

wip
containerscrew committed Dec 4, 2024
1 parent 89e66bc commit 910dbf0
Showing 3 changed files with 95 additions and 8 deletions.
8 changes: 2 additions & 6 deletions nflux.toml
Expand Up @@ -8,8 +8,8 @@ log_type = "text" # text or json. Defaults to text if not set

[ip_rules]
# Fine-tuned rules for IP-based filtering
"192.168.0.0/24" = { priority = 1, action = "deny", ports = [22], protocol = "tcp" }
"192.168.0.170/32" = { priority = 1, action = "allow", ports = [22], protocol = "tcp", log = true, description = "Block SSH for single IP" }
"192.168.0.0/24" = { priority = 1, action = "allow", ports = [22], log = false, protocol = "tcp", description = ""}
"192.168.0.172/32" = { priority = 2, action = "deny", ports = [53], protocol = "udp", log = false, description = "Block UDP port" }
# "192.168.0.170/24" = { priority = 2, action = "deny", ports = [22], protocol = "tcp", log = false, description = "Deny SSH from entire subnet" }
# "2001:0db8:85a3:0000:0000:8a2e:0370:7334" = { action = "deny", ports = [80], protocol = "tcp" }

Expand All @@ -29,7 +29,3 @@ log_denied_packets = true
log_allowed_packets = false
log_format = "json"
log_file = "/var/log/firewall.log"

[failsafe]
# Failsafe rule for unmatched traffic
action = "log"
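Review bot: With the `[failsafe]` table gone (the hunk header -29,7 +29,3 shows four lines dropped, and the `[failsafe]` block is the last four lines of the hunk), this file no longer says what happens to traffic that matches no `ip_rules` entry, and `FirewallConfig` in this commit has no field for it either, so the default-allow versus default-deny decision is now implicit somewhere in the data path rather than stated in the policy file. Either reintroduce an explicit key or document the behaviour at the top of the file, e.g. `# Traffic matching no rule below is dropped (default deny); see the eBPF program for details`, adjusted to whatever the data path actually does. Note also that `"192.168.0.0/24"` appears twice in the first hunk with opposite actions and the same priority; if both ended up on the new side, TOML rejects the duplicate key, and if they are old/new then this commit flips SSH for the whole /24 from deny to allow, which deserves a mention in the commit message rather than `wip`.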
92 changes: 92 additions & 0 deletions nflux/src/config.rs
@@ -1 +1,93 @@
use anyhow::{Context, Result};
use serde::{Deserialize, Deserializer};
use std::collections::HashMap;
use std::env;
use std::fs;

/// Enum for `action`
#[derive(Debug, Deserialize)]
#[serde(rename_all = "lowercase")] // Allow "deny" or "allow" in config
pub enum Action {
Deny,
Allow,
}

/// Enum for `protocol`
#[derive(Debug, Deserialize)]
#[serde(rename_all = "lowercase")] // Allow "tcp" or "udp" in config
pub enum Protocol {
Tcp,
Udp,
Icmp,
}

/// Generic rule for both IPv4 and IPv6
#[derive(Debug, Deserialize)]
#[allow(dead_code)]
pub struct Rules {
pub priority: u32,
pub action: Action,
pub ports: Vec<u16>,
pub protocol: Protocol,
pub log: bool,
pub description: String,
}

/// Configuration for ICMP rules
#[derive(Debug, Deserialize)]
#[allow(dead_code)]
pub struct IcmpRules {
pub action: Action, // Allow or Deny
pub protocol: String, // Always "icmp"
}

/// Configuration for MAC-based rules
#[derive(Debug, Deserialize)]
#[allow(dead_code)]
pub struct MacRule {
pub action: Action, // Allow or Deny
}

/// General firewall configuration
#[derive(Debug, Deserialize)]
#[allow(dead_code)]
pub struct Firewall {
pub interface_names: Vec<String>, // List of interfaces
pub log_level: String, // Log level
pub log_type: String, // Log type
}

/// Logging configuration
#[derive(Debug, Deserialize)]
#[allow(dead_code)]
pub struct LoggingConfig {
pub log_denied_packets: bool,
pub log_allowed_packets: bool,
pub log_format: String,
pub log_file: String,
}

/// Top-level configuration structure
#[derive(Debug, Deserialize)]
#[allow(dead_code)]
pub struct FirewallConfig {
pub firewall: Firewall,
pub ip_rules: HashMap<String, Rules>,
pub icmp_rules: HashMap<String, IcmpRules>,
pub mac_rules: HashMap<String, MacRule>,
pub logging: LoggingConfig,
}

impl FirewallConfig {
/// Load the configuration from a file, defaulting to `/etc/nflux/nflux.toml` if not specified
pub fn load() -> Result<Self> {
let config_file = env::var("NFLUX_CONFIG_FILE_PATH")
.unwrap_or_else(|_| "/etc/nflux/nflux.toml".to_string());

let config_content = fs::read_to_string(&config_file)
.with_context(|| format!("Failed to read configuration file: {}", config_file))?;

toml::from_str(&config_content)
.with_context(|| format!("Failed to parse configuration file: {}", config_file))
}
}
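Review bot: `ip_rules: HashMap<String, Rules>` accepts any string as a rule key, so a malformed prefix such as `"192.168.0.0/42"` or a bare host `"192.168.0.170"` without a length deserializes cleanly and the error surfaces only when the rule is installed, if at all; a validation step after `toml::from_str` in `load` (parse each key as `std::net::IpAddr` plus an optional `/len` bounded by 32 or 128, and decide what two rules with the same `priority` mean, since `HashMap` iteration order is unspecified and the sample config has two priority-1 rules) would fail the load instead of installing an unintended policy. The `Firewall` struct also disagrees with nflux.toml's comment that `log_type` "defaults to text if not set": with no `#[serde(default)]` on the field an omitted key is a hard "missing field" error, so either add `#[serde(default = "default_log_type")]` with a helper returning `"text"`, or correct the comment. For a firewall policy file, `#[serde(deny_unknown_fields)]` on `FirewallConfig`, `Rules`, `Firewall` and `LoggingConfig` is worth adding so a mistyped key is rejected rather than silently ignored. `Deserializer` in the `use serde` line is unused and will warn.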
3 changes: 1 addition & 2 deletions nflux/src/lib.rs
Expand Up @@ -4,8 +4,7 @@ mod logger;
mod utils;

// Dependencies
pub use config::Action;
pub use config::{FirewallConfig, FirewallGlobalConfig, IcmpRules, Protocol};
pub use config::{FirewallConfig, IcmpRules, Protocol, Rules};
pub use core::set_mem_limit;

/// RXH version.
