> Yes, I think this iptables service should exist independently as a
> fallback. So, I'll finish and push these services before studying
> firemason.

The nice thing is that we could detect conflicting iptables rules
statically if we wanted to: ‘guix system reconfigure’ would proceed if and
only if there are no conflicting rules. I don’t know how difficult and how
annoying that could be, but it might be worth considering (as future
work…).

Thanks,
Ludo’.

From: Björn Höfling
To: Arun Isaac
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 11 Sep 2018 08:53:29 +0200
Message-ID: <20180911085329.2c625c63@alma-ubu>
Cc: 32465@debbugs.gnu.org, Rutger Helling

On Fri, 17 Aug 2018 16:54:19 +0530
Arun Isaac wrote:

> After we have iterated a few times, and converged on the final patch
> for this service, I will also contribute a similar service for
> ip6tables.

Hi Arun,

thanks for the patch. I have one little comment: During holidays I read
an article about nftables:

https://netfilter.org/projects/nftables/
https://wiki.archlinux.org/index.php/nftables

It aims to be the successor for iptables and is ipv4, ipv6 and others in
one tool/ruleset. I have no knowledge about the firewall tools, I have no
idea of how mature or accepted that is, I just thought it might be worth
considering instead of writing 3 services.

We already have the userspace packages 'nftables' and 'libnftnl' thanks to
Rutger Helling. Maybe he knows more? I put him on CC.

Björn
From: Arun Isaac
To: Björn Höfling
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 11 Sep 2018 14:13:03 +0530
In-Reply-To: <20180911085329.2c625c63@alma-ubu>
Cc: 32465@debbugs.gnu.org, Rutger Helling

> I have no knowledge about the firewall tools, I have no idea of how
> mature or accepted that is, I just thought it might be worth
> considering instead of writing 3 services.

I have heard of nftables, but I haven't yet learnt how to use it. So, for
now, I'll just do 2 services (one for iptables, and another for
ip6tables). I think someone else who understands nftables should write the
nftables service.
From: Arun Isaac
To: Ludovic Courtès
Subject: Re: [bug#32465] Add iptables service
Date: Fri, 14 Sep 2018 16:29:09 +0530
In-Reply-To: <87lg8hbe0c.fsf@gnu.org>
Cc: 32465@debbugs.gnu.org

Hi,

I generalized this service to work for both iptables and ip6tables. I
added system tests, and made the other corrections that were suggested.
Some questions follow.

- Is the example I added for the iptables.rules sufficient? I couldn't
  find upstream documentation for the iptables.rules format. I suspect it
  doesn't exist. Do you know of any upstream documentation that can be
  referred to here?

- In the attached patch, the fourth test ("inetd echo service is
  accessible after iptables firewall is stopped") doesn't work. In that
  service, I am trying to stop the iptables service, but I'm not able to.
  How do I programmatically stop the iptables service? Is what I have done
  correct?

Any other feedback is also welcome. Thank you.

Content-Disposition: attachment; filename=0001-gnu-services-Add-iptables-service.patch

>From dcfdd0bd981aa9da4835f322173490e239048e65 Mon Sep 17 00:00:00 2001
From: Arun Isaac
Date: Fri, 17 Aug 2018 16:39:07 +0530
Subject: [PATCH] gnu: services: Add iptables service.

* gnu/services/networking.scm (): New record type.
(iptables-service-type): New variable.
* gnu/tests/networking.scm (run-iptables-test): New procedure.
(%test-iptables): New variable.
* doc/guix.texi (Networking Services): Document it.
---
 doc/guix.texi               |  48 ++++++++++++++
 gnu/services/networking.scm |  56 ++++++++++++++++-
 gnu/tests/networking.scm    | 122 +++++++++++++++++++++++++++++++++++-
 3 files changed, 224 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index cccf166d0..7dd7f8fc9 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -11575,6 +11575,54 @@ Thus, it can be instantiated like this: @end lisp @end defvr =20 +@cindex iptables +@defvr {Scheme Variable} iptables-service-type +This is the service type to set up an iptables configuration. iptables is a +packet filtering framework supported by the Linux kernel. This service +supports configuring iptables for both IPv4 and IPv6. A simple example +configuration rejecting all incoming connections except those to the ssh p= ort +22 is shown below. + +@lisp +(service iptables-service-type + (iptables-configuration + (ipv4-rules (plain-file "iptables.rules" "*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +-A INPUT -p tcp --dport 22 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-port-unreachable +COMMIT +")) + (ipv6-rules (plain-file "ip6tables.rules" "*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +-A INPUT -p tcp --dport 22 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp6-port-unreachable +COMMIT +")))) +@end lisp +@end defvr + +@deftp {Data Type} iptables-configuration +The data type representing the configuration of iptables. + +@table @asis +@item @code{iptables} (default: @code{iptables}) +The iptables package that provides @code{iptables-restore} and +@code{ip6tables-restore}. +@item @code{ipv4-rules} (default: @code{%iptables-accept-all-rules}) +The iptables rules to use. It will be passed to @code{iptables-restore}. +This may be any ``file-like'' object (@pxref{G-Expressions, file-like +objects}). +@item @code{ipv6-rules} (default: @code{%iptables-accept-all-rules}) +The ip6tables rules to use. It will be passed to @code{ip6tables-restore}. +This may be any ``file-like'' object (@pxref{G-Expressions, file-like +objects}). +@end table +@end deftp + @cindex NTP @cindex real time clock @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @ diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index b6b5ee3fe..bd1d5a270 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm 
@@ -8,6 +8,7 @@ ;;; Copyright =C2=A9 2017 Marius Bakke ;;; Copyright =C2=A9 2018 Tobias Geerinckx-Rice ;;; Copyright =C2=A9 2018 Chris Marusich +;;; Copyright =C2=A9 2018 Arun Isaac ;;; ;;; This file is part of GNU Guix. ;;; @@ -103,7 +104,14 @@ wpa-supplicant-service-type =20 openvswitch-service-type - openvswitch-configuration)) + openvswitch-configuration + + iptables-configuration + iptables-configuration? + iptables-configuration-iptables + iptables-configuration-ipv4-rules + iptables-configuration-ipv6-rules + iptables-service-type)) =20 ;;; Commentary: ;;; 
@@ -1108,4 +1116,50 @@ networking.")))) switch designed to enable massive network automation through programmatic extension."))) =20 +;;; +;;; iptables +;;; + +(define %iptables-accept-all-rules + (plain-file "iptables-accept-all.rules" + "*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +COMMIT +")) + +(define-record-type* + iptables-configuration make-iptables-configuration iptables-configuratio= n? + (iptables iptables-configuration-iptables + (default iptables)) + (ipv4-rules iptables-configuration-ipv4-rules + (default %iptables-accept-all-rules)) + (ipv6-rules iptables-configuration-ipv6-rules + (default %iptables-accept-all-rules))) + +(define iptables-shepherd-service + (match-lambda + (($ iptables ipv4-rules ipv6-rules) + (let ((iptables-restore (file-append iptables "/sbin/iptables-restore= ")) + (ip6tables-restore (file-append iptables "/sbin/ip6tables-resto= re"))) + (shepherd-service + (documentation "Packet filtering framework") + (provision '(iptables)) + (start #~(lambda _ + (invoke #$iptables-restore #$ipv4-rules) + (invoke #$ip6tables-restore #$ipv6-rules))) + (stop #~(lambda _ + (invoke #$iptables-restore #$%iptables-accept-all-rules) + (invoke #$ip6tables-restore #$%iptables-accept-all-rules= )))))))) + +(define iptables-service-type + (service-type + (name 'iptables) + (description + "Run @command{iptables-restore}, setting up the specified rules.") + (extensions + (list (service-extension shepherd-root-service-type + (compose list iptables-shepherd-service)))))) + ;;; networking.scm ends here diff --git a/gnu/tests/networking.scm b/gnu/tests/networking.scm index 381c5caf1..58fe61a49 100644 --- a/gnu/tests/networking.scm +++ b/gnu/tests/networking.scm @@ -2,6 +2,7 @@ ;;; Copyright =C2=A9 2017 Thomas Danckaert ;;; Copyright =C2=A9 2017 Marius Bakke ;;; Copyright =C2=A9 2018 Chris Marusich +;;; Copyright =C2=A9 2018 Arun Isaac ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -29,9 +30,11 @@ #:use-module (guix store) #:use-module (guix monads) #:use-module (gnu packages bash) + #:use-module (gnu packages linux) #:use-module (gnu packages networking) #:use-module (gnu services shepherd) - #:export (%test-inetd %test-openvswitch %test-dhcpd %test-tor)) + #:use-module (ice-9 match) + #:export (%test-inetd %test-openvswitch %test-dhcpd %test-tor %test-ipta= bles)) =20 (define %inetd-os ;; Operating system with 2 inetd services. 
@@ -434,3 +437,120 @@ subnet 192.168.1.0 netmask 255.255.255.0 { (name "tor") (description "Test a running Tor daemon configuration.") (value (run-tor-test)))) + +(define* (run-iptables-test) + "Run tests of 'iptables-service-type'." + (define iptables-rules + "*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +-A INPUT -p tcp -m tcp --dport 7 -j REJECT --reject-with icmp-port-unreach= able +COMMIT +") + + (define ip6tables-rules + "*filter +:INPUT ACCEPT +:FORWARD ACCEPT +:OUTPUT ACCEPT +-A INPUT -p tcp -m tcp --dport 7 -j REJECT --reject-with icmp6-port-unreac= hable +COMMIT +") + + (define inetd-echo-port 7) + + (define os + (marionette-operating-system + (simple-operating-system + (dhcp-client-service) + (service inetd-service-type + (inetd-configuration + (entries (list + (inetd-entry + (name "echo") + (socket-type 'stream) + (protocol "tcp") + (wait? #f) + (user "root")))))) + (service iptables-service-type + (iptables-configuration + (ipv4-rules (plain-file "iptables.rules" iptables-rules)) + (ipv6-rules (plain-file "ip6tables.rules" ip6tables-rules)= )))) + #:imported-modules '((gnu services herd)) + #:requirements '(inetd iptables))) + + (define test + (with-imported-modules '((gnu build marionette)) + #~(begin + (use-modules (srfi srfi-64) + (gnu build marionette)) + (define marionette + (make-marionette (list #$(virtual-machine os)))) + + (define (dump-iptables iptables-save marionette) + (marionette-eval + `(begin + (use-modules (ice-9 popen) + (ice-9 rdelim) + (ice-9 regex)) + (call-with-output-string + (lambda (out) + (call-with-port + (open-pipe* OPEN_READ ,iptables-save) + (lambda (in) + (let loop ((line (read-line in))) + ;; iptables-save does not output rules in the exa= ct + ;; same format we loaded using iptables-restore. = It + ;; adds comments, packet counters, etc. We remove + ;; these additions. + (unless (eof-object? 
line) + (cond + ;; Remove comments + ((string-match "^#" line) #t) + ;; Remove packet counters + ((string-match "^:([A-Z]*) ([A-Z]*) .*" line) + =3D> (lambda (match-record) + (format out ":~a ~a~%" + (match:substring match-record 1) + (match:substring match-record 2)= ))) + ;; Pass other lines without modification + (else (display line out) + (newline out))) + (loop (read-line in))))))))) + marionette)) + + (mkdir #$output) + (chdir #$output) + + (test-begin "iptables") + + (test-equal "iptables-save dumps the same rules that were loaded" + (dump-iptables #$(file-append iptables "/sbin/iptables-save") + marionette) + #$iptables-rules) + + (test-equal "ip6tables-save dumps the same rules that were loade= d" + (dump-iptables #$(file-append iptables "/sbin/ip6tables-save") + marionette) + #$ip6tables-rules) + + (test-error "iptables firewall blocks access to inetd echo servi= ce" + 'misc-error + (wait-for-tcp-port inetd-echo-port marionette #:time= out 5)) + + (test-assert "inetd echo service is accessible after iptables fi= rewall is stopped" + (begin + (marionette-eval '(stop-service 'iptables) marionette) + (wait-for-tcp-port inetd-echo-port marionette #:timeout 5))) + + (test-end) + (exit (=3D (test-runner-fail-count (test-runner-current)) 0))))) + + (gexp->derivation "iptables" test)) + +(define %test-iptables + (system-test + (name "iptables") + (description "Test a running iptables daemon.") + (value (run-iptables-test)))) --=20 2.18.0 --=-=-=-- From debbugs-submit-bounces@debbugs.gnu.org Sat Sep 15 08:27:24 2018 Received: (at 32465) by debbugs.gnu.org; 15 Sep 2018 12:27:24 +0000 Received: from localhost ([127.0.0.1]:41167 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1g19fY-0007RH-0s for submit@debbugs.gnu.org; Sat, 15 Sep 2018 08:27:24 -0400 Received: from mx.kolabnow.com ([95.128.36.41]:1074) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1g19fW-0007R4-OV for 32465@debbugs.gnu.org; Sat, 15 Sep 2018 
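Review bot: the doc/guix.texi example does more than "reject all incoming connections except those to the ssh port": `-A INPUT -j REJECT` with no earlier exemption also rejects loopback traffic and the replies to the host's own outbound connections, and the ip6tables variant rejects every ICMPv6 packet, which IPv6 needs for neighbour discovery. If the example is meant to be copied, add `-A INPUT -i lo -j ACCEPT` and `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` before the REJECT (and `-A INPUT -p ipv6-icmp -j ACCEPT` in the IPv6 set), or say in the text that it is a minimal illustration. The prose also says "connections" where the rule matches every packet; "all incoming traffic" is the accurate wording.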
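Review bot: in `iptables-shepherd-service` (gnu/services/networking.scm, the `@@ -1108` hunk) the `stop` procedure returns the value of the last `invoke`, not `#f`, so the Shepherd does not consider the service stopped; add a trailing `#f` after the second `invoke`. Two behaviours deserve a sentence in the manual: `stop` deliberately loads `%iptables-accept-all-rules`, so `herd stop iptables` opens the host rather than closing it; and `start` only runs `iptables-restore` once per family, so a rules file that fails to parse leaves the kernel at its boot-time accept-all state (the service fails, but the firewall fails open), and a failure in the ip6tables file leaves the IPv4 rules loaded. Checking the configured files with `iptables-restore --test` at build time would catch syntax errors before boot.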
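Review bot: in `run-iptables-test` (gnu/tests/networking.scm), the fourth test calls `stop-service` inside `marionette-eval` without loading `(gnu services herd)` in the evaluated form; `#:imported-modules` only makes the module available inside the VM, it does not import it into the marionette REPL, so `stop-service` is unbound there. Writing `(marionette-eval '(begin (use-modules (gnu services herd)) (stop-service 'iptables)) marionette)` fixes the reference. Two smaller points: `wait-for-tcp-port` connects to the loopback address from inside the VM, so the `test-error` case only passes because the rules reject loopback traffic as well, which a comment should say; and the counter-stripping regexp `^:([A-Z]*) ([A-Z]*) .*` only matches upper-case chain names and policies, so a user-defined chain such as `:foo - [0:0]` would be passed through with its counters and break the comparison. The test rules include `-m tcp` on purpose, because `iptables-save` prints the implicit match; a note on that line would save the next reader a puzzle.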
Date: Sat, 15 Sep 2018 14:27:11 +0200
From: Rutger Helling To: Arun Isaac Subject: Re: [bug#32465] Add iptables service Message-ID: <20180915142711.14d389f0@mykolab.com> In-Reply-To: References: <20180911085329.2c625c63@alma-ubu> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; boundary="Sig_/_Tm2DoK9yt6xWzFQ7CBUVm4"; protocol="application/pgp-signature" X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 32465 Cc: Björn Höfling , 32465@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-)

Hi everyone, sorry for the late reply. For the record, I'm not working on a nftables service.

On Tue, 11 Sep 2018 14:13:03 +0530 Arun Isaac wrote:
> > I have no knowledge about the firewall tools, I have no idea of how
> > mature or accepted that is, I just thought it might be worth
> > considering instead of writing 3 services.
>
> I have heard of nftables, but I haven't yet learnt how to use it. So,
> for now, I'll just do 2 services (one for iptables, and another for
> ip6tables). I think someone else who understands nftables should write
> the nftables service.
From debbugs-submit-bounces@debbugs.gnu.org Mon Sep 17 17:06:01 2018
From: ludo@gnu.org (Ludovic Courtès) To: Arun Isaac Subject: Re: [bug#32465] Add iptables service References: <87lg8hbe0c.fsf@gnu.org> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: Jour de la Vertu de l'Année 226 de la Révolution X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Mon, 17 Sep 2018 23:05:50 +0200 In-Reply-To: (Arun Isaac's message of "Fri, 14 Sep 2018 16:29:09 +0530") Message-ID: <87va734yxd.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 32465 Cc: 32465@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -6.0 (------)

Hi Arun,

Arun Isaac skribis:

> I generalized this service to work for both iptables and ip6tables. I
> added system tests, and made the other corrections that were
> suggested. Some questions follow.
>
> - Is the example I added for the iptables.rules sufficient? I couldn't
> find upstream documentation for the iptables.rules format. I suspect
> it doesn't exist. Do you know of any upstream documentation that can
> be referred to here?

From a quick search it must be , specifically .

> - In the attached patch, the fourth test ("inetd echo service is
> accessible after iptables firewall is stopped") doesn't work. In that
> service, I am trying to stop the iptables service, but I'm not able
> to.
> How do I programmatically stop the iptables service? Is what I
> have done correct?

[...]

> + (shepherd-service
> + (documentation "Packet filtering framework")
> + (provision '(iptables))
> + (start #~(lambda _
> + (invoke #$iptables-restore #$ipv4-rules)
> + (invoke #$ip6tables-restore #$ipv6-rules)))
> + (stop #~(lambda _
> + (invoke #$iptables-restore #$%iptables-accept-all-rules)
> + (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))

There’s a peculiarity of ‘stop’ which is that it must return #f on
success. So here, you just need to add a trailing #f after the second
‘invoke’ call. If you do that, I suppose the test that stops the
firewall will pass.

And if it does, I think you can go ahead and push! :-)

Thank you,
Ludo’.

From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 18 02:24:45 2018
From: Arun Isaac To: Ludovic Courtès Subject: Re: [bug#32465] Add iptables service In-Reply-To: <87va734yxd.fsf@gnu.org> References: <87lg8hbe0c.fsf@gnu.org> <87va734yxd.fsf@gnu.org> Date: Tue, 18 Sep 2018 11:54:31 +0530 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 32465 Cc: 32465@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-)

>> - Is the example I added for the iptables.rules sufficient? I couldn't
>> find upstream documentation for the iptables.rules format. I suspect
>> it doesn't exist. Do you know of any upstream documentation that can
>> be referred to here?
>
> From a quick search it must be ,
> specifically .

This is general documentation for netfilter, not specific documentation
about the iptables.rules format. For that, I don't think there is
upstream documentation.

https://unix.stackexchange.com/questions/400163/netfilter-iptables-restore-file-format-documentation/400203

>> + (stop #~(lambda _
>> + (invoke #$iptables-restore #$%iptables-accept-all-rules)
>> + (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
>
> There’s a peculiarity of ‘stop’ which is that it must return #f on
> success. So here, you just need to add a trailing #f after the second
> ‘invoke’ call. If you do that, I suppose the test that stops the
> firewall will pass.

There was one problem with stop-service being an unbound variable. I
fixed that by adding (use-modules (gnu services herd)). But, now the
test just freezes up. I wonder if it is waiting for some timeout. Here
is the snippet for the test I am currently using.
Also, returning #f from stop didn't make a difference.

(test-assert "inetd echo service is accessible after iptables firewall is stopped"
  (begin
    (marionette-eval
     '(begin
        (use-modules (gnu services herd))
        (stop-service 'iptables))
     marionette)
    (wait-for-tcp-port inetd-echo-port marionette #:timeout 5)))

From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 18 10:40:01 2018
From: ludo@gnu.org (Ludovic Courtès) To: Arun Isaac Subject: Re: [bug#32465] Add iptables service References: <87lg8hbe0c.fsf@gnu.org> <87va734yxd.fsf@gnu.org> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: Jour du Génie de l'Année 226 de la Révolution X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Tue, 18 Sep 2018 16:39:45 +0200 In-Reply-To: (Arun Isaac's message of "Tue, 18 Sep 2018 11:54:31 +0530") Message-ID: <878t3yj2dq.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 32465 Cc: 32465@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -6.0 (------)

Hi,

Arun Isaac skribis:

>>> - Is the example I added for the iptables.rules sufficient? I couldn't
>>> find upstream documentation for the iptables.rules format. I suspect
>>> it doesn't exist. Do you know of any upstream documentation that can
>>> be referred to here?
>>
>> From a quick search it must be ,
>> specifically .
>
> This is general documentation for netfilter, not specific documentation
> about the iptables.rules format. For that, I don't think there is
> upstream documentation.
>
> https://unix.stackexchange.com/questions/400163/netfilter-iptables-restore-file-format-documentation/400203

Oh indeed.
>>> + (stop #~(lambda _
>>> + (invoke #$iptables-restore #$%iptables-accept-all-rules)
>>> + (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
>>
>> There’s a peculiarity of ‘stop’ which is that it must return #f on
>> success. So here, you just need to add a trailing #f after the second
>> ‘invoke’ call. If you do that, I suppose the test that stops the
>> firewall will pass.
>
> There was one problem with stop-service being an unbound variable. I
> fixed that by adding (use-modules (gnu services herd)). But, now the
> test just freezes up. I wonder if it is waiting for some timeout. Here
> is the snippet for the test I am currently using. Also, returning #f
> from stop didn't make a difference.
>
> (test-assert "inetd echo service is accessible after iptables firewall is stopped"
> (begin
> (marionette-eval
> '(begin
> (use-modules (gnu services herd))
> (stop-service 'iptables))
> marionette)
> (wait-for-tcp-port inetd-echo-port marionette #:timeout 5)))

Do you see any messages on the console?

Thanks,
Ludo’.
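The exchange above settles that the iptables-restore file format has no upstream documentation, and the patch's dump-iptables helper has to strip what iptables-save adds (comments, packet counters) before a dump can be compared with the rules that were loaded. The following is an added example, written for this page and not code from the patch or from Guix, that writes the format down as a small parser, reproduces that normalization, and adds a check for the availability pitfalls of the documented example rule set (a catch-all REJECT on INPUT with no loopback, conntrack or ICMPv6 exemption before it). DOC_EXAMPLE_V4 is copied from the patch's documentation example; HARDENED_V6 and SAVE_DUMP are constructed here; lint_input_chain, its finding names and the _opt helper are this example's own, not iptables terminology.

```python
import re
import shlex

CHAIN_RE = re.compile(r"^:(\S+) (\S+)(?: \[\d+:\d+\])?$")  # ":CHAIN POLICY [pkts:bytes]"

# Copied from the patch's doc/guix.texi example (the IPv4 rules).
DOC_EXAMPLE_V4 = """*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Constructed here: same intent plus the loopback, conntrack and ICMPv6 exemptions.
HARDENED_V6 = """*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"""

# Constructed here in the shape of iptables-save output for the patch's test rules.
SAVE_DUMP = """# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [12:960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8:640]
-A INPUT -p tcp -m tcp --dport 7 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""


def parse_rules(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(raw, argv)]}}."""
    tables, table = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank line or iptables-save comment
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif table is None:  # iptables-restore rejects this as well
            raise ValueError("line outside a table: %r" % line)
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if not m:
                raise ValueError("bad chain line: %r" % line)
            tables[table]["policies"][m.group(1)] = m.group(2)
        else:  # a rule: keep the raw text and a shell-style token split
            tables[table]["rules"].append((line, shlex.split(line)))
    if table is not None:
        raise ValueError("table %r has no COMMIT" % table)
    return tables


def normalize(text):
    """Re-emit TEXT without comments or counters, as the patch's test helper does."""
    out = []
    for table, data in parse_rules(text).items():
        out.append("*" + table)
        out.extend(":%s %s" % item for item in data["policies"].items())
        out.extend(raw for raw, _ in data["rules"])
        out.append("COMMIT")
    return "\n".join(out) + "\n"


def _opt(argv, flag):
    i = argv.index(flag) + 1 if flag in argv else len(argv)
    return argv[i] if i < len(argv) else None  # value after FLAG, or None


def lint_input_chain(text, ipv6=False):
    """This example's own check: whatever finally blocks unmatched INPUT traffic
    (a catch-all REJECT/DROP rule or a DROP policy) is flagged per missing exemption."""
    filt = parse_rules(text).get("filter", {"policies": {}, "rules": []})
    wanted = {"loopback", "conntrack"} | ({"icmpv6"} if ipv6 else set())
    seen, blocker = set(), None
    for _, argv in filt["rules"]:
        if argv[:2] != ["-A", "INPUT"] or "-j" not in argv:
            continue
        matches, target = argv[2:argv.index("-j")], _opt(argv, "-j")
        if target == "ACCEPT":
            lo = _opt(matches, "-i") == "lo" and "!" not in matches
            ct = any("ESTABLISHED" in m for m in matches)
            icmp6 = _opt(matches, "-p") in ("ipv6-icmp", "icmpv6")
            seen |= {n for n, ok in (("loopback", lo), ("conntrack", ct),
                                     ("icmpv6", icmp6)) if ok}
        elif target in ("REJECT", "DROP") and not matches:
            blocker = "catch-all " + target
            break  # rules after a catch-all are unreachable
    if blocker is None and filt["policies"].get("INPUT") == "DROP":
        blocker = "policy DROP"
    return ["%s on INPUT with no %s ACCEPT before it" % (blocker, name)
            for name in sorted(wanted - seen)] if blocker else []
```

normalize does not canonicalize rule text, so a rules file only compares equal to its iptables-save dump when it is written the way iptables-save prints it; that is why the patch's test rules spell out `-m tcp`, which the documentation example omits. Run against the documentation example, lint_input_chain reports the missing loopback and conntrack exemptions (and, with ipv6=True, the missing ICMPv6 one); the hardened set reports nothing.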
From debbugs-submit-bounces@debbugs.gnu.org Tue Sep 18 12:02:43 2018
From: Arun Isaac To: Ludovic Courtès Subject: Re: [bug#32465] Add iptables service In-Reply-To: <878t3yj2dq.fsf@gnu.org> References: <87lg8hbe0c.fsf@gnu.org> <87va734yxd.fsf@gnu.org> <878t3yj2dq.fsf@gnu.org> Date: Tue, 18 Sep 2018 21:32:28 +0530 Message-ID: MIME-Version: 1.0 Content-Type: text/plain X-Spam-Score: 1.5 (+) X-Debbugs-Envelope-To: 32465 Cc: 32465@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 0.5 (/)

>> (test-assert "inetd echo service is accessible after iptables firewall is stopped"
>> (begin
>> (marionette-eval
>> '(begin
>> (use-modules (gnu services herd))
>> (stop-service 'iptables))
>> marionette)
>> (wait-for-tcp-port inetd-echo-port marionette #:timeout 5)))
>
> Do you see any messages on the console?
I see no relevant messages on the console. It just gets stuck at "komputilo login:".

I could just skip this test, and push with a TODO comment in gnu/tests/networking.scm. WDYT?

From debbugs-submit-bounces@debbugs.gnu.org Wed Sep 19 16:42:13 2018
From: ludo@gnu.org (Ludovic Courtès) To: Arun Isaac Subject: Re: [bug#32465] Add iptables service References: <87lg8hbe0c.fsf@gnu.org> <87va734yxd.fsf@gnu.org> <878t3yj2dq.fsf@gnu.org> X-URL: http://www.fdn.fr/~lcourtes/ X-Revolutionary-Date: Jour du Travail de l'Année 226 de la Révolution X-PGP-Key-ID: 0x090B11993D9AEBB5 X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4 0CFB 090B 1199 3D9A EBB5 X-OS: x86_64-pc-linux-gnu Date: Wed, 19 Sep 2018 22:41:56 +0200 In-Reply-To: (Arun Isaac's message of "Tue, 18 Sep 2018 21:32:28 +0530") Message-ID: <87k1nhdxt7.fsf@gnu.org> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 2001:4830:134:3::e X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: 32465 Cc: 32465@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -6.0 (------)

Arun Isaac skribis:

>>> (test-assert "inetd echo service is accessible after iptables firewall is stopped"
>>> (begin
>>> (marionette-eval
>>> '(begin
>>> (use-modules (gnu services herd))
>>> (stop-service 'iptables))
>>> marionette)
>>> (wait-for-tcp-port inetd-echo-port marionette #:timeout 5)))
>>
>> Do you see any messages on the console?
>
> I see no relevant messages on the console. It just gets stuck at
> "komputilo login:".
>
> I could just skip this test, and push with a TODO comment in
> gnu/tests/networking.scm. WDYT?

Yes, sounds good!

Thank you,
Ludo’.
From debbugs-submit-bounces@debbugs.gnu.org Thu Sep 20 03:50:54 2018
From: Arun Isaac
To: Ludovic Courtès
Subject: Re: [bug#32465] Add iptables service
In-Reply-To: <87k1nhdxt7.fsf@gnu.org>
Date: Thu, 20 Sep 2018 13:20:40 +0530
Cc: 32465-done@debbugs.gnu.org

Pushed, thanks!

From: Debbugs Internal Request
Subject: Internal Control
Date: Thu, 18 Oct 2018 11:24:06 +0000

bug archived.
