waf-wasm
A Proxy-Wasm plugin runtime for Light WAF — a fast, modular Layer-7 Web Application Firewall reverse proxy in Rust.
It loads a .wasm filter and exposes it as a waf_core::WafModule,
so you can extend the WAF with custom logic without forking the core ([modules.wasm],
default off).
Design
- Engine —
wasmi, a pure-Rust interpreter (no JIT, no C toolchain). Pinned to the exact version validated for reentrantmalloc+ fuel + memory-cap traps. - Execution model — the WAF is buffer-then-inspect, so per request the host runs the
Proxy-Wasm request-path callbacks in one shot (
end_of_stream = true) and maps a capturedproxy_send_local_responseto aDecision. The plugin never writes the response itself — the pipeline decides (detection-only stays safe). - DoS posture — fuel is reset per request (a latency ceiling, not just a kill-switch),
memory is capped, and there are no network/filesystem host calls. Any trap fails closed
(
Reject{500}). Instances are pooled with a blocking-with-timeout acquire; each request gets an isolated instance. - Host ABI — a declared subset of host functions is implemented; everything else returns
Unimplementedand is surfaced in a bootImportReport(never a silent partial).
A complete worked example (a custom denylist filter) lives in
examples/wasm-plugin/
in the repository.
The runtime is open source; a plugin marketplace / signing is an enterprise concern (
BOUNDARY.md§2.4).
Part of Light WAF
| Crate | Role |
|---|---|
waf-core |
Base types: Config, Decision, RequestContext, the WafModule contract, the StateStore seam |
waf-normalizer |
Request normalization: decode + NFKC + body/query/cookie parsing + limits |
waf-pipeline |
Phased orchestrator + cumulative anomaly scoring |
waf-detection |
Detection modules (SQLi/XSS/RCE/…) + fast-path prefilter |
| waf-wasm | Proxy-Wasm runtime (wasmi) loading .wasm filters as modules |
waf-proxy |
The waf binary: hyper/tokio reverse proxy |
See the repository for the full architecture.