pub struct Firewall { /* private fields */ }
Object embedding a collection of firewall rules and policies to determine the action to be taken for a given network packet.
A new Firewall can be created from a textual file listing a set of rules.
Implementations
impl Firewall
pub fn new(file_path: &str) -> Result<Self, FirewallError>
Instantiates a new Firewall from a file.
§Arguments
file_path - The path of a file defining the firewall rules.
§Errors
Will return a FirewallError if the rules defined in the file are not properly formatted.
§Panics
Will panic if the supplied file_path does not exist or the user does not have permission to read it.
§Examples
use nullnet_firewall::Firewall;
let firewall = Firewall::new("./samples/firewall.txt").unwrap();
Sample file content:
OUT REJECT --source 8.8.8.8 --sport 6700:6800,8080
OUT DENY --source 192.168.200.0-192.168.200.255 --sport 6700:6800,8080 --dport 1,2,2000
IN ACCEPT --source 2.1.1.2,2.1.1.3 --dest 2.1.1.1 --proto 1
IN REJECT --source 2.1.1.2 --dest 2.1.1.1 --proto 1 --icmp-type 8
OUT REJECT
IN ACCEPT
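To make the rule syntax above concrete, here is an added example (it is not code from nullnet_firewall or its author) that parses lines in this format and evaluates them against a hand-constructed packet summary. Everything in it is the example's own: the Rule, PacketInfo, Direction and Action types, the choice that an omitted option means "any", and the choice that the first matching rule wins and that no match falls back to the given policy. The crate's own precedence between overlapping rules (for instance the two IN rules for 2.1.1.2 in the sample) is not stated on this page and should be checked against the crate documentation before relying on rule order.

```rust
use std::net::Ipv4Addr;
use std::ops::RangeInclusive;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Direction { In, Out }

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action { Accept, Deny, Reject }

/// One parsed rule line (example type). An empty list or `None` means "any".
#[derive(Debug)]
pub struct Rule {
    pub direction: Direction,
    pub action: Action,
    pub source: Vec<RangeInclusive<Ipv4Addr>>,
    pub dest: Vec<RangeInclusive<Ipv4Addr>>,
    pub sport: Vec<RangeInclusive<u16>>,
    pub dport: Vec<RangeInclusive<u16>>,
    pub proto: Option<u8>,
    pub icmp_type: Option<u8>,
}

/// Header fields a packet decoder would extract; constructed by hand in this example.
pub struct PacketInfo {
    pub src: Ipv4Addr,
    pub dst: Ipv4Addr,
    pub proto: u8,
    pub sport: Option<u16>,
    pub dport: Option<u16>,
    pub icmp_type: Option<u8>,
}

/// Parse a comma-separated list whose items are `v` or `lo<sep>hi`
/// (`:` for port ranges such as 6700:6800, `-` for address ranges such as a.b.c.0-a.b.c.255).
fn parse_list<T: std::str::FromStr + PartialOrd>(s: &str, sep: char) -> Result<Vec<RangeInclusive<T>>, String> {
    s.split(',')
        .map(|item| {
            let parse = |v: &str| v.parse::<T>().map_err(|_| format!("bad value '{v}'"));
            let (lo, hi) = match item.split_once(sep) {
                Some((lo, hi)) => (parse(lo)?, parse(hi)?),
                None => (parse(item)?, parse(item)?),
            };
            if lo > hi {
                return Err(format!("inverted range '{item}'"));
            }
            Ok(lo..=hi)
        })
        .collect()
}

/// Parse one rule line: DIRECTION ACTION [--option value]...
pub fn parse_rule(line: &str) -> Result<Rule, String> {
    let mut tok = line.split_whitespace();
    let direction = match tok.next() {
        Some("IN") => Direction::In,
        Some("OUT") => Direction::Out,
        other => return Err(format!("bad direction {other:?}")),
    };
    let action = match tok.next() {
        Some("ACCEPT") => Action::Accept,
        Some("DENY") => Action::Deny,
        Some("REJECT") => Action::Reject,
        other => return Err(format!("bad action {other:?}")),
    };
    let mut rule = Rule { direction, action, source: vec![], dest: vec![], sport: vec![],
                          dport: vec![], proto: None, icmp_type: None };
    while let Some(opt) = tok.next() {
        let val = tok.next().ok_or_else(|| format!("missing value for {opt}"))?;
        match opt {
            "--source" => rule.source = parse_list(val, '-')?,
            "--dest" => rule.dest = parse_list(val, '-')?,
            "--sport" => rule.sport = parse_list(val, ':')?,
            "--dport" => rule.dport = parse_list(val, ':')?,
            "--proto" => rule.proto = Some(val.parse::<u8>().map_err(|_| format!("bad proto '{val}'"))?),
            "--icmp-type" => rule.icmp_type = Some(val.parse::<u8>().map_err(|_| format!("bad icmp-type '{val}'"))?),
            _ => return Err(format!("unknown option {opt}")),
        }
    }
    Ok(rule)
}

/// Parse a whole rules file; blank lines are skipped and any malformed line rejects the file.
pub fn parse_rules(text: &str) -> Result<Vec<Rule>, String> {
    text.lines().map(str::trim).filter(|l| !l.is_empty()).map(parse_rule).collect()
}

impl Rule {
    pub fn matches(&self, dir: Direction, p: &PacketInfo) -> bool {
        // An empty selector matches anything; a port selector cannot match a packet without ports.
        fn in_any<T: PartialOrd>(ranges: &[RangeInclusive<T>], v: Option<&T>) -> bool {
            ranges.is_empty() || v.map_or(false, |v| ranges.iter().any(|r| r.contains(v)))
        }
        self.direction == dir
            && in_any(&self.source, Some(&p.src))
            && in_any(&self.dest, Some(&p.dst))
            && in_any(&self.sport, p.sport.as_ref())
            && in_any(&self.dport, p.dport.as_ref())
            && self.proto.map_or(true, |pr| pr == p.proto)
            && self.icmp_type.map_or(true, |t| p.icmp_type == Some(t))
    }
}

/// ASSUMPTION of this example: first matching rule wins, no match falls back to `policy`.
pub fn resolve(rules: &[Rule], dir: Direction, p: &PacketInfo, policy: Action) -> Action {
    rules.iter().find(|r| r.matches(dir, p)).map_or(policy, |r| r.action)
}

/// The sample file from the documentation above, embedded so the example runs offline.
pub const SAMPLE_RULES: &str = "\
OUT REJECT --source 8.8.8.8 --sport 6700:6800,8080
OUT DENY --source 192.168.200.0-192.168.200.255 --sport 6700:6800,8080 --dport 1,2,2000
IN ACCEPT --source 2.1.1.2,2.1.1.3 --dest 2.1.1.1 --proto 1
IN REJECT --source 2.1.1.2 --dest 2.1.1.1 --proto 1 --icmp-type 8
OUT REJECT
IN ACCEPT
";

fn main() {
    let rules = parse_rules(SAMPLE_RULES).expect("sample rules parse");
    // Constructed packet: outgoing TCP from 192.168.200.7:8080 to 10.0.0.1:2000.
    let p = PacketInfo { src: "192.168.200.7".parse().unwrap(), dst: "10.0.0.1".parse().unwrap(),
                         proto: 6, sport: Some(8080), dport: Some(2000), icmp_type: None };
    println!("{:?}", resolve(&rules, Direction::Out, &p, Action::Accept)); // Deny (second rule)
}
```

Under first-match precedence the broad "IN ACCEPT ... --proto 1" rule shadows the more specific "IN REJECT ... --icmp-type 8" rule below it, which is exactly the kind of ordering mistake worth testing for with a parser like this before a rule set goes live.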
pub fn resolve_packet(&self, packet: &[u8], direction: FirewallDirection) -> FirewallAction
Returns the action to be taken for a supplied network packet, according to the rules defined for the Firewall.
§Arguments
packet - Raw network packet bytes, including headers and payload.
direction - The network packet direction (incoming or outgoing).
§Panics
Will panic if the logger routine of the firewall aborts for some reason.
§Examples
use nullnet_firewall::{Firewall, FirewallDirection, FirewallAction};
let firewall = Firewall::new("./samples/firewall.txt").unwrap();
// here we suppose to have a packet to match against the firewall
let packet = [/* ... */];
// determine action for packet, supposing incoming direction for packet
let action = firewall.resolve_packet(&packet, FirewallDirection::IN);
// act accordingly
match action {
FirewallAction::ACCEPT => {/* ... */}
FirewallAction::DENY => {/* ... */}
FirewallAction::REJECT => {/* ... */}
}
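The examples on this page leave the packet itself elided (`[/* ... */]`). The following added example, which is not part of nullnet_firewall, builds realistic bytes to hand to resolve_packet: an Ethernet II frame carrying an IPv4 ICMP echo request from 2.1.1.2 to 2.1.1.1 (the selector fields used by the sample rules, --proto 1 --icmp-type 8), plus a TCP header builder for port-based rules, all with correct checksums so a parser has no reason to discard them. The MAC addresses, IP identification, window size and payload are constructed values chosen for the example; the helper names are the example's own.

```rust
use std::net::Ipv4Addr;

pub const ETH_HDR_LEN: usize = 14;
pub const ETHERTYPE_IPV4: u16 = 0x0800;
pub const IPPROTO_ICMP: u8 = 1;
pub const IPPROTO_TCP: u8 = 6;

/// RFC 1071 one's-complement checksum; an odd trailing byte is zero-padded.
pub fn checksum(data: &[u8]) -> u16 {
    let mut sum: u32 = data
        .chunks(2)
        .map(|c| u32::from(u16::from_be_bytes([c[0], *c.get(1).unwrap_or(&0)])))
        .sum();
    while sum >> 16 != 0 {
        sum = (sum & 0xffff) + (sum >> 16);
    }
    !(sum as u16)
}

/// ICMP echo request (type 8, code 0) with identifier, sequence number and payload.
pub fn icmp_echo_request(id: u16, seq: u16, payload: &[u8]) -> Vec<u8> {
    let mut msg = vec![8, 0, 0, 0];
    msg.extend_from_slice(&id.to_be_bytes());
    msg.extend_from_slice(&seq.to_be_bytes());
    msg.extend_from_slice(payload);
    let c = checksum(&msg).to_be_bytes();
    msg[2..4].copy_from_slice(&c);
    msg
}

/// TCP header with no options or payload; the checksum covers the IPv4 pseudo-header (RFC 9293).
pub fn tcp_segment(src: Ipv4Addr, dst: Ipv4Addr, sport: u16, dport: u16, flags: u8) -> Vec<u8> {
    let mut seg = vec![0u8; 20];
    seg[0..2].copy_from_slice(&sport.to_be_bytes());
    seg[2..4].copy_from_slice(&dport.to_be_bytes());
    seg[12] = 5 << 4; // data offset: 5 words
    seg[13] = flags;  // e.g. 0x02 = SYN
    seg[14..16].copy_from_slice(&65535u16.to_be_bytes()); // window (constructed value)
    let mut pseudo = Vec::with_capacity(12 + seg.len());
    pseudo.extend_from_slice(&src.octets());
    pseudo.extend_from_slice(&dst.octets());
    pseudo.extend_from_slice(&[0, IPPROTO_TCP]);
    pseudo.extend_from_slice(&(seg.len() as u16).to_be_bytes());
    pseudo.extend_from_slice(&seg);
    let c = checksum(&pseudo).to_be_bytes();
    seg[16..18].copy_from_slice(&c);
    seg
}

/// IPv4 packet with a 20-byte header (no options) and a valid header checksum.
pub fn ipv4_packet(src: Ipv4Addr, dst: Ipv4Addr, proto: u8, payload: &[u8]) -> Vec<u8> {
    let mut pkt = vec![0u8; 20];
    pkt[0] = 0x45; // version 4, IHL 5
    pkt[2..4].copy_from_slice(&((20 + payload.len()) as u16).to_be_bytes());
    pkt[4..6].copy_from_slice(&0x1234u16.to_be_bytes()); // identification (constructed value)
    pkt[6..8].copy_from_slice(&0x4000u16.to_be_bytes()); // flags: DF, fragment offset 0
    pkt[8] = 64; // TTL
    pkt[9] = proto;
    pkt[12..16].copy_from_slice(&src.octets());
    pkt[16..20].copy_from_slice(&dst.octets());
    let c = checksum(&pkt).to_be_bytes();
    pkt[10..12].copy_from_slice(&c);
    pkt.extend_from_slice(payload);
    pkt
}

/// Ethernet II frame: dst MAC, src MAC, EtherType, payload (no FCS, as a capture library delivers it).
pub fn ethernet_frame(dst: [u8; 6], src: [u8; 6], ethertype: u16, payload: &[u8]) -> Vec<u8> {
    let mut f = Vec::with_capacity(ETH_HDR_LEN + payload.len());
    f.extend_from_slice(&dst);
    f.extend_from_slice(&src);
    f.extend_from_slice(&ethertype.to_be_bytes());
    f.extend_from_slice(payload);
    f
}

/// Recompute the header checksum of a raw IP packet: a valid header sums to zero.
pub fn ipv4_header_checksum_ok(ip: &[u8]) -> bool {
    let ihl = ip.first().map_or(0, |b| usize::from(b & 0x0f) * 4);
    ihl >= 20 && ip.len() >= ihl && checksum(&ip[..ihl]) == 0
}

/// Constructed sample: ICMP echo request 2.1.1.2 -> 2.1.1.1 as an Ethernet frame,
/// the shape resolve_packet expects with the default data link type.
pub fn sample_echo_frame() -> Vec<u8> {
    let src: Ipv4Addr = "2.1.1.2".parse().unwrap();
    let dst: Ipv4Addr = "2.1.1.1".parse().unwrap();
    let icmp = icmp_echo_request(0x0042, 1, b"nullnet-test");
    let ip = ipv4_packet(src, dst, IPPROTO_ICMP, &icmp);
    ethernet_frame([0x02, 0, 0, 0, 0, 0x01], [0x02, 0, 0, 0, 0, 0x02], ETHERTYPE_IPV4, &ip)
}

fn main() {
    let frame = sample_echo_frame();
    // Pass `&frame` to resolve_packet with the default Ethernet data link, or
    // `&frame[ETH_HDR_LEN..]` after calling firewall.data_link(DataLink::RawIP).
    println!("{} bytes, IP header checksum ok: {}", frame.len(), ipv4_header_checksum_ok(&frame[ETH_HDR_LEN..]));
}
```

Feeding both the framed and the raw-IP form of the same packet through resolve_packet (with and without data_link(DataLink::RawIP)) is a cheap way to confirm the data link setting matches what the capture source actually delivers; a mismatch silently changes which bytes the firewall reads as the IP header.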
pub fn update_rules(&mut self, file_path: &str) -> Result<(), FirewallError>
Updates the rules of a previously instantiated Firewall.
§Arguments
file_path - The path of a file defining the firewall rules.
§Errors
Will return a FirewallError if the rules defined in the file are not properly formatted.
§Panics
Will panic if the supplied file_path does not exist or the user does not have permission to read it.
§Examples
use nullnet_firewall::Firewall;
let mut firewall = Firewall::new("./samples/firewall.txt").unwrap();
/* ... */
// check the result: a malformed rules file is reported as a FirewallError
firewall.update_rules("./samples/firewall_for_tests_1.txt").unwrap();
pub fn disable(&mut self)
Disables an existing Firewall.
While the firewall is disabled, every network packet is accepted regardless of the rules defined for the firewall.
§Examples
use nullnet_firewall::{Firewall, FirewallAction, FirewallDirection};
let mut firewall = Firewall::new("./samples/firewall.txt").unwrap();
// here we suppose to have a packet to match against the firewall
let packet = [/* ... */];
// disable the firewall
firewall.disable();
// a disabled firewall will accept everything
assert_eq!(
firewall.resolve_packet(&packet, FirewallDirection::IN),
FirewallAction::ACCEPT
);
pub fn enable(&mut self)
Enables an existing Firewall.
When a new firewall is created, it is enabled by default.
When the firewall is enabled, the actions to take for network packets are determined according to the specified rules.
§Examples
use nullnet_firewall::Firewall;
// a new firewall is enabled by default
let mut firewall = Firewall::new("./samples/firewall.txt").unwrap();
// disable the firewall
firewall.disable();
/* ... */
// enable the firewall again
firewall.enable();
pub fn policy_in(&mut self, policy: FirewallAction)
Sets the input policy for an existing Firewall.
§Arguments
policy - The policy to use for incoming packets that don't match any of the specified rules.
§Examples
use nullnet_firewall::{Firewall, FirewallAction};
let mut firewall = Firewall::new("./samples/firewall.txt").unwrap();
// set the firewall input policy
firewall.policy_in(FirewallAction::DENY);
pub fn policy_out(&mut self, policy: FirewallAction)
Sets the output policy for an existing Firewall.
§Arguments
policy - The policy to use for outgoing packets that don't match any of the specified rules.
§Examples
use nullnet_firewall::{Firewall, FirewallAction};
let mut firewall = Firewall::new("./samples/firewall.txt").unwrap();
// set the firewall output policy
firewall.policy_out(FirewallAction::ACCEPT);
pub fn data_link(&mut self, data_link: DataLink)
Sets the DataLink type for an existing Firewall.
By default, a firewall parses submitted packets as Ethernet frames; to inspect packets of a different kind (for example raw IP packets with no link-layer header), set the corresponding data link type via this method, otherwise the link-layer bytes are misread as the IP header.
§Arguments
data_link - The data link type that will be used to parse packets.
§Examples
use nullnet_firewall::{DataLink, Firewall};
let mut firewall = Firewall::new("./samples/firewall.txt").unwrap();
// let the firewall know that submitted packets start with an IP header
firewall.data_link(DataLink::RawIP);
pub fn log(&mut self, log: bool)
Enables or disables logging.
If enabled (the default), packets are printed to stdout and logged into a DB.
§Arguments
log - Whether logging should be enabled or not.
§Examples
use nullnet_firewall::Firewall;
let mut firewall = Firewall::new("./samples/firewall.txt").unwrap();
// disable logging
firewall.log(false);