{"id":47612363,"url":"https://github.com/moolen/neuwerk-rs","last_synced_at":"2026-04-01T20:37:50.676Z","repository":{"id":342843343,"uuid":"1175173141","full_name":"moolen/neuwerk-rs","owner":"moolen","description":"πŸ›‘οΈ Cloud Native Egress Firewall","archived":false,"fork":false,"pushed_at":"2026-03-27T05:10:05.000Z","size":70689,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-03-27T17:41:33.112Z","etag":null,"topics":["dpdk","dpi","egress-filtering","firewall","tls"],"latest_commit_sha":null,"homepage":"http://neuwerk.io/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/moolen.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":"ROADMAP/API-AUTH.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-03-07T10:34:26.000Z","updated_at":"2026-03-26T23:08:37.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/moolen/neuwerk-rs","commit_stats":null,"previous_names":["moolen/neuwerk-rs"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/moolen/neuwerk-rs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moolen%2Fneuwerk-rs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moolen%2Fneuwerk-rs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moolen%2Fneuwerk-rs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moolen%2Fneuwerk-rs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/moolen","download_url":"https://codeload.github.com/moolen/neuwerk-rs/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/moolen%2Fneuwerk-rs/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31291736,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T13:12:26.723Z","status":"ssl_error","status_checked_at":"2026-04-01T13:12:25.102Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dpdk","dpi","egress-filtering","firewall","tls"],"created_at":"2026-04-01T20:37:49.857Z","updated_at":"2026-04-01T20:37:50.663Z","avatar_url":"https://github.com/moolen.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Neuwerk\n\nMost cloud environments accidentally allow outbound traffic to the entire internet.\n\nNot because teams are careless β€” but because modern infrastructure makes it hard to do the right thing. SaaS endpoints sit behind CDNs, IPs change constantly, and traditional firewalls still operate on static CIDR lists.\n\nMeanwhile, policy is written in hostnames:\n`api.stripe.com`, `*.github.com`, `s3.amazonaws.com`.\n\nThis project bridges that gap.\n\nIt turns DNS context into enforceable network policy by binding resolution events to packet filters implemented in a **high-performance DPDK dataplane**. The result is an egress firewall that understands **names, services, and intent**, not just IPs.\n\nNo proxies. No application changes. No vendor lock-in.\n\n---\n\n## Why This Exists\n\nMost egress controls today fall into one of three categories:\n\n- **IP-based firewalls** β€” incompatible with modern SaaS infrastructure\n- **HTTP proxies** β€” operationally painful and incomplete\n- **cloud-provider firewalls** β€” expensive and inconsistent across providers\n\nThe result is predictable: many environments quietly allow `0.0.0.0/0` on port 443.\n\nThis project provides a **programmable, DNS-aware enforcement layer** designed for modern infrastructure.\n\n---\n\n## Architecture\n\nThe system follows a strict **control-plane / data-plane separation**.\n\nThe **dataplane** is implemented with **DPDK**, allowing high-throughput packet inspection and filtering without relying on kernel networking stacks.\n\nThe **control plane** exposes an API that allows policy to be managed programmatically. Policies can be defined through infrastructure pipelines and automatically translated into runtime firewall rules.\n\nThis architecture provides:\n\n* high throughput\n* deterministic performance\n* programmable policy management\n* operational separation between enforcement and configuration\n\n---\n\n## Key Features\n\n### DNS-aware policy enforcement\n\nDNS responses are translated into short-lived IP sets and enforced in the DPDK dataplane.\n\n### TLS metadata filtering\n\nPolicies can match TLS metadata such as **SNI and certificate attributes** without terminating TLS.\n\n### Optional TLS deep packet inspection\n\nFor environments that require deeper inspection, encrypted flows can be analyzed while maintaining a transparent network path.\n\n### Kubernetes integration\n\nDesigned to integrate with Kubernetes networking and container workloads while enforcing policy outside the node trust boundary.\n\n### Infrastructure-as-Code control plane\n\nPolicy configuration integrates naturally with **Terraform and other IaC workflows**.\n\n### Cloud and vendor agnostic\n\nRuns anywhere Linux runs:\n\n- AWS\n- GCP\n- Azure\n- on-premises\n- hybrid environments\n\nNo dependency on proprietary cloud firewall products.\n\n---\n\n## What This Is (and Isn't)\n\nThis is not another heavyweight NGFW appliance.\n\nIt’s a **programmable, API-driven egress firewall** designed for modern infrastructure:\n\n- DNS-aware policy\n- high-performance DPDK dataplane\n- strict control-plane separation\n- cloud-agnostic deployment\n\nThe goal is simple:\n\n**make default-deny egress practical again.**\n\n---\n\n## Documentation\n\nStart with the operator and deployment material in this repository:\n\n- `docs/operations/` for appliance, runtime configuration reference, observability, backup, upgrade, and local demo workflows\n- packaged appliance runtime configuration is documented around `/etc/neuwerk/config.yaml`\n- `demo/vagrant/README.md` for the fastest local evaluation path\n- `terraform-provider-neuwerk/README.md` for Terraform automation coverage\n- `www/src/content/docs/` for the broader structured docs set that backs the project site\n\nFor API integrations, Neuwerk also exposes a generated OpenAPI document at runtime and ships a\nstatic docs copy under `www/public/openapi/`.\n\nTo refresh or verify the checked-in static OpenAPI artifact, use:\n\n- `make openapi.sync`\n- `make openapi.check`\n\n---\n\n## License\n\nNeuwerk is licensed under Apache License 2.0. See `LICENSE`.\n\n---\n\n## Local Benchmarking\n\nFor dataplane microbenchmarks, use the repo runner instead of ad hoc `cargo bench` commands:\n\n```bash\nmake bench.dataplane\nNEUWERK_BENCH_CORE=2 NEUWERK_BENCH_SAVE_BASELINE=before make bench.dataplane\nNEUWERK_BENCH_CORE=2 NEUWERK_BENCH_COMPARE_BASELINE=before make bench.dataplane\n```\n\nThe runner lives at `scripts/bench-dataplane.sh` and standardizes sample size, warm-up time, optional CPU affinity, optional nice level, and log capture under `target/criterion-runs/`.\n\nFor the feature-gated Rust surface, use:\n\n```bash\nmake test.all-features\n```\n\n## Project Status\n\n- Release readiness: `docs/operations/release-readiness.md`\n- Security contact: `security@neuwerk.io`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoolen%2Fneuwerk-rs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmoolen%2Fneuwerk-rs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmoolen%2Fneuwerk-rs/lists"}