Module firewall

Security-group + network-ACL packet filtering (issue #1745 phase 3).

Phase 2 isolates instances at L3 by giving each subnet its own daemon bridge. That stops cross-VPC traffic but does nothing within a subnet — security-group and NACL rules still block nothing. This module closes that gap by translating the SG/NACL model into an nftables ruleset and applying it on the host, scoped to fakecloud’s per-subnet bridges.

Why nftables, and why opt-in

Real packet filtering needs CAP_NET_ADMIN, which instance containers deliberately don’t have. nftables (over iptables) is chosen for its atomic ruleset swaps — a clean fit for the dynamic Authorize/Revoke churn of security groups. Because applying host firewall rules is privileged and can interfere with a user’s own networking, enforcement is opt-in via FAKECLOUD_EC2_SG_ENFORCEMENT and degrades gracefully: when nft or CAP_NET_ADMIN is missing (CI, Docker Desktop, rootless podman) the driver logs one warning and falls back to metadata-only — phase-2 isolation still holds, exactly as before (no regression).

What's tested where

The translation from the SG/NACL model to the nft ruleset (render_ruleset) is pure and exhaustively unit-tested. The apply path shells out to nft -f -; it cannot be exercised in CI (no CAP_NET_ADMIN), so it is kept thin and the generated ruleset is the verified artifact.

Structs

FirewallRule
A single allow rule flattened out of a security group: one protocol/port range from one CIDR (referenced-group and prefix-list sources are resolved to CIDRs by the caller, or dropped when they can’t be).
InstanceFirewall
One instance’s firewall view: its address on the subnet bridge plus the ingress/egress rules flattened from every security group attached to it.
InstanceRules
One running instance’s flattened firewall view, keyed by both its id (for the k8s NetworkPolicy podSelector) and its IP (for nft). The shared intermediate the service layer produces from EC2 state; the nft model builder and the k8s NetworkPolicy builder both consume it.
NaclRule
A subnet-level NACL entry. NACLs are stateless and apply to the whole subnet; AWS evaluates them in ascending rule_number order, first match wins (so a lower-numbered allow shadows a higher-numbered deny for the same traffic).
SubnetFirewall
Everything needed to render the firewall for one subnet bridge.
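The following is an added example, not fakecloud's own code, of how the structs listed above can be turned into the verified artifact the module describes: a deterministic nft ruleset text for `nft -f -`, with NACL entries emitted in ascending `rule_number` order so nft's first-match evaluation reproduces AWS's, and a separate stateful security-group chain per bridge. The field names, the chain naming scheme, the `forward` hook placement and the table name `fakecloud` are all assumptions made for the illustration; it serves both the `NaclRule` description and the `render_ruleset` entry below.

```rust
// Added example, not fakecloud's own code. Struct fields, chain names, the
// hook placement and the table name "fakecloud" are assumptions.
use std::fmt::Write;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Action { Allow, Deny }

/// Subnet-level NACL entry. Stateless; AWS evaluates entries in ascending
/// `rule_number` order and the first match wins.
#[derive(Clone, Debug)]
pub struct NaclRule {
    pub rule_number: u32,
    pub protocol: &'static str, // "tcp", "udp" or "all" (assumed encoding)
    pub port_from: u16,
    pub port_to: u16,
    pub cidr: &'static str,
    pub action: Action,
}

/// One security-group allow flattened to a single protocol/port range/CIDR.
#[derive(Clone, Debug)]
pub struct FirewallRule { pub protocol: &'static str, pub port_from: u16, pub port_to: u16, pub cidr: &'static str }

/// One instance's address on the bridge plus its flattened ingress allows.
pub struct InstanceFirewall { pub ip: &'static str, pub ingress: Vec<FirewallRule> }

/// Everything needed to render one subnet bridge.
pub struct SubnetFirewall { pub bridge: &'static str, pub nacl_ingress: Vec<NaclRule>, pub instances: Vec<InstanceFirewall> }

/// L4 match fragment; empty means "any protocol and port".
fn l4_match(protocol: &str, from: u16, to: u16) -> String {
    match protocol {
        "all" => String::new(),
        p if from == to => format!(" {} dport {}", p, from),
        p => format!(" {} dport {}-{}", p, from, to),
    }
}

/// Chain names avoid '-' so any bridge name yields a valid nft identifier.
fn chain_suffix(bridge: &str) -> String { bridge.replace('-', "_") }

/// Render the text fed to `nft -f -`. Declaring and flushing the table first
/// makes the load an atomic replace of whatever ruleset is currently applied.
pub fn render_ruleset(subnets: &[SubnetFirewall]) -> String {
    let mut out = String::new();
    out.push_str("table inet fakecloud\nflush table inet fakecloud\ntable inet fakecloud {\n");
    for s in subnets {
        let name = chain_suffix(s.bridge);
        // NACL chain, sorted by rule_number. An allow `return`s to the base chain
        // (the SG chain still has to allow the packet); the trailing drop is
        // AWS's implicit catch-all deny.
        let mut nacl = s.nacl_ingress.clone();
        nacl.sort_by_key(|r| r.rule_number);
        writeln!(out, "  chain nacl_in_{} {{", name).unwrap();
        for r in &nacl {
            let verdict = match r.action { Action::Allow => "return", Action::Deny => "drop" };
            writeln!(out, "    ip saddr {}{} {} comment \"nacl {}\"", r.cidr,
                l4_match(r.protocol, r.port_from, r.port_to), verdict, r.rule_number).unwrap();
        }
        out.push_str("    drop\n  }\n");
        // SG chain: stateful, so replies are accepted up front; anything not
        // explicitly allowed falls through to drop.
        writeln!(out, "  chain sg_in_{} {{", name).unwrap();
        out.push_str("    ct state established,related accept\n");
        for inst in &s.instances {
            for r in &inst.ingress {
                writeln!(out, "    ip daddr {} ip saddr {}{} accept", inst.ip, r.cidr,
                    l4_match(r.protocol, r.port_from, r.port_to)).unwrap();
            }
        }
        out.push_str("    drop\n  }\n");
    }
    // Base chain keeps policy accept so the user's own networking is untouched;
    // only traffic headed out a fakecloud bridge is filtered.
    out.push_str("  chain forward {\n    type filter hook forward priority 0; policy accept;\n");
    for s in subnets {
        let name = chain_suffix(s.bridge);
        writeln!(out, "    oifname \"{}\" jump nacl_in_{}", s.bridge, name).unwrap();
        writeln!(out, "    oifname \"{}\" jump sg_in_{}", s.bridge, name).unwrap();
    }
    out.push_str("  }\n}\n");
    out
}

/// Constructed sample: NACL entries supplied out of order (200 before 100) and
/// one instance allowing SSH from a bastion range.
pub fn sample_subnet() -> SubnetFirewall {
    SubnetFirewall {
        bridge: "fc-subnet-a",
        nacl_ingress: vec![
            NaclRule { rule_number: 200, protocol: "tcp", port_from: 22, port_to: 22, cidr: "10.0.0.0/8", action: Action::Deny },
            NaclRule { rule_number: 100, protocol: "tcp", port_from: 22, port_to: 22, cidr: "10.0.0.0/8", action: Action::Allow },
        ],
        instances: vec![InstanceFirewall {
            ip: "10.1.0.10",
            ingress: vec![FirewallRule { protocol: "tcp", port_from: 22, port_to: 22, cidr: "10.0.1.0/24" }],
        }],
    }
}
```

Because the renderer is pure, the unit test is a string comparison: rule 100 (allow) must land above rule 200 (deny) however the caller supplied them, the NACL chain must end in `drop`, and rendering the same model twice must give identical text. Which hook sees bridge-local traffic depends on the host (routed traffic between bridges hits `forward`; frames switched inside one bridge need br_netfilter), so the hook placement is the part to check against the real host before trusting the rendered file.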

Enums

EnforcementMode
How security-group enforcement is backed in this process.

Functions

group_by_subnet
Group instances by their subnet network name into the per-subnet model the renderer consumes. Pure helper so the service layer can build the model from its own state without depending on render internals.
host_shares_daemon_netns
Whether the container daemon shares this process’s network namespace, so host nftables rules actually see the inter-container traffic. True only on a native-Linux host; Docker Desktop / podman-machine on macOS/Windows run the daemon in a separate Linux VM. (Honest default; can be overridden by the caller when fakecloud and the daemon are known to share a netns.)
nft_available
True when nft list ruleset runs successfully — i.e. nft exists and this process holds enough capability to read the ruleset (a good proxy for being able to write it).
render_ruleset
Render the complete nft ruleset for a set of subnets. Deterministic (subnets and rules emitted in the order given; the caller sorts for stability) so the output can be diffed and unit-tested.
resolve_enforcement_mode
Decide the enforcement mode from the environment. Enforcement is opt-in: FAKECLOUD_EC2_SG_ENFORCEMENT must be set to 1/true/nftables, nft must be runnable, AND the daemon must run on this host’s network namespace (host_local). env, host_local, and nft_probe are injected so the decision is unit-testable without touching the environment or running nft.
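An added example, not fakecloud's own code, of the opt-in decision described for `resolve_enforcement_mode` together with the `nft list ruleset` probe described for `nft_available`: the environment lookup, the host-netns flag and the nft probe are injected so every branch can be unit-tested without touching the process environment or running nft, and each fallback carries the one-line reason the driver would log. The variant names, the `Option<String>` reason payload and `from_process_env` are assumptions for this illustration.

```rust
// Added example, not fakecloud's own code. Variant names and the reason
// payload on the metadata-only variant are assumptions.
use std::process::{Command, Stdio};

pub const ENFORCEMENT_VAR: &str = "FAKECLOUD_EC2_SG_ENFORCEMENT";

#[derive(Debug, PartialEq, Eq, Clone)]
pub enum EnforcementMode {
    /// Rules are rendered and applied on the host with `nft -f -`.
    Nftables,
    /// No packet filtering; SG/NACL state is served through metadata only and
    /// phase-2 bridge isolation still applies. The payload is the one-line
    /// warning to log, or None when enforcement was simply not requested.
    MetadataOnly(Option<String>),
}

/// The opt-in counts only for an explicit positive value (1/true/nftables).
fn opted_in(value: Option<&str>) -> bool {
    matches!(
        value.map(|v| v.trim().to_ascii_lowercase()).as_deref(),
        Some("1") | Some("true") | Some("nftables")
    )
}

/// All three conditions must hold, checked in the order the module doc lists
/// them: opted in, nft runnable, daemon on this host's network namespace.
pub fn resolve_enforcement_mode(
    env: impl Fn(&str) -> Option<String>,
    host_local: bool,
    nft_probe: impl Fn() -> bool,
) -> EnforcementMode {
    let raw = env(ENFORCEMENT_VAR);
    if !opted_in(raw.as_deref()) {
        return EnforcementMode::MetadataOnly(None);
    }
    if !nft_probe() {
        return EnforcementMode::MetadataOnly(Some(format!(
            "{} is set but `nft list ruleset` failed (nft missing or no CAP_NET_ADMIN); \
             falling back to metadata-only",
            ENFORCEMENT_VAR
        )));
    }
    if !host_local {
        return EnforcementMode::MetadataOnly(Some(format!(
            "{} is set but the container daemon does not share this host's network \
             namespace, so host nft rules would not see instance traffic; falling back to metadata-only",
            ENFORCEMENT_VAR
        )));
    }
    EnforcementMode::Nftables
}

/// Real probe: `nft list ruleset` succeeds only when nft exists and this process
/// can read the ruleset, a reasonable proxy for being allowed to write it.
pub fn nft_available() -> bool {
    Command::new("nft")
        .args(["list", "ruleset"])
        .stdout(Stdio::null())
        .stderr(Stdio::null())
        .status()
        .map(|s| s.success())
        .unwrap_or(false)
}

/// Wire the real inputs in; `host_local` comes from the caller's netns check.
pub fn from_process_env(host_local: bool) -> EnforcementMode {
    resolve_enforcement_mode(|k| std::env::var(k).ok(), host_local, nft_available)
}
```

The decision function never touches the real environment or spawns `nft` itself, which is what keeps it testable in CI where neither the variable nor `CAP_NET_ADMIN` is present; only `from_process_env` binds the real probes, and its result is a plain value the caller can log once and keep.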