GNU bug report logs - #49540
[PATCH 0/2] services: nftables: Make it extendable


Package: guix-patches;

Reported by: Brice Waegeneire <brice <at> waegenei.re>

Date: Mon, 12 Jul 2021 21:06:02 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 49540 AT debbugs.gnu.org.



Report forwarded to guix-patches <at> gnu.org:
bug#49540; Package guix-patches. (Mon, 12 Jul 2021 21:06:02 GMT)

Acknowledgement sent to Brice Waegeneire <brice <at> waegenei.re>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Mon, 12 Jul 2021 21:06:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Brice Waegeneire <brice <at> waegenei.re>
To: guix-patches <at> gnu.org
Cc: iyzsong <at> member.fsf.org, solene <at> perso.pw
Subject: [PATCH 0/2] services: nftables: Make it extendable
Date: Mon, 12 Jul 2021 23:05:43 +0200
This patchset makes "nftables-service-type" extendable, so other services can
open ports.  I wrote this to be able to use libvirt with nftables (another
patch is coming about that) like this:

--8<---------------cut here---------------start------------->8---
(simple-service 'nftables-libvirt nftables-service-type
                   (list "# Libvirt?
add rule inet guix forward ct state established,related accept
add rule inet guix forward iifname \"virbr*\" accept

add chain inet guix libvirt
insert rule inet guix input iifname \"virbr*\" jump libvirt
insert rule inet guix libvirt udp dport 53 accept
insert rule inet guix libvirt tcp dport 53 accept
insert rule inet guix libvirt udp dport 67 accept
"))
--8<---------------cut here---------------end--------------->8---

So this should make it possible to implement Solene's
"simple-firewall-service"¹ by simply extending "nftables-service-type".

Also, now, stopping nftables only removes the "guix" table, so other software
can use its own tables without them being purged when that service is
stopped.

WDYT?

¹ <https://issues.guix.gnu.org/48975>

Brice Waegeneire (2):
  services: nftables: Only manage delete our own table.
  services: nftables: Make it extendable.

 gnu/services/networking.scm | 51 +++++++++++++++++++++++++++++--------
 1 file changed, 41 insertions(+), 10 deletions(-)

-- 
2.31.1
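To make the composition described in the cover letter concrete, here is an added Python model (not Guix code, and not part of this patch series) of how the extended ruleset is assembled and fed to nft, together with a check a system administrator would want: since, after this series, `herd stop nftables` only deletes `table inet guix`, any extension rule that targets a different table would survive a stop. The `FileLike` class, the rule text and the `/etc/nftables-custom.conf` path are constructed for the example; Guix hands an unextended file-like ruleset to `nft --file` directly, which the model renders as an `include` line so the result is always text.

```python
import re
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class FileLike:
    """Stand-in for a Guix file-like object (constructed for this example)."""
    path: str


Rule = Union[str, FileLike]

# Constructed abbreviation of the patch's %default-nftables-rules.
DEFAULT_RULES = (
    "# A simple and safe firewall\n"
    "add table inet guix\n"
    "delete table inet guix\n"
    "table inet guix {\n"
    "  chain input {\n"
    "    type filter hook input priority 0; policy drop;\n"
    "    iif lo accept\n"
    "  }\n"
    "}\n"
)

# The libvirt snippet from the cover letter, as a list of extension rules.
LIBVIRT_RULES = [
    "add rule inet guix forward ct state established,related accept",
    'add rule inet guix forward iifname "virbr*" accept',
    "add chain inet guix libvirt",
    'insert rule inet guix input iifname "virbr*" jump libvirt',
    "insert rule inet guix libvirt udp dport 53 accept",
]


def extend_ruleset(ruleset: Union[Rule, List[Rule]], additional: List[Rule]) -> List[Rule]:
    """Model of the service type's `extend`: a list gets the extension rules
    appended; a single file-like object or string becomes the head of a list."""
    if isinstance(ruleset, list):
        return ruleset + additional
    return [ruleset] + additional


def render_ruleset(ruleset: Union[Rule, List[Rule]]) -> str:
    """Model of `nftables-ruleset`: file-like entries become nft `include`
    directives, strings are emitted verbatim, each followed by a newline."""
    entries = ruleset if isinstance(ruleset, list) else [ruleset]
    parts = []
    for rule in entries:
        if isinstance(rule, FileLike):
            parts.append(f'include "{rule.path}"\n')
        else:
            parts.append(rule + "\n")
    return "".join(parts)


# Matches nft command lines that name a family and table, e.g.
# "add rule inet guix input ..." or "delete table inet guix".
TABLE_RE = re.compile(
    r"^\s*(?:add|insert|delete|flush|replace)\s+"
    r"(?:rule|chain|set|map|element|table)\s+"
    r"(?P<family>ip|ip6|inet|arp|bridge|netdev)\s+(?P<table>\S+).*$",
    re.MULTILINE,
)


def foreign_table_rules(text: str, own=("inet", "guix")) -> List[str]:
    """Return the command lines that touch a table other than `own`.
    Such rules are loaded by `nft --file` but not removed by the stop action,
    which only deletes `inet guix`."""
    hits = []
    for m in TABLE_RE.finditer(text):
        if (m.group("family"), m.group("table")) != own:
            hits.append(m.group(0).strip())
    return hits


if __name__ == "__main__":
    text = render_ruleset(extend_ruleset([DEFAULT_RULES], LIBVIRT_RULES))
    print(text)
    print("rules outside inet guix:", foreign_table_rules(text))
```

Running the script prints the default ruleset followed by the libvirt rules and an empty list, because every libvirt rule stays inside the `guix` table; feeding it a custom ruleset that adds rules to, say, `inet filter` makes `foreign_table_rules` list those lines.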
Information forwarded to guix-patches <at> gnu.org:
bug#49540; Package guix-patches. (Mon, 12 Jul 2021 21:09:02 GMT)

Message #8 received at submit <at> debbugs.gnu.org:

From: Brice Waegeneire <brice <at> waegenei.re>
To: guix-patches <at> gnu.org
Cc: iyzsong <at> member.fsf.org, solene <at> perso.pw
Subject: [PATCH 1/2] services: nftables: Only manage delete our own table.
Date: Mon, 12 Jul 2021 23:08:22 +0200
* gnu/services/networking.scm (%default-nftables-ruleset): Rename table
  from "forward" to "guix".  Clear table before applying before setting
  it up.
(nftables-shepherd-service): Don't flush all the table, just delete our
  own.
---
 gnu/services/networking.scm | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 1ae58041d3..3058c14caf 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -13,7 +13,7 @@
 ;;; Copyright © 2019, 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
 ;;; Copyright © 2019 Sou Bunnbu <iyzsong <at> member.fsf.org>
 ;;; Copyright © 2019 Alex Griffin <a <at> ajgrf.com>
-;;; Copyright © 2020 Brice Waegeneire <brice <at> waegenei.re>
+;;; Copyright © 2020, 2021 Brice Waegeneire <brice <at> waegenei.re>
 ;;; Copyright © 2021 Oleg Pykhalov <go.wigust <at> gmail.com>
 ;;; Copyright © 2021 Christopher Lemmer Webber <cwebber <at> dustycloud.org>
 ;;; Copyright © 2021 Maxime Devos <maximedevos <at> telenet.be>
@@ -1717,7 +1717,12 @@ COMMIT
 (define %default-nftables-ruleset
   (plain-file "nftables.conf"
               "# A simple and safe firewall
-table inet filter {
+
+# Start with our table clean of previous state
+add table inet guix
+delete table inet guix
+
+table inet guix {
   chain input {
     type filter hook input priority 0; policy drop;
 
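Review bot: the `add table inet guix` / `delete table inet guix` pair at the top of the ruleset deserves a more precise comment than "clean of previous state": `nft delete table` fails when the table does not exist, so the preceding `add` is what makes the delete unconditional, and that is also what allows the stop action below to be reduced to a single delete. Renaming the table from `filter` to `guix` is user-visible as well: existing custom rulesets written against `table inet filter` still load, but the new stop action no longer touches that table, so the rename and the reserved `guix` table name should be stated in the commit message and in the manual.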
@@ -1768,7 +1773,7 @@ table inet filter {
         (start #~(lambda _
                    (invoke #$nft "--file" #$ruleset)))
         (stop #~(lambda _
-                  (invoke #$nft "flush" "ruleset"))))))))
+                  (invoke #$nft "delete" "table" "inet" "guix"))))))))
 
 (define nftables-service-type
   (service-type
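Review bot: `(invoke #$nft "delete" "table" "inet" "guix")` fails on stop whenever the table is absent, for example with a custom `ruleset` that never defines `inet guix`, or after someone ran `nft flush ruleset` by hand; `invoke` raises on a non-zero exit status, so the shepherd stop action would error out while leaving the user's rules loaded. Consider making the stop tolerant, for instance by running `add table inet guix` before the delete (the same idiom the ruleset itself uses), and document that the service only manages `inet guix`, so rules in other tables are not removed by `herd stop nftables`.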
-- 
2.31.1
Information forwarded to guix-patches <at> gnu.org:
bug#49540; Package guix-patches. (Mon, 12 Jul 2021 21:09:02 GMT)

Message #11 received at submit <at> debbugs.gnu.org:

From: Brice Waegeneire <brice <at> waegenei.re>
To: guix-patches <at> gnu.org
Cc: iyzsong <at> member.fsf.org, solene <at> perso.pw
Subject: [PATCH 2/2] services: nftables: Make it extendable.
Date: Mon, 12 Jul 2021 23:08:23 +0200
* gnu/services/networking.scm (%default-nftables-rules): New variable…
(define-record-type): …replace %default-nftables-ruleset with it.
(%default-nftables-ruleset): Deprecate it.
(nftables-ruleset): New procedure…
(nftables-shepherd-service): …use it.
(nftables-service-type): Make it extendable.
---
 gnu/services/networking.scm | 40 ++++++++++++++++++++++++++++++-------
 1 file changed, 33 insertions(+), 7 deletions(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 3058c14caf..53c06dcfed 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -1714,9 +1714,8 @@ COMMIT
 ;;; nftables
 ;;;
 
-(define %default-nftables-ruleset
-  (plain-file "nftables.conf"
-              "# A simple and safe firewall
+(define %default-nftables-rules
+  "# A simple and safe firewall
 
 # Start with our table clean of previous state
 add table inet guix
@@ -1752,7 +1751,11 @@ table inet guix {
     type filter hook output priority 0; policy accept;
   }
 }
-"))
+")
+
+(define-deprecated %default-nftables-ruleset
+  %default-nftables-rules
+  (plain-file "nftables.conf" %default-nftables-rules))
 
 (define-record-type* <nftables-configuration>
   nftables-configuration
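Review bot: the deprecation alias points users of `%default-nftables-ruleset` at `%default-nftables-rules`, but the two are not interchangeable: the old variable is a file-like object while the new one is a plain string, and the `ruleset` field default in the next hunk is a list. A user who follows the deprecation warning and writes `(ruleset %default-nftables-rules)` ends up with a bare string in the field; the deprecation message or the manual should tell them to write `(list %default-nftables-rules)` instead.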
@@ -1760,13 +1763,28 @@ table inet guix {
   nftables-configuration?
   (package nftables-configuration-package
            (default nftables))
-  (ruleset nftables-configuration-ruleset ; file-like object
-           (default %default-nftables-ruleset)))
+  ; file-like object | list of strings and file-like objects
+  (ruleset nftables-configuration-ruleset
+           (default (list %default-nftables-rules))))
+
+(define (nftables-ruleset ruleset)
+  (if (file-like? ruleset)
+      ruleset
+      (apply mixed-text-file
+             `("nftables.conf"
+               ,@(fold-right
+                 (lambda (rule result)
+                   (if (file-like? rule)
+                       (append (list "include \"" rule "\"\n") result)
+                       (append (list rule "\n") result)))
+                 '()
+                 ruleset)))))
 
 (define nftables-shepherd-service
   (match-lambda
     (($ <nftables-configuration> package ruleset)
-     (let ((nft (file-append package "/sbin/nft")))
+     (let ((nft (file-append package "/sbin/nft"))
+           (ruleset (nftables-ruleset ruleset)))
        (shepherd-service
         (documentation "Packet filtering and classification")
         (provision '(nftables))
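Review bot: `nftables-ruleset` handles a file-like object or a list, but a bare string, which is what the deprecation alias in the previous hunk steers users towards, is neither: it falls through to `fold-right` over a string, which fails with an unhelpful type error at build time. A `(string? ruleset)` branch that wraps it in a list, or a `cond` whose `else` raises a clear error for unsupported values, would make the failure readable. Two smaller points: the field comment now on its own line should use `;;` to match the file's comment style, and `fold-right` and `file-like?` come from `(srfi srfi-1)` and `(guix gexp)` respectively, so check that both are already in the module's `#:use-module` list.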
@@ -1785,6 +1803,14 @@ table inet guix {
                              (compose list nftables-shepherd-service))
           (service-extension profile-service-type
                              (compose list nftables-configuration-package))))
+   (compose concatenate)
+   (extend (lambda (config additional-rules)
+             (let ((ruleset (nftables-configuration-ruleset config)))
+               (nftables-configuration
+                (inherit config)
+                (ruleset (if (list? ruleset)
+                             (append ruleset additional-rules)
+                             (cons* ruleset additional-rules)))))))
    (default-value (nftables-configuration))))
 
 
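Review bot: the `extend` procedure's `(cons* ruleset additional-rules)` branch means a file-like ruleset is only wrapped in an `include "..."` line once the service has extensions, while an unextended one is passed to `nft --file` directly, so the two paths should be kept in step with `nftables-ruleset` in the previous hunk. Service authors also need to know that, with `(compose concatenate)`, extension rules are appended after the base ruleset, so an extension's `add rule` lands at the end of the chain after whatever rules the base already has (the cover letter's libvirt snippet uses `insert rule` for exactly this reason); a sentence on ordering, together with the field's new accepted types (string, file-like object, or a list of them) and the fact that any service can now add rules to the `guix` table, belongs in doc/guix.texi, which this series does not touch.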
-- 
2.31.1
This bug report was last modified 2 years and 259 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.