{"id":16899924,"url":"https://github.com/gyulyvgc/nullnet-firewall","last_synced_at":"2025-03-17T06:32:01.201Z","repository":{"id":205957150,"uuid":"715141169","full_name":"GyulyVGC/nullnet-firewall","owner":"GyulyVGC","description":"Rust-based firewall for network drivers","archived":false,"fork":false,"pushed_at":"2024-07-26T19:43:29.000Z","size":184,"stargazers_count":24,"open_issues_count":2,"forks_count":2,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-03-16T09:12:19.313Z","etag":null,"topics":["firewall","network-programming","networking","rust","security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GyulyVGC.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-06T15:00:52.000Z","updated_at":"2025-03-07T21:09:15.000Z","dependencies_parsed_at":"2024-01-08T11:17:09.671Z","dependency_job_id":"94939535-9a30-4d20-9716-cdff51aff5d3","html_url":"https://github.com/GyulyVGC/nullnet-firewall","commit_stats":null,"previous_names":["gyulyvgc/nullnet-firewall"],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GyulyVGC%2Fnullnet-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GyulyVGC%2Fnullnet-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GyulyVGC%2Fnullnet-firewall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GyulyVGC%2Fnullnet-firewal
l/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GyulyVGC","download_url":"https://codeload.github.com/GyulyVGC/nullnet-firewall/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243986307,"owners_count":20379303,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["firewall","network-programming","networking","rust","security"],"created_at":"2024-10-13T17:50:56.331Z","updated_at":"2025-03-17T06:32:00.557Z","avatar_url":"https://github.com/GyulyVGC.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# nullnet-firewall\n\n[![Crates](https://img.shields.io/crates/v/nullnet-firewall?\u0026logo=rust)](https://crates.io/crates/nullnet-firewall)\n[![CI](https://github.com/gyulyvgc/nullnet-firewall/workflows/CI/badge.svg)](https://github.com/GyulyVGC/nullnet-firewall/actions/)\n[![Docs](https://docs.rs/nullnet-firewall/badge.svg)](https://docs.rs/nullnet-firewall/latest/)\n[![Codecov](https://codecov.io/gh/GyulyVGC/nullnet-firewall/graph/badge.svg?token=0KQNH1DV6Q)](https://codecov.io/gh/GyulyVGC/nullnet-firewall)\n\n**Rust-based firewall for network drivers.**\n\n## Purpose\n\nThis library is used to match network packets against a set of constraints (here called *firewall rules*)\nwith the aim of deciding whether to permit or deny incoming/outgoing traffic.\n\nGiven a set of firewall rules and a network packet, the library will *inform* the user\nabout *how* to handle the packet.\n\nThe library assumes that users are able to manipulate the stream of network 
packets in such a way that\nit's possible to take proper actions to allow or deny the forwarding of single packets\nbetween the network card and the operating system; consequently, this framework is mainly intended\nto be used at the level of *network drivers*.\n\nEach of the packets passed to the firewall will be logged both to standard output\nand to a `SQLite` database with path `./log.sqlite`.\n\n## Firewall definition\n\nA new `Firewall` object is instantiated via the `Firewall::new` method.\n\nThe newly created firewall can be configured via `Firewall::set_rules`, which takes as its parameter\nthe path of a file defining a collection of firewall rules.\n\nEach of the **rules** defined in the file is placed on a new line and has the following structure:\n``` txt\n[+] DIRECTION ACTION [OPTIONS]\n```\n\n* Each rule can optionally be introduced by a `+` character; this gives the rule\n  higher priority (quick rule).\n\n* `DIRECTION` can be either `IN` or `OUT` and represents the traffic directionality.\n\n* `ACTION` can be either `ACCEPT`, `DENY`, or `REJECT` and represents the action\nassociated with the rule.\n\n* For each rule, a list of **options** can be specified to match the desired traffic:\n  * `--dest`: destination IP addresses; the value is expressed in the form of a comma-separated\n    list of IP addresses, in which each entry can also represent an address range (using the `-` character).\n  * `--dport`: destination transport ports; the value is expressed in the form of a comma-separated\n    list of port numbers, in which each entry can also represent a port range (using the `:` character).\n  * `--icmp-type`: ICMP message type; the value is expressed as a number representing\n    a specific message type (see [here](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types) for more info).\n  * `--log-level`: logging strategy to use for traffic matching the rule; possible values are `off`, `console`, `db`, 
`all`.\n  * `--proto`: Internet Protocol number; the value is expressed as a number representing\n    a specific protocol number (see [here](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml#protocol-numbers-1) for more info).\n  * `--source`: source IP addresses; the value is expressed in the form of a comma-separated\n    list of IP addresses, in which each entry can also represent an address range (using the `-` character).\n  * `--sport`: source transport ports; the value is expressed in the form of a comma-separated\n    list of port numbers, in which each entry can also represent a port range (using the `:` character).\n\nA **sample** firewall configuration file is shown below:\n\n``` text\n# Firewall rules (this is a comment line)\n\nIN REJECT --source 8.8.8.8 --log-level off\n# Rules marked with '+' have higher priority\n+ IN ACCEPT --source 8.8.8.0-8.8.8.10 --sport 8\nOUT ACCEPT --source 8.8.8.8,7.7.7.7 --dport 900:1000,1,2,3\nOUT DENY\n```\n\nIf the firewall configuration is invalid, a specific `FirewallError` is returned.\n\n## Usage\n\nA defined `Firewall` object can be used to determine which action to take for each\nof the network packets in transit.\n\nThis is done by invoking `Firewall::resolve_packet`, which answers with the\naction to take for the supplied packet.\n\n``` rust\nuse nullnet_firewall::{Firewall, FirewallDirection, FirewallAction};\n\n// build the firewall from the rules in a file\nlet mut firewall = Firewall::new();\nfirewall.set_rules(\"./samples/firewall.txt\").unwrap();\n\n// here we assume an incoming packet (raw bytes) to match against the firewall\nlet packet = [/* ... */];\n\n// determine the action for the packet\nlet action = firewall.resolve_packet(\u0026packet, FirewallDirection::IN);\n\n// act accordingly\nmatch action {\n    FirewallAction::ACCEPT =\u003e {/* ... */}\n    FirewallAction::DENY =\u003e {/* ... */}\n    FirewallAction::REJECT =\u003e {/* ... 
*/}\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgyulyvgc%2Fnullnet-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgyulyvgc%2Fnullnet-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgyulyvgc%2Fnullnet-firewall/lists"}