Journey to an extensible nftables-service-type

2025-03-10

GNU Guix currently provides two services to manage a firewall, iptables-service-type and nftables-service-type. However both of them take a full list of rules as a configuration, with no possibility to use the extension mechanism for later modifications.

I think this is fine most of the time. However I was curious whether there is better way. The answer is "maybe". I have decided to base my system on nftables-service-type because I like the idea of having a single set of rules for both IPv4 and IPv6.

My first attempt was bad, really bad. I got too fixated on solving a general problem of providing an interface to manipulate nested alists, and I also tried too hard to do things "the Guix way" without understanding it fully. Setting the initial firewall (based on the default rules) was simple (though inelegant) enough.

(service
 nftables-service-type
 (nftables-configuration
  (tables
   (modify-nftables-tables %default-nftables-tables
     (mod 'inet
          (mod 'input
               (rep 'allow-ssh
                    (and open-sshd "tcp dport 2222 accept"))))))))

Each table, chain and rule had a label, and you could dig into the tree and modify it. The snippet above modifies (mod) table 'inet, chain 'input, where it replaces (rep) rule labeled 'allow-ssh with either the new rule or with #f. The #f is a special case meaning "ignore the rule".

This worked for adding the service itself, but when (more than a year later) I got to trying to add support for the extensions, it did not look good. The syntax was too verbose. I think because I was solving too general problem. One bad habit I got while writing in Guile is trying to figure out elegant, all encompassing approach. Sometimes I succeed, often I fail.

I tried to rethink the problem. What is it I want to achieve 99% of the cases? I have a locked down firewall, so typically I just want to open additional ports, preferably by an extension mechanism, so that the service using the port can open it for itself. So let us focus on that.

Adding the service (with default rules got simpler).

(service nftables-service-type)

Now, how do we change the ssh port, same as before?

(simple-service 'f-allow-ssh nftables-service-type
                (nftables-extension
                 (operation (if open-sshd
                                'replace
                                'delete))
                 (rule "tcp dport 2222 accept")
                 (replace-target "tcp dport ssh accept")))

We traded one weird special case (#f being ignored) for another (replace-target is used only for 'replace operation), but it looks nicer I think. And, more importantly, opening additional ports (which is our ultimate goal) got much easier.

(simple-service 'f-allow-http nftables-service-type
                (nftables-extension
                 (rule "tcp dport 80 accept")))

Since the default operation is 'append all we need to specify is the rule and nothing else. So far it seems to work well.

There is no documentation written yet, but you can check the code in my networking module. I will leave it cooking for some time more before sending this upstream. I need to see how this approach will work long time and how it will scale. Who knows, maybe I will need to redo it again.

That is all for today, see you next time.

ヾ(^∇^)

© 2025 Tomas Volf

This website is built with Haunt, a static site generator written in Guile Scheme.