From patchwork Fri Sep 13 10:17:54 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?b?5a6L5paH5q2m?= <iyzsong@member.fsf.org>
X-Patchwork-Id: 15363
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-Original-To: patchwork@mira.cbaines.net
Delivered-To: patchwork@mira.cbaines.net
Received: by mira.cbaines.net (Postfix, from userid 113)
	id CFD2D173C2; Fri, 13 Sep 2019 11:22:00 +0100 (BST)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mira.cbaines.net
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,UNPARSEABLE_RELAY,
	URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	by mira.cbaines.net (Postfix) with ESMTP id 7FB8417372
	for <patchwork@mira.cbaines.net>; Fri, 13 Sep 2019 11:22:00 +0100 (BST)
Received: from localhost ([::1]:42088 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>)
	id 1i8iiF-0005h9-Lj
	for patchwork@mira.cbaines.net; Fri, 13 Sep 2019 06:21:59 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:33993)
 by lists.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1i8ifQ-0003T7-6g
 for guix-patches@gnu.org; Fri, 13 Sep 2019 06:19:05 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1i8ifO-0002G4-Rb
 for guix-patches@gnu.org; Fri, 13 Sep 2019 06:19:04 -0400
Received: from debbugs.gnu.org ([209.51.188.43]:35580)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
 (Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1i8ifO-0002Fy-Nv
 for guix-patches@gnu.org; Fri, 13 Sep 2019 06:19:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1i8ifO-0007eC-I8
 for guix-patches@gnu.org; Fri, 13 Sep 2019 06:19:02 -0400
X-Loop: help-debbugs@gnu.org
Subject: [bug#37398] [PATCH 2/2] services: Add nftables-service-type.
Resent-From: =?utf-8?b?5a6L5paH5q2m?= <iyzsong@member.fsf.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Fri, 13 Sep 2019 10:19:02 +0000
Resent-Message-ID: <handler.37398.B37398.156836989729332@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 37398
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 37398@debbugs.gnu.org
Received: via spool by 37398-submit@debbugs.gnu.org id=B37398.156836989729332
 (code B ref 37398); Fri, 13 Sep 2019 10:19:02 +0000
Received: (at 37398) by debbugs.gnu.org; 13 Sep 2019 10:18:17 +0000
Received: from localhost ([127.0.0.1]:44400 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1i8iee-0007d2-Od
 for submit@debbugs.gnu.org; Fri, 13 Sep 2019 06:18:17 -0400
Received: from rezeros.cc ([45.76.207.221]:60292)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <iyzsong@member.fsf.org>) id 1i8iec-0007ce-5i
 for 37398@debbugs.gnu.org; Fri, 13 Sep 2019 06:18:15 -0400
Received: from localhost (117.173.227.57 [117.173.227.57])
 by rezeros.cc (OpenSMTPD) with ESMTPSA id a99e656c
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO);
 Fri, 13 Sep 2019 10:18:11 +0000 (UTC)
Received: from localhost (localhost [local])
 by localhost (OpenSMTPD) with ESMTPA id 74d81ee1;
 Fri, 13 Sep 2019 10:17:56 +0000 (UTC)
From: =?utf-8?b?5a6L5paH5q2m?= <iyzsong@member.fsf.org>
Date: Fri, 13 Sep 2019 18:17:54 +0800
Message-Id: <20190913101754.4483-2-iyzsong@member.fsf.org>
X-Mailer: git-send-email 2.19.2
In-Reply-To: <20190913101754.4483-1-iyzsong@member.fsf.org>
References: <20190913101754.4483-1-iyzsong@member.fsf.org>
MIME-Version: 1.0
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 209.51.188.43
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Cc: =?utf-8?b?5a6L5paH5q2m?= <iyzsong@member.fsf.org>
Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org
Sender: "Guix-patches"
 <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>
X-getmail-retrieved-from-mailbox: Patches

* gnu/services/networking.scm (%default-nftables-ruleset): New variable.
(<nftables-configuration>): New record type.
(nftables-shepherd-service): New procedure.
(nftables-service-type): New service type.
* doc/guix.texi (Networking Services): Document it.
---
 doc/guix.texi               | 27 ++++++++++++
 gnu/services/networking.scm | 82 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 108 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 39d4b865f6..e71f0a44c9 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -13041,6 +13041,33 @@ objects}).
 @end table
 @end deftp
 
+@cindex nftables
+@defvr {Scheme Variable} nftables-service-type
+This is the service type to set up a nftables configuration.  nftables is a
+netfilter project that aims to replace the existing iptables, ip6tables,
+arptables and ebtables framework.  It provides a new packet filtering
+framework, a new user-space utility @command{nft}, and a compatibility layer
+for iptables.  This service comes with a default ruleset
+@code{%default-nftables-ruleset} that rejecting all incomming connections
+except those to the ssh port 22.  To use it, simply write:
+
+@lisp
+(service nftables-service-type)
+@end lisp
+@end defvr
+
+@deftp {Data Type} nftables-configuration
+The data type representing the configuration of nftables.
+
+@table @asis
+@item @code{package} (default: @code{nftables})
+The nftables package that provides @command{nft}.
+@item @code{ruleset} (default: @code{%default-nftables-ruleset})
+The nftables ruleset to use.  This may be any ``file-like'' object
+(@pxref{G-Expressions, file-like objects}).
+@end table
+@end deftp
+
 @cindex NTP (Network Time Protocol), service
 @cindex ntpd, service for the Network Time Protocol daemon
 @cindex real time clock
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index c775242f99..dd63009116 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -11,6 +11,7 @@
 ;;; Copyright © 2018 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2019 Florian Pelz <pelzflorian@pelzflorian.de>
 ;;; Copyright © 2019 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2019 Sou Bunnbu <iyzsong@member.fsf.org>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -144,7 +145,14 @@
             iptables-configuration-iptables
             iptables-configuration-ipv4-rules
             iptables-configuration-ipv6-rules
-            iptables-service-type))
+            iptables-service-type
+
+            nftables-service-type
+            nftables-configuration
+            nftables-configuration?
+            nftables-configuration-package
+            nftables-configuration-ruleset
+            %default-nftables-ruleset))
 
 ;;; Commentary:
 ;;;
@@ -1415,4 +1423,76 @@ COMMIT
     (list (service-extension shepherd-root-service-type
                              (compose list iptables-shepherd-service))))))
 
+;;;
+;;; nftables
+;;;
+
+(define %default-nftables-ruleset
+  (plain-file "nftables.conf"
+              "# A simple and safe firewall
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop;
+
+    # early drop of invalid connections
+    ct state invalid drop
+
+    # allow established/related connections
+    ct state { established, related } accept
+
+    # allow from loopback
+    iifname lo accept
+
+    # allow icmp
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # allow ssh
+    tcp dport ssh accept
+
+    # reject everything else
+    reject with icmpx type port-unreachable
+  }
+  chain forward {
+    type filter hook forward priority 0; policy drop;
+  }
+  chain output {
+    type filter hook output priority 0; policy accept;
+  }
+}
+"))
+
+(define-record-type* <nftables-configuration>
+  nftables-configuration
+  make-nftables-configuration
+  nftables-configuration?
+  (package nftables-configuration-package
+           (default nftables))
+  (ruleset nftables-configuration-ruleset ; file-like object
+           (default %default-nftables-ruleset)))
+
+(define nftables-shepherd-service
+  (match-lambda
+    (($ <nftables-configuration> package ruleset)
+     (let ((nft (file-append package "/sbin/nft")))
+       (shepherd-service
+        (documentation "Packet filtering and classification")
+        (provision '(nftables))
+        (start #~(lambda _
+                   (invoke #$nft "--file" #$ruleset)))
+        (stop #~(lambda _
+                  (invoke #$nft "flush" "ruleset"))))))))
+
+(define nftables-service-type
+  (service-type
+   (name 'nftables)
+   (description
+    "Run @command{nft}, setting up the specified ruleset.")
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             (compose list nftables-shepherd-service))
+          (service-extension profile-service-type
+                             (compose list nftables-configuration-package))))
+   (default-value (nftables-configuration))))
+
 ;;; networking.scm ends here