author: Maxim Cournoyer <[email protected]> 2025-05-10 22:54:19 +0900
committer: Maxim Cournoyer <[email protected]> 2025-05-26 13:43:28 +0900
commit: cfa2de2a77df3876061c8d26c104d2ebbae2631b (patch)
tree: 85f0a654fe923bd39d1705939b00bc023a0236c8 /doc
parent: 8c5be5f31c6181eb71212f055b6dad216b5f60f4 (diff)
services: Modernize and test nftables service.
* doc/guix.texi (Networking Services) <nftables>: Update doc.
* gnu/services/networking.scm (list-of-debug-levels?):
(debug-level?, maybe-list-of-debug-levels?):
(nftables-configuration): Rewrite using `define-configuration'.
[debug-levels]: New field.
(nftables-shepherd-service): Honor it.
* gnu/tests/networking.scm (%inetd-echo-port): Extract to top level.
(run-iptables-test): Adjust accordingly.
(make-nftables-os): New procedure.
(%default-nftables-ruleset-for-tests): New variable.
(%nftables-os): Likewise.
(%test-nftables): New test.

Change-Id: I2889603342ff6d2be6261c3de6e4fddd9a9bbe2d
Diffstat (limited to 'doc')
-rw-r--r-- doc/guix.texi | 40
1 files changed, 28 insertions, 12 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index 65c64f022e..d69e6ed215 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -22632,32 +22632,48 @@ objects}).
@end deftp
@cindex nftables
+@cindex firewall, nftables
@defvar nftables-service-type
-This is the service type to set up a nftables configuration. nftables is a
-netfilter project that aims to replace the existing iptables, ip6tables,
+This is the service type to set up a nftables configuration. nftables
+is a netfilter project that aims to replace the iptables, ip6tables,
arptables and ebtables framework. It provides a new packet filtering
-framework, a new user-space utility @command{nft}, and a compatibility layer
-for iptables. This service comes with a default ruleset
-@code{%default-nftables-ruleset} that rejecting all incoming connections
-except those to the ssh port 22. To use it, simply write:
+framework, a new user-space utility @command{nft}, and a compatibility
+layer for iptables. This service comes with a default ruleset,
+@code{%default-nftables-ruleset}, that rejects all incoming connections
+except those to the SSH port 22 (TCP). To use it, simply write:
@lisp
(service nftables-service-type)
@end lisp
@end defvar
+@c %start of fragment
+
@deftp {Data Type} nftables-configuration
-The data type representing the configuration of nftables.
+Available @code{nftables-configuration} fields are:
@table @asis
-@item @code{package} (default: @code{nftables})
-The nftables package that provides @command{nft}.
-@item @code{ruleset} (default: @code{%default-nftables-ruleset})
-The nftables ruleset to use. This may be any ``file-like'' object
-(@pxref{G-Expressions, file-like objects}).
+@item @code{package} (default: @code{nftables}) (type: file-like)
+The @code{nftables} package to use.
+
+@item @code{debug-levels} (type: maybe-list-of-debug-levels)
+A list of debug levels, for enabling debugging output. Valid debug
+level values are the @samp{scanner}, @samp{parser}, @samp{eval},
+@samp{netlink}, @samp{mnl}, @samp{proto-ctx}, @samp{segtree} or
+@samp{all} symbols.
+
+@item @code{ruleset} (type: file-like)
+A file-like object containing the complete nftables ruleset. The
+default ruleset rejects all incoming connections except those to TCP
+port 22, with connections from the loopback interface are allowed.
+
@end table
+
@end deftp
+
+@c %end of fragment
+
@cindex NTP (Network Time Protocol), service
@cindex ntpd, service for the Network Time Protocol daemon
@cindex real time clock
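Review bot: the last sentence of the new @code{ruleset} description, "with connections from the loopback interface are allowed", is ungrammatical; suggest "while connections from the loopback interface are allowed", or splitting it into its own sentence. In the same @table, the @code{ruleset} item drops its default while the @code{package} item keeps "(default: @code{nftables})"; since the @defvar text above still directs readers to @code{%default-nftables-ruleset}, restoring "(default: @code{%default-nftables-ruleset})" on that @item line keeps the two places consistent and tells the reader which ruleset is active when the field is omitted. The new @code{debug-levels} item likewise states no default; a short phrase on what happens when the field is left out (the @code{maybe-} type suggests it is simply unset) would complete the entry.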