{"id":17987719,"url":"https://github.com/diekmann/iptables_semantics","last_synced_at":"2025-09-05T13:48:13.996Z","repository":{"id":21033906,"uuid":"24330320","full_name":"diekmann/Iptables_Semantics","owner":"diekmann","description":"Verified iptables Firewall Ruleset Analysis","archived":false,"fork":false,"pushed_at":"2024-06-28T12:57:54.000Z","size":10483,"stargazers_count":98,"open_issues_count":14,"forks_count":13,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-09-04T06:46:04.912Z","etag":null,"topics":["access-control","firewall","haskell","iptables","ipv4","ipv6","isabelle","security"],"latest_commit_sha":null,"homepage":"http://iptables.isabelle.systems/","language":"Isabelle","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/diekmann.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2014-09-22T13:46:04.000Z","updated_at":"2025-05-20T15:03:57.000Z","dependencies_parsed_at":"2025-09-04T06:31:32.484Z","dependency_job_id":"27ab8f3a-c5b4-40a0-9905-ae3dba75a21f","html_url":"https://github.com/diekmann/Iptables_Semantics","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/diekmann/Iptables_Semantics","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/diekmann%2FIptables_Semantics","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/diekmann%2FIptables_Semantics/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/diekmann%2FIptables_Semantics/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/diekmann%2FIptables_Semantics/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/diekmann","download_url":"https://codeload.github.com/diekmann/Iptables_Semantics/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/diekmann%2FIptables_Semantics/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273767656,"owners_count":25164462,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-05T02:00:09.113Z","response_time":402,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","firewall","haskell","iptables","ipv4","ipv6","isabelle","security"],"created_at":"2024-10-29T19:09:28.772Z","updated_at":"2025-09-05T13:48:13.947Z","avatar_url":"https://github.com/diekmann.png","language":"Isabelle","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Iptables_Semantics\n\nA formal semantics of the Linux netfilter iptables firewall.\nWritten in the [Isabelle](https://isabelle.in.tum.de/) interactive proof assistant.\n\nIt features\n  * A real-world model of IPv4/IPv6 addresses as 32bit/128bit machine words.\n  * Executable code.\n  * Support for all common actions in the iptables filter table: ACCEPT, DROP, REJECT, LOG, calling to user-defined chains, RETURN, GOTO to terminal chains, the empty action.\n  * Support for ALL primitive match conditions (by abstracting over unknown match conditions).\n  * Translation to a simplified firewall model.\n  * Certification of spoofing protection.\n  * Service Matrices: For a fixed port, which IP addresses are allowed to connect which other IP addresses? Shows a partition of the complete IPv4/IPv6 addresses.\n  * ...\n\n\n[![isabelle/hol logo](https://raw.githubusercontent.com/diekmann/Iptables_Semantics/master/images/isabelle.png \"Isabelle/HOL\")](http://isabelle.in.tum.de/)\n\n\n### Obtaining\n```\n$ git clone https://github.com/diekmann/Iptables_Semantics.git\n```\n\n---\n\n## Haskell Tool\n\nDon't want to install Isabelle? Don't want to mess with formulas or proofs? Just want a working tool? Cool, checkout our [stand-alone Haskell tool](./haskell_tool/)!\n\n[![FFFUU logo](http://i.imgur.com/qc4dNKl.png \"FFFUU\")](./haskell_tool/)\n\n| Component             | Status |\n| --------------------- | ------ |\n| Haskell tool          | [![Build Status](https://travis-ci.org/diekmann/Iptables_Semantics.svg)](https://travis-ci.org/diekmann/Iptables_Semantics) |\n\nSee README.md in [haskell_tool](./haskell_tool/).\n\n\n---\n\n## Further References\n\n### Talks\n  * 32C3: Verified Firewall Ruleset Verification, Cornelius Diekmann, Hamburg, Germany, December 2015 [[description]](https://events.ccc.de/congress/2015/Fahrplan/events/7195.html) [[video]](https://media.ccc.de/v/32c3-7195-verified_firewall_ruleset_verification#video) [[youtube mirror]](https://www.youtube.com/watch?v=VtfeNiF9pbo)\n  \n  [![youtube video thumbnail](https://img.youtube.com/vi/VtfeNiF9pbo/mqdefault.jpg)](https://media.ccc.de/v/32c3-7195-verified_firewall_ruleset_verification)\n\n### Academic Publications\n\n  * Cornelius Diekmann, Lars Hupel, Julius Michaelis, Maximilian Haslbeck, Georg Carle. *Verified iptables Firewall Analysis and Verification.* In Journal of Automated Reasoning, January 2018. [[preprint]](https://lars.hupel.info/pub/verified-iptables.pdf), [[springer]](https://link.springer.com/article/10.1007%2Fs10817-017-9445-1)\n  * Cornelius Diekmann, *Provably Secure Networks: Methodology and Toolset for Configuration Management.* PhD thesis, Technische Universität München, July 2017. [[preprint]](https://arxiv.org/abs/1708.08228), [[mediatum]](https://mediatum.ub.tum.de/?id=1350756)\n  * Cornelius Diekmann, Julius Michaelis, Maximilian Haslbeck, and Georg Carle. *Verified iptables Firewall Analysis.* In IFIP Networking 2016, Vienna, Austria, May 2016. [[preprint]](http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/verified_iptables_firewall_analysis.pdf), [[ifip]](http://dl.ifip.org/db/conf/networking/networking2016/1570232858.pdf)\n  * Cornelius Diekmann, Lukas Schwaighofer, and Georg Carle. *Certifying spoofing-protection of firewalls.* In 11th International Conference on Network and Service Management, CNSM, Barcelona, Spain, November 2015. [[preprint]](http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/diekmann2015_cnsm.pdf), [[ieee | paywall]](http://ieeexplore.ieee.org/document/7367354/)\n  * Cornelius Diekmann, Lars Hupel, and Georg Carle. *Semantics-Preserving Simplification of Real-World Firewall Rule Sets.* In 20th International Symposium on Formal Methods, June 2015. [[preprint]](http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/fm15_Semantics-Preserving_Simplification_of_Real-World_Firewall_Rule_Sets.pdf), [[springer | paywall]](http://link.springer.com/chapter/10.1007%2F978-3-319-19249-9_13)\n\nThe raw data of the iptables rulesets from the Examples is stored in [this](https://github.com/diekmann/net-network) repositoy.\n\n---\n\n\n## Isabelle Theory Files\n\n\nThis repository is probably not up to date and still uses Isabelle2016-1. **Get the theories for the current Isabelle release directly from the [afp](https://www.isa-afp.org/entries/Iptables_Semantics.shtml)**.\n\nChecking all proofs:\n\n```\n$ isabelle build -v -D . -o document=pdf\n```\nThis needs about 14 CPU hours (about 7 hours real time on an x220, i7 2.7GHz, 16GB ram).\nThe session `Iptables_Semantics_Examples_Large1` needs about 5-6 hours CPU time and `Iptables_Semantics_Examples_Large2` needs about 7 hours of CPU time; you may want to skip those.\n\n\nBuilding the documentation:\n\n```\n$ isabelle build -d . -v -o document=pdf Iptables_Semantics_Documentation\n```\nThe build takes less than 10 minutes on my laptop (14min CPU time, 2 threads).\nThe documentation summarizes the most important definitions and theorems.\nIt is deliberately very very brief and only provides results.\nIt should contain the summarizing correctness theorems for all executable functions we export.\nThis is probably the best point to get started working with the theory files.\n\n\nTo develop, we suggest to load the Bitmagic theory as heap-image:\n```\n$ isabelle jedit -d . -l Bitmagic\n```\n\nCheck the Examples directory to get started\n\n---\n\n### Contributors\n   * [Cornelius Diekmann](http://www.net.in.tum.de/~diekmann/)\n   * [Lars Hupel](http://lars.hupel.info/)\n   * [Julius Michaelis](http://liftm.de)\n   * Max Haslbeck\n   * Stephan-A. Posselt\n   * Lars Noschinski\n\n\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdiekmann%2Fiptables_semantics","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdiekmann%2Fiptables_semantics","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdiekmann%2Fiptables_semantics/lists"}