summary refs log tree commit diff
path: root/doc/guix.texi
diff options
context:
space:
mode:
authorArun Isaac <arunisaac@systemreboot.net>2018-08-17 16:39:07 +0530
committerArun Isaac <arunisaac@systemreboot.net>2018-09-20 13:09:55 +0530
commit9926b8f8096a0198cc34585bf7424eba0c98aee2 (patch)
tree030c3d31e6eb30560a08c50154dbfb43471c4352 /doc/guix.texi
parent3e63a83c0fa5621a272f0a43dc2dfcb46081804e (diff)
downloadguix-9926b8f8096a0198cc34585bf7424eba0c98aee2.tar.gz
gnu: services: Add iptables service.
* gnu/services/networking.scm (<iptables-configuration>): New record type.
(iptables-service-type): New variable.
* gnu/tests/networking.scm (run-iptables-test): New procedure.
(%test-iptables): New variable.
* doc/guix.texi (Networking Services): Document it.
Diffstat (limited to 'doc/guix.texi')
-rw-r--r--doc/guix.texi48
1 files changed, 48 insertions, 0 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 8987b20fa9..b925485be5 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -11612,6 +11612,54 @@ Thus, it can be instantiated like this:
 @end lisp
 @end defvr
 
+@cindex iptables
+@defvr {Scheme Variable} iptables-service-type
+This is the service type to set up an iptables configuration. iptables is a
+packet filtering framework supported by the Linux kernel.  This service
+supports configuring iptables for both IPv4 and IPv6.  A simple example
+configuration rejecting all incoming connections except those to the ssh port
+22 is shown below.
+
+@lisp
+(service iptables-service-type
+         (iptables-configuration
+          (ipv4-rules (plain-file "iptables.rules" "*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+"))
+          (ipv6-rules (plain-file "ip6tables.rules" "*filter
+:INPUT ACCEPT
+:FORWARD ACCEPT
+:OUTPUT ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-port-unreachable
+COMMIT
+"))))
+@end lisp
+@end defvr
+
+@deftp {Data Type} iptables-configuration
+The data type representing the configuration of iptables.
+
+@table @asis
+@item @code{iptables} (default: @code{iptables})
+The iptables package that provides @code{iptables-restore} and
+@code{ip6tables-restore}.
+@item @code{ipv4-rules} (default: @code{%iptables-accept-all-rules})
+The iptables rules to use.  It will be passed to @code{iptables-restore}.
+This may be any ``file-like'' object (@pxref{G-Expressions, file-like
+objects}).
+@item @code{ipv6-rules} (default: @code{%iptables-accept-all-rules})
+The ip6tables rules to use.  It will be passed to @code{ip6tables-restore}.
+This may be any ``file-like'' object (@pxref{G-Expressions, file-like
+objects}).
+@end table
+@end deftp
+
 @cindex NTP
 @cindex real time clock
 @deffn {Scheme Procedure} ntp-service [#:ntp @var{ntp}] @