GNU bug report logs - #32465
Add iptables service


Package: guix-patches;

Reported by: Arun Isaac <arunisaac <at> systemreboot.net>

Date: Fri, 17 Aug 2018 11:25:02 UTC

Severity: normal

Done: Arun Isaac <arunisaac <at> systemreboot.net>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Fri, 17 Aug 2018 11:25:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arun Isaac <arunisaac <at> systemreboot.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 17 Aug 2018 11:25:04 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: guix-patches <at> gnu.org
Subject: Add iptables service
Date: Fri, 17 Aug 2018 16:54:19 +0530
I have written a service to configure iptables rules. What tests should
I write for this service? I see the following two approaches to tests:

- Dump the iptables rules using iptables-save and verify that they
  match the configured rules.
- Configure iptables to block certain ports and allow some other
  ports. Then, run a service on those ports and check if it is possible to
  reach them.

After we have iterated a few times, and converged on the final patch for
this service, I will also contribute a similar service for ip6tables.

[0001-gnu-services-Add-iptables-service.patch (text/x-patch, inline)]
From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001
From: Arun Isaac <arunisaac <at> systemreboot.net>
Date: Fri, 17 Aug 2018 16:39:07 +0530
Subject: [PATCH] gnu: services: Add iptables service.

* gnu/services/networking.scm (<iptables-configuration>): New record type.
(iptables-service-type): New variable.
* doc/guix.texi (Networking Services): Document it.
---
 doc/guix.texi               | 27 ++++++++++++++++++++++
 gnu/services/networking.scm | 45 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 0b72e5d8c..d5ff43811 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -11287,6 +11287,33 @@ Thus, it can be instantiated like this:
 @end lisp
 @end defvr
 
+@cindex iptables
+@defvr {Scheme Variabe} iptables-service-type
+This is the service type to set up an iptables coniguration. iptables is a
+packet filtering framework supported by the Linux kernel.  It can be
+instantiated as:
+
+@lisp
+(service iptables-service-type
+	 (iptables-configuration
+	  (rules (local-file "iptables.rules"))))
+@end lisp
+
+@deftp {Data Type} iptables-configuration
+The data type representing the configuration of @command{iptables}.
+
+@table @asis
+@item @code{iptables} (default: @code{iptables})
+The iptables package that provides @code{iptables-restore}.
+@item @code{rules}
+The iptables rules to use.  This is required.  It will be passed to
+@code{iptables-restore}.  This may be any ``file-like'' object
+(@pxref{G-Expressions, file-like objects}).
+@end table
+@end deftp
+
+@end defvr
+
 @cindex NTP
 @cindex real time clock
 @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @
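Review bot: the `@end defvr` at the end of this hunk comes after the nested `@deftp {Data Type} iptables-configuration` … `@end deftp` block, so the data type ends up defined inside the variable's definition; move `@end defvr` up to directly after the `@end lisp` line so the two definitions are siblings. The same hunk has two typos: `{Scheme Variabe}` should read `{Scheme Variable}` and `coniguration` should read `configuration`. Since `rules` goes straight to `iptables-restore`, readers would also benefit from a short sample `iptables.rules` (table header, `:CHAIN POLICY [0:0]` lines, `-A` rules, `COMMIT`) or a link to the netfilter documentation.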
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index d5d0cf9d1..46e0ee3d0 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -7,6 +7,7 @@
 ;;; Copyright © 2017 Thomas Danckaert <post <at> thomasdanckaert.be>
 ;;; Copyright © 2017 Marius Bakke <mbakke <at> fastmail.com>
 ;;; Copyright © 2018 Tobias Geerinckx-Rice <me <at> tobias.gr>
+;;; Copyright © 2018 Arun Isaac <arunisaac <at> systemreboot.net>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -102,7 +103,13 @@
             wpa-supplicant-service-type
 
             openvswitch-service-type
-            openvswitch-configuration))
+            openvswitch-configuration
+
+            iptables-configuration
+            iptables-configuration?
+            iptables-configuration-iptables
+            iptables-configuration-rules
+            iptables-service-type))
 
 ;;; Commentary:
 ;;;
@@ -1086,4 +1093,40 @@ networking."))))
 switch designed to enable massive network automation through programmatic
 extension.")))
 
+;;;
+;;; iptables
+;;;
+
+(define-record-type* <iptables-configuration>
+  iptables-configuration make-iptables-configuration iptables-configuration?
+  (iptables iptables-configuration-iptables
+            (default iptables))
+  (rules iptables-configuration-rules))
+
+(define iptables-shepherd-service
+  (match-lambda
+    (($ <iptables-configuration> iptables rules)
+     (let ((iptables-restore (file-append iptables "/sbin/iptables-restore")))
+       (shepherd-service
+        (documentation "Packet filtering framework")
+        (provision '(iptables))
+        (start #~(lambda _ (invoke #$iptables-restore #$rules)))
+        (stop #~(lambda _ (invoke #$iptables-restore
+                                  #$(plain-file "iptables.rules"
+                                                "*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+")))))))))
+
+(define iptables-service-type
+  (service-type
+   (name 'iptables)
+   (description
+    "Run @command{iptables-restore}, setting up the specified rules.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list iptables-shepherd-service))))))
+
 ;;; networking.scm ends here
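Review bot: `stop` returns the value of its last `invoke` call, which is `#t` on success, and the Shepherd takes a true value from `stop` to mean the service is still running, so the service will never be reported as stopped; add a trailing `#f` after the `invoke` in `stop`. Two further points on the same hunk: `invoke` raises an exception when `iptables-restore` exits non-zero, so a malformed `rules` file makes `start` fail with a backtrace rather than a message naming the bad file (a `--test` dry run of the rules before loading them would catch that earlier); and the accept-all file passed in `stop` only mentions `*filter`, so `iptables-restore` leaves any `*nat` or `*mangle` rules that `rules` loaded in place while resetting the filter chains to ACCEPT, which opens the host entirely while the service is down. Both behaviours are worth documenting next to `rules`.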
-- 
2.18.0
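The first testing approach above (dump the live ruleset with iptables-save and compare it with the configured rules) needs a comparison that ignores what iptables-save changes cosmetically: packet counters, timestamped comments and the `-m tcp` it inserts after `-p tcp`. The following Python is an added example, not code from the patch or from Guix; the rules file and the two dumps are constructed samples, and `diff_rules` reports a rule that appeared outside the configuration (here a hand-opened telnet port) as drift.

```python
import re
import shlex

# Constructed sample: the rules file handed to iptables-restore.
CONFIGURED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: iptables-save output afterwards (live counters,
# timestamped comments, and the implied `-m tcp` made explicit).
SAVED_DUMP = """\
# Generated by iptables-save on Fri Aug 17 16:39:07 2018
*filter
:INPUT DROP [1204:98765]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3311:456789]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Fri Aug 17 16:39:07 2018
"""

# Constructed sample: the same host after telnet was opened by hand.
DRIFTED_DUMP = SAVED_DUMP.replace(
    "COMMIT", "-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT\nCOMMIT")

_COUNTER_RE = re.compile(r"\s*\[\d+:\d+\]\s*$")


def canonical_rule(line):
    """Drop the match module implied by -p: iptables-save prints
    `-p tcp --dport 22` as `-p tcp -m tcp --dport 22`."""
    tokens = shlex.split(line)
    proto = next((tokens[i + 1] for i, t in enumerate(tokens[:-1])
                  if t in ("-p", "--protocol")), None)
    out, skip = [], False
    for i, tok in enumerate(tokens):
        if skip:
            skip = False
        elif tok in ("-m", "--match") and tokens[i + 1:i + 2] == [proto]:
            skip = True
        else:
            out.append(tok)
    return " ".join(out)


def parse_rules(text):
    """Parse save/restore text into {table: {"policies": {...}, "rules": [...]}}.
    Comments, blank lines and packet/byte counters are ignored."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError(f"line outside a table block: {raw!r}")
        elif line.startswith(":"):
            chain, policy = _COUNTER_RE.sub("", line[1:]).split()[:2]
            tables[table]["policies"][chain] = policy
        else:
            tables[table]["rules"].append(canonical_rule(line))
    if table is not None:
        raise ValueError(f"table {table!r} not closed by COMMIT")
    return tables


def diff_rules(configured, saved):
    """List differences; [] means the live ruleset matches the configuration.
    Only tables named in the configuration are checked, and rule order is
    significant because iptables evaluates rules first-match."""
    want, have = parse_rules(configured), parse_rules(saved)
    problems = []
    for table, spec in want.items():
        live = have.get(table, {"policies": {}, "rules": []})
        for chain, policy in spec["policies"].items():
            if live["policies"].get(chain) != policy:
                problems.append(f"{table}/{chain}: policy {policy} expected, "
                                f"got {live['policies'].get(chain)}")
        if spec["rules"] != live["rules"]:
            extra = [r for r in live["rules"] if r not in spec["rules"]]
            missing = [r for r in spec["rules"] if r not in live["rules"]]
            problems.append(f"{table}: extra={extra} missing={missing}")
    return problems
```

In a system test the `saved` text would come from running `iptables-save` inside the marionette; a non-empty result fails the test.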


Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Tue, 04 Sep 2018 13:16:01 GMT) Full text and rfc822 format available.

Message #8 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Arun Isaac <arunisaac <at> systemreboot.net>
Cc: 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 04 Sep 2018 15:14:59 +0200
Hello Arun,

Sorry for the delay, everyone must have been on vacation for a while.
:-)

Arun Isaac <arunisaac <at> systemreboot.net> skribis:

> I have written a service to configure iptables rules. What tests should
> I write for this service? I see the following two approaches to tests:
>
> - Dump the iptables rules using iptables-save and verify that they
>   match the configured rules.
> - Configure iptables to block certain ports and allow some other
>   ports. Then, run a service on those ports and check if it is possible to
>   reach them.

Both approaches LGTM.

> After we have iterated a few times, and converged on the final patch for
> this service, I will also contribute a similar service for ip6tables.

Neat!

> From 53e0b56ea0ee4de75ab8749b0ce0ad9a2eebe671 Mon Sep 17 00:00:00 2001
> From: Arun Isaac <arunisaac <at> systemreboot.net>
> Date: Fri, 17 Aug 2018 16:39:07 +0530
> Subject: [PATCH] gnu: services: Add iptables service.
>
> * gnu/services/networking.scm (<iptables-configuration>): New record type.
> (iptables-service-type): New variable.
> * doc/guix.texi (Networking Services): Document it.

[...]

> +@defvr {Scheme Variabe} iptables-service-type
> +This is the service type to set up an iptables coniguration. iptables is a
> +packet filtering framework supported by the Linux kernel.  It can be
> +instantiated as:
> +
> +@lisp
> +(service iptables-service-type
> +	 (iptables-configuration
> +	  (rules (local-file "iptables.rules"))))
> +@end lisp

“@end defvr” should be here.

What about adding either an “iptables.rules” example, a link to
upstream’s documentation, or both?

> +(define iptables-shepherd-service
> +  (match-lambda
> +    (($ <iptables-configuration> iptables rules)
> +     (let ((iptables-restore (file-append iptables "/sbin/iptables-restore")))
> +       (shepherd-service
> +        (documentation "Packet filtering framework")
> +        (provision '(iptables))
> +        (start #~(lambda _ (invoke #$iptables-restore #$rules)))
> +        (stop #~(lambda _ (invoke #$iptables-restore
> +                                  #$(plain-file "iptables.rules"
> +                                                "*filter
> +:INPUT ACCEPT [0:0]
> +:FORWARD ACCEPT [0:0]
> +:OUTPUT ACCEPT [0:0]
> +COMMIT
> +")))))))))

I was thinking that ‘stop’ might undo more than we want, but OTOH, when
the service starts, there are no rules loaded anyway.  So I guess this
is fine.

It would be great if you could get a system test as you suggest, but
anyhow it looks great to me.

Thanks,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Tue, 04 Sep 2018 13:53:02 GMT) Full text and rfc822 format available.

Message #11 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: Julien Lepiller <julien <at> lepiller.eu>
To: 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 04 Sep 2018 15:52:38 +0200
Hi,

It's not directly an answer to Arun's patch (it is great), but I
recently came across FireMason
(http://www.cs.yale.edu/homes/zhai-ennan/firemason.pdf and
https://github.com/BillHallahan/FireMason) and I thought we could
implement something similar. Basically, we declare a list of rules in
the iptables service, and we let other services extend that. A rule
would be a specification, independent of the order in which the rules
are specified: "Any packet that matches this rule must be rejected".

Of course, this means that we may have conflicting specifications; for
instance, "any packet from this IP must be dropped" and "any packet
entering on this port must be accepted" are in conflict for packets
entering on this port from this IP address. All we need is a mechanism
to make these cases explicit (when a packet may be dropped or accepted
at the same time), such as "repair: packets from this IP on this port
must be dropped", so the service will effectively see these rules: "any
packet from this IP must be dropped" and "any packet entering on this
port but not from this IP must be accepted", then translated to:

-A INPUT ! -s <ip> -p tcp --dport <port> -j ACCEPT
-A INPUT -s <ip> -j DROP

(see how they are independent from the order in which they are 
declared?)

The hard part is to detect a conflict between two rules and give hints 
to the user as to how to fix that.

Of course, we should provide a mechanism to load files as a fallback, in 
which case additional rules from services should be ignored.

What do you think?



PS: Arun, in your patch for the manual you say: "This is the service 
type to set up an iptables coniguration". This should be 
"configuration".




Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Wed, 05 Sep 2018 09:41:01 GMT) Full text and rfc822 format available.

Message #14 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Julien Lepiller <julien <at> lepiller.eu>, 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Wed, 05 Sep 2018 15:10:24 +0530
> It's not directly an answer to Arun's patch (it is great), but I
> recently came across FireMason
> (http://www.cs.yale.edu/homes/zhai-ennan/firemason.pdf and
> https://github.com/BillHallahan/FireMason) and I thought we could
> implement something similar.

This sounds interesting. I'll read about it, and if I can, try to
implement something similar for Guix.

> Of course, we should provide a mechanism to load files as a fallback, in 
> which case additional rules from services should be ignored.

Yes, I think this iptables service should exist independently as a
fallback. So, I'll finish and push these services before studying
firemason.

> PS: Arun, in your patch for the manual you say: "This is the service 
> type to set up an iptables coniguration". This should be 
> "configuration".

Sure, will fix this typo.




Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Wed, 05 Sep 2018 09:43:02 GMT) Full text and rfc822 format available.

Message #17 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Wed, 05 Sep 2018 15:12:22 +0530
> It would be great if you could get a system test as you suggest, but
> anyhow it looks great to me.

I'll make the corrections you suggested, write the system test, and send
an updated patch.




Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Mon, 10 Sep 2018 12:53:02 GMT) Full text and rfc822 format available.

Message #20 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Arun Isaac <arunisaac <at> systemreboot.net>
Cc: 32465 <at> debbugs.gnu.org, Julien Lepiller <julien <at> lepiller.eu>
Subject: Re: [bug#32465] Add iptables service
Date: Mon, 10 Sep 2018 14:51:58 +0200
Hello,

Arun Isaac <arunisaac <at> systemreboot.net> skribis:

>> It's not directly an answer to Arun's patch (it is great), but I
>> recently came across FireMason
>> (http://www.cs.yale.edu/homes/zhai-ennan/firemason.pdf and
>> https://github.com/BillHallahan/FireMason) and I thought we could
>> implement something similar.
>
> This sounds interesting. I'll read about it, and if I can, try to
> implement something similar for Guix.

Agreed, it looks nice.

>> Of course, we should provide a mechanism to load files as a fallback, in 
>> which case additional rules from services should be ignored.
>
> Yes, I think this iptables service should exist independently as a
> fallback. So, I'll finish and push these services before studying
> firemason.

The nice thing is that we could detect conflicting iptables rules
statically if we wanted to: ‘guix system reconfigure’ would proceed if
and only if there are no conflicting rules.  I don’t know how difficult
and how annoying that could be, but it might be worth considering (as
future work…).

Thanks,
Ludo’.
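Julien's declarative-rules idea above, with Ludo's point that conflicts could be rejected statically before reconfiguring, can be sketched in a few dozen lines. The Python below is an added illustration, not code from Guix or from FireMason: a rule is a set of match fields plus a verdict, two rules conflict when their matches overlap with different verdicts and no "repair" rule covers exactly that overlap, and compilation orders rules by specificity (most specific first, repairs before ordinary rules) so the emitted iptables lines do not depend on declaration order. It resolves Julien's example by ordering rather than by the `! -s` negation rewrite he describes; the address and port are constructed sample values.

```python
from itertools import combinations

# Match fields understood by this sketch and how each renders to iptables.
FIELDS = {"src": "-s {}", "dst": "-d {}", "proto": "-p {}", "dport": "--dport {}"}


class Rule:
    """A specification: every packet matching `match` gets `verdict`.
    A repair rule states the verdict for the overlap of two conflicting rules."""

    def __init__(self, verdict, repair=False, **match):
        unknown = set(match) - set(FIELDS)
        if unknown:
            raise ValueError(f"unknown match fields: {sorted(unknown)}")
        if "dport" in match and match.get("proto") not in ("tcp", "udp"):
            raise ValueError("dport needs proto tcp or udp")
        self.verdict, self.repair, self.match = verdict, repair, dict(match)


class ConflictError(Exception):
    pass


def overlap(a, b):
    """Match describing packets that both rules match, or None if disjoint."""
    merged = dict(a.match)
    for field, value in b.match.items():
        if merged.get(field, value) != value:
            return None
        merged[field] = value
    return merged


def find_conflicts(rules):
    """Pairs of ordinary rules that overlap with different verdicts and have
    no repair rule whose match equals their overlap."""
    repairs = [r.match for r in rules if r.repair]
    conflicts = []
    for a, b in combinations([r for r in rules if not r.repair], 2):
        common = overlap(a, b)
        if a.verdict != b.verdict and common is not None and common not in repairs:
            conflicts.append((a, b, common))
    return conflicts


def render(rule, chain="INPUT"):
    opts = [FIELDS[f].format(rule.match[f]) for f in FIELDS if f in rule.match]
    return " ".join([f"-A {chain}", *opts, f"-j {rule.verdict}"])


def compile_rules(rules, chain="INPUT"):
    """Emit iptables lines in an order independent of declaration order:
    most specific match first, repairs before ordinary rules of equal size,
    then by text.  Raises ConflictError with a hint when the spec is ambiguous,
    which is the check a reconfigure step could run before touching the host."""
    conflicts = find_conflicts(rules)
    if conflicts:
        raise ConflictError("; ".join(
            f"{render(a, chain)!r} vs {render(b, chain)!r}: add a repair rule for {common}"
            for a, b, common in conflicts))
    return [render(r, chain) for r in sorted(
        rules, key=lambda r: (-len(r.match), not r.repair, render(r, chain)))]


# Constructed example (RFC 5737 documentation address): Julien's two rules
# plus the repair that resolves their overlap.
DROP_HOST = Rule("DROP", src="192.0.2.10")
ALLOW_SSH = Rule("ACCEPT", proto="tcp", dport=22)
REPAIR = Rule("DROP", repair=True, src="192.0.2.10", proto="tcp", dport=22)

if __name__ == "__main__":
    print("\n".join(compile_rules([DROP_HOST, ALLOW_SSH, REPAIR])))
```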




Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Tue, 11 Sep 2018 06:54:02 GMT) Full text and rfc822 format available.

Message #23 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
To: Arun Isaac <arunisaac <at> systemreboot.net>
Cc: 32465 <at> debbugs.gnu.org, Rutger Helling <rhelling <at> mykolab.com>
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 11 Sep 2018 08:53:29 +0200
On Fri, 17 Aug 2018 16:54:19 +0530
Arun Isaac <arunisaac <at> systemreboot.net> wrote:

> After we have iterated a few times, and converged on the final patch
> for this service, I will also contribute a similar service for
> ip6tables.


Hi Arun,

thanks for the patch. I have one little comment:

During the holidays I read an article about nftables:

https://netfilter.org/projects/nftables/
https://wiki.archlinux.org/index.php/nftables

It aims to be the successor to iptables and handles IPv4, IPv6 and others
in one tool/ruleset.

I have no knowledge about the firewall tools, I have no idea of how
mature or accepted that is, I just thought it might be worth
considering instead of writing 3 services.

We already have the userspace package 'nftables' and 'libnftnl' thanks
to Rutger Helling. Maybe he knows more? I put him on CC.

Björn


Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Tue, 11 Sep 2018 08:44:01 GMT) Full text and rfc822 format available.

Message #26 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>
Cc: 32465 <at> debbugs.gnu.org, Rutger Helling <rhelling <at> mykolab.com>
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 11 Sep 2018 14:13:03 +0530
> I have no knowledge about the firewall tools, I have no idea of how
> mature or accepted that is, I just thought it might be worth
> considering instead of writing 3 services.

I have heard of nftables, but I haven't yet learnt how to use it. So,
for now, I'll just do 2 services (one for iptables, and another for
ip6tables). I think someone else who understands nftables should write
the nftables service.




Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Fri, 14 Sep 2018 11:00:02 GMT) Full text and rfc822 format available.

Message #29 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Fri, 14 Sep 2018 16:29:09 +0530
Hi,

I generalized this service to work for both iptables and ip6tables. I
added system tests, and made the other corrections that were
suggested. Some questions follow.

- Is the example I added for the iptables.rules sufficient? I couldn't
  find upstream documentation for the iptables.rules format. I suspect
  it doesn't exist. Do you know of any upstream documentation that can
  be referred to here?
- In the attached patch, the fourth test ("inetd echo service is
  accessible after iptables firewall is stopped") doesn't work. In that
  service, I am trying to stop the iptables service, but I'm not able
  to. How do I programmatically stop the iptables service? Is what I
  have done correct?

Any other feedback is also welcome.

Thank you.

[0001-gnu-services-Add-iptables-service.patch (text/x-patch, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Sat, 15 Sep 2018 12:28:02 GMT) Full text and rfc822 format available.

Message #32 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: Rutger Helling <rhelling <at> mykolab.com>
To: Arun Isaac <arunisaac <at> systemreboot.net>
Cc: Björn Höfling <bjoern.hoefling <at> bjoernhoefling.de>,
 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Sat, 15 Sep 2018 14:27:11 +0200
Hi everyone,

Sorry for the late reply. For the record, I'm not working on an nftables
service.

On Tue, 11 Sep 2018 14:13:03 +0530
Arun Isaac <arunisaac <at> systemreboot.net> wrote:

> > I have no knowledge about the firewall tools, I have no idea of how
> > mature or accepted that is, I just thought it might be worth
> > considering instead of writing 3 services.  
> 
> I have heard of nftables, but I haven't yet learnt how to use it. So,
> for now, I'll just do 2 services (one for iptables, and another for
> ip6tables). I think someone else who understands nftables should write
> the nftables service.


Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Mon, 17 Sep 2018 21:06:01 GMT) Full text and rfc822 format available.

Message #35 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Arun Isaac <arunisaac <at> systemreboot.net>
Cc: 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Mon, 17 Sep 2018 23:05:50 +0200
Hi Arun,

Arun Isaac <arunisaac <at> systemreboot.net> skribis:

> I generalized this service to work for both iptables and ip6tables. I
> added system tests, and made the other corrections that were
> suggested. Some questions follow.
>
> - Is the example I added for the iptables.rules sufficient? I couldn't
>   find upstream documentation for the iptables.rules format. I suspect
>   it doesn't exist. Do you know of any upstream documentation that can
>   be referred to here?

From a quick search it must be <https://netfilter.org/documentation/>,
specifically <https://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html>.

> - In the attached patch, the fourth test ("inetd echo service is
>   accessible after iptables firewall is stopped") doesn't work. In that
>   service, I am trying to stop the iptables service, but I'm not able
>   to. How do I programmatically stop the iptables service? Is what I
>   have done correct?

[...]

> +       (shepherd-service
> +        (documentation "Packet filtering framework")
> +        (provision '(iptables))
> +        (start #~(lambda _
> +                   (invoke #$iptables-restore #$ipv4-rules)
> +                   (invoke #$ip6tables-restore #$ipv6-rules)))
> +        (stop #~(lambda _
> +                  (invoke #$iptables-restore #$%iptables-accept-all-rules)
> +                  (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))

There’s a peculiarity of ‘stop’ which is that it must return #f on
success.  So here, you just need to add a trailing #f after the second
‘invoke’ call.  If you do that, I suppose the test that stops the
firewall will pass.

And if it does, I think you can go ahead and push!  :-)

Thank you,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Tue, 18 Sep 2018 06:25:02 GMT) Full text and rfc822 format available.

Message #38 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 18 Sep 2018 11:54:31 +0530
>> - Is the example I added for the iptables.rules sufficient? I couldn't
>>   find upstream documentation for the iptables.rules format. I suspect
>>   it doesn't exist. Do you know of any upstream documentation that can
>>   be referred to here?
>
> From a quick search it must be <https://netfilter.org/documentation/>,
> specifically <https://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html>.

This is general documentation for netfilter, not specific documentation
about the iptables.rules format. For that, I don't think there is
upstream documentation.

https://unix.stackexchange.com/questions/400163/netfilter-iptables-restore-file-format-documentation/400203

>> +        (stop #~(lambda _
>> +                  (invoke #$iptables-restore #$%iptables-accept-all-rules)
>> +                  (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
>
> There’s a peculiarity of ‘stop’ which is that it must return #f on
> success.  So here, you just need to add a trailing #f after the second
> ‘invoke’ call.  If you do that, I suppose the test that stops the
> firewall will pass.

There was one problem with stop-service being an unbound variable. I
fixed that by adding (use-modules (gnu services herd)). But, now the
test just freezes up. I wonder if it is waiting for some timeout. Here
is the snippet for the test I am currently using. Also, returning #f
from stop didn't make a difference.

(test-assert "inetd echo service is accessible after iptables firewall is stopped"
  (begin
    (marionette-eval
     '(begin
        (use-modules (gnu services herd))
        (stop-service 'iptables))
     marionette)
    (wait-for-tcp-port inetd-echo-port marionette #:timeout 5)))




Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Tue, 18 Sep 2018 14:40:02 GMT) Full text and rfc822 format available.

Message #41 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Arun Isaac <arunisaac <at> systemreboot.net>
Cc: 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 18 Sep 2018 16:39:45 +0200
Hi,

Arun Isaac <arunisaac <at> systemreboot.net> skribis:

>>> - Is the example I added for the iptables.rules sufficient? I couldn't
>>>   find upstream documentation for the iptables.rules format. I suspect
>>>   it doesn't exist. Do you know of any upstream documentation that can
>>>   be referred to here?
>>
>> From a quick search it must be <https://netfilter.org/documentation/>,
>> specifically <https://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html>.
>
> This is general documentation for netfilter, not specific documentation
> about the iptables.rules format. For that, I don't think there is
> upstream documentation.
>
> https://unix.stackexchange.com/questions/400163/netfilter-iptables-restore-file-format-documentation/400203

Oh indeed.

>>> +        (stop #~(lambda _
>>> +                  (invoke #$iptables-restore #$%iptables-accept-all-rules)
>>> +                  (invoke #$ip6tables-restore #$%iptables-accept-all-rules))))))))
>>
>> There’s a peculiarity of ‘stop’ which is that it must return #f on
>> success.  So here, you just need to add a trailing #f after the second
>> ‘invoke’ call.  If you do that, I suppose the test that stops the
>> firewall will pass.
>
> There was one problem with stop-service being an unbound variable. I
> fixed that by adding (use-modules (gnu services herd)). But, now the
> test just freezes up. I wonder if it is waiting for some timeout. Here
> is the snippet for the test I am currently using. Also, returning #f
> from stop didn't make a difference.
>
> (test-assert "inetd echo service is accessible after iptables firewall is stopped"
>   (begin
>     (marionette-eval
>      '(begin
>         (use-modules (gnu services herd))
>         (stop-service 'iptables))
>      marionette)
>     (wait-for-tcp-port inetd-echo-port marionette #:timeout 5)))

Do you see any messages on the console?

Thanks,
Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Tue, 18 Sep 2018 16:03:02 GMT) Full text and rfc822 format available.

Message #44 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Tue, 18 Sep 2018 21:32:28 +0530
>> (test-assert "inetd echo service is accessible after iptables firewall is stopped"
>>   (begin
>>     (marionette-eval
>>      '(begin
>>         (use-modules (gnu services herd))
>>         (stop-service 'iptables))
>>      marionette)
>>     (wait-for-tcp-port inetd-echo-port marionette #:timeout 5)))
>
> Do you see any messages on the console?

I see no relevant messages on the console. It just gets stuck at
"komputilo login:".

I could just skip this test, and push with a TODO comment in
gnu/tests/networking.scm. WDYT?




Information forwarded to guix-patches <at> gnu.org:
bug#32465; Package guix-patches. (Wed, 19 Sep 2018 20:43:01 GMT) Full text and rfc822 format available.

Message #47 received at 32465 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Arun Isaac <arunisaac <at> systemreboot.net>
Cc: 32465 <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Wed, 19 Sep 2018 22:41:56 +0200
Arun Isaac <arunisaac <at> systemreboot.net> skribis:

>>> (test-assert "inetd echo service is accessible after iptables firewall is stopped"
>>>   (begin
>>>     (marionette-eval
>>>      '(begin
>>>         (use-modules (gnu services herd))
>>>         (stop-service 'iptables))
>>>      marionette)
>>>     (wait-for-tcp-port inetd-echo-port marionette #:timeout 5)))
>>
>> Do you see any messages on the console?
>
> I see no relevant messages on the console. It just gets stuck at
> "komputilo login:".
>
> I could just skip this test, and push with a TODO comment in
> gnu/tests/networking.scm. WDYT?

Yes, sounds good!

Thank you,
Ludo’.




Reply sent to Arun Isaac <arunisaac <at> systemreboot.net>:
You have taken responsibility. (Thu, 20 Sep 2018 07:51:02 GMT) Full text and rfc822 format available.

Notification sent to Arun Isaac <arunisaac <at> systemreboot.net>:
bug acknowledged by developer. (Thu, 20 Sep 2018 07:51:02 GMT) Full text and rfc822 format available.

Message #52 received at 32465-done <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 32465-done <at> debbugs.gnu.org
Subject: Re: [bug#32465] Add iptables service
Date: Thu, 20 Sep 2018 13:20:40 +0530
Pushed, thanks!




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Thu, 18 Oct 2018 11:24:06 GMT) Full text and rfc822 format available.
