MCPcopy Index your code
hub / github.com/GyulyVGC/nullnet-firewall

github.com/GyulyVGC/nullnet-firewall @v0.2.2

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.2.2 ↗ · + Follow
211 symbols 312 edges 21 files 8 documented · 4%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

nullnet-firewall

Crates CI Docs Codecov

Rust-based firewall for network drivers.

Purpose

This library is used to match network packets against a set of constraints (here called firewall rules) with the aim of deciding whether to permit or deny incoming/outgoing traffic.

Given a set of firewall rules and a network packet, the library will inform the user about how to handle the packet.

The library assumes that users are able to manipulate the stream of network packets in a way such it's possible to take proper actions to allow or deny the forwarding of single packets between the network card and the operating system; consequently, this framework is mainly intended to be used at the level of network drivers.

Each of the packets passed to the firewall will be logged both in standard output and in a SQLite database with path ./log.sqlite.

Firewall rules definition

A new Firewall object is defined as a set of rules specified in a textual file.

Each of the rules defined in the file is placed on a new line and has the following structure:

[+] DIRECTION ACTION [OPTIONS]
  • Each rule can optionally be introduced by a + character; this will make the rule have higher priority (quick rule).

  • DIRECTION can be either IN or OUT and represents the traffic directionality.

  • ACTION can be either ACCEPT, DENY, or REJECT and represents the action associated with the rule.

  • For each rule, a list of options can be specified to match the desired traffic:

  • --dest: destination IP addresses; the value is expressed in the form of a comma-separated list of IP addresses, in which each entry can also represent an address range (using the - character).
  • --dport: destination transport ports; the value is expressed in the form of a comma-separated list of port numbers, in which each entry can also represent a port range (using the : character).
  • --icmp-type: ICMP message type; the value is expressed as a number representing a specific message type (see here for more info).
  • --proto: Internet Protocol number; the value is expressed as a number representing a specific protocol number (see here for more info).
  • --source: source IP addresses; the value is expressed in the form of a comma-separated list of IP addresses, in which each entry can also represent an address range (using the - character).
  • --sport: source transport ports; the value is expressed in the form of a comma-separated list of port numbers, in which each entry can also represent a port range (using the : character).

A sample firewall configuration file is reported in the following:

# Firewall rules (this is a comment line)

IN REJECT --source 8.8.8.8
# Rules marked with '+' have higher priority
+ IN ACCEPT --source 8.8.8.0-8.8.8.10 --sport 8
OUT ACCEPT --source 8.8.8.8,7.7.7.7 --dport 900:1000,1,2,3
OUT DENY

In case of invalid firewall configurations, a specific FirewallError will be raised.

Usage

A defined Firewall object can be used to determine which action to take for each of the netwrok packets in transit.

This is done by invoking Firewall::resolve_packet, which will answer with the action to take for the supplied packet.

use nullnet_firewall::{Firewall, FirewallDirection, FirewallAction};

// build the firewall from the rules in a file
let firewall = Firewall::new("./samples/firewall.txt").unwrap();

// here we suppose to have a packet to match against the firewall
let packet = [/* ... */];

// determine action for packet, supposing incoming direction for packet
let action = firewall.resolve_packet(&packet, FirewallDirection::IN);

// act accordingly
match action {
    FirewallAction::ACCEPT => {/* ... */}
    FirewallAction::DENY => {/* ... */}
    FirewallAction::REJECT => {/* ... */}
}

Core symbols most depended-on inside this repo

add_entry
called by 14
src/logs/logger.rs
get_error_file_path
called by 13
src/lib.rs
policy_in
called by 7
src/lib.rs
policy_out
called by 7
src/lib.rs
retrieve_all_packets
called by 5
src/logs/logger.rs
contains
called by 5
src/utils/ip_collection.rs
create_table
called by 3
src/logs/logger.rs
update_rules
called by 2
src/lib.rs

Shape

Function 151
Method 45
Class 9
Enum 6

Languages

Rust100%

Modules by API surface

src/lib.rs34 symbols
src/firewall_option.rs30 symbols
src/logs/log_ip.rs23 symbols
src/fields/transport_header.rs18 symbols
src/fields/ip_header.rs18 symbols
src/firewall_rule.rs15 symbols
src/utils/ip_collection.rs13 symbols
src/utils/port_collection.rs12 symbols
src/logs/logger.rs12 symbols
src/logs/log_entry.rs8 symbols
src/logs/log_timestamp.rs7 symbols
src/firewall_direction.rs6 symbols

For agents

$ claude mcp add nullnet-firewall \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact