FlexiFW - The Flexible Firewall

About

FlexiFW is an attempt to provide better flexibility to IPTables (or to replace its matching core with something more flexible). The basic idea is to create a very low-level matching language that can be used to implement different methods of ordering the matching. In order to accept TCP port 80, you can say:

(AND
	(= (PORT_SRC) (PORT 80))
	(= (PROTOCOL "tcp") (IP_NEXT_PROTOCOL))
)

As you can see, this is very low level, but it is also very easy to translate other firewall languages into this assembly language. In this translation stage it is possible to reorder the instructions in order to optimize the matching, so that the firewall can group all rules about TCP in a single sub-tree, as in:

(OR
	(AND
		(= (IP_NEXT_PROTOCOL) (PROTOCOL "tcp"))
		(OR {1})
	)
	{2}
)

In the place where {1} appears we put all the remaining matching for TCP connections, and in place of {2} we put the rules that match other (non-TCP) protocols.

An immediate performance gain with FlexiFW is that only the fields a rule actually asks for are checked; there is no preliminary test of whether a field needs to be examined at all. This saves memory accesses. Even the simple interpreter is likely to perform better than standard IPTables. The advanced interpreter should be faster still, since evaluating its rules will not require evaluating the AND and OR operations at match time; these will be preprocessed before the rules are loaded into the kernel. The compiler to native machine code should be the fastest, but it trades away flexibility: to replace the ruleset you need to unload one kernel module and load another.
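The following toy interpreter is an added example, not FlexiFW's own code: it parses the s-expression rules shown above into a tree and evaluates them against a constructed packet object, counting header-field reads so the "only fields asked for are checked" argument can be observed on the flat rule and on the regrouped TCP/non-TCP tree. The token syntax, the IANA protocol numbers behind PROTOCOL, the Packet class and the {2} rule for ICMP are all assumptions made for the demo.

```python
import re

# Assumptions, not taken from the project: token syntax, IANA protocol numbers
# for PROTOCOL, and a packet modelled as a small Python object.
TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

class Packet:  # constructed packet stand-in; counts header-field reads
    def __init__(self, proto, sport=None):
        self.fields = {"IP_NEXT_PROTOCOL": proto, "PORT_SRC": sport}
        self.reads = 0
    def get(self, name):
        self.reads += 1
        return self.fields[name]

def parse(text):
    """Parse one s-expression into nested lists; atoms become strings."""
    tokens = iter(TOKEN.findall(text))
    def node(tok):
        if tok != "(":
            return tok.strip('"')  # atom: bare symbol/number or quoted string
        items = []
        for sub in tokens:
            if sub == ")":
                return items
            items.append(node(sub))
        raise ValueError("missing ')'")
    return node(next(tokens))

def evaluate(node, pkt):
    """Evaluate a parsed tree; AND/OR short-circuit as the generated C would."""
    op, args = node[0], node[1:]
    if op == "AND":
        return all(evaluate(a, pkt) for a in args)
    if op == "OR":
        return any(evaluate(a, pkt) for a in args)
    if op == "=":
        return evaluate(args[0], pkt) == evaluate(args[1], pkt)
    if op in ("PORT_SRC", "IP_NEXT_PROTOCOL"):
        return pkt.get(op)  # the header field is read only when a rule asks for it
    if op == "PORT":
        return int(args[0])
    if op == "PROTOCOL":
        return PROTO_NUMBERS[args[0]]
    raise ValueError(f"unknown operator {op!r}")

# The page's flat rule and its regrouped form ({1} = the port test, {2} = a constructed ICMP rule).
RULE_FLAT = '(AND (= (PORT_SRC) (PORT 80)) (= (PROTOCOL "tcp") (IP_NEXT_PROTOCOL)))'
RULE_GROUPED = ('(OR (AND (= (IP_NEXT_PROTOCOL) (PROTOCOL "tcp")) (OR (= (PORT_SRC) (PORT 80))))'
                ' (= (IP_NEXT_PROTOCOL) (PROTOCOL "icmp")))')
```

With the flat rule a UDP packet is rejected after a single read of PORT_SRC, and with the regrouped tree a non-TCP packet never has its port fields read at all.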

So far, a "compiler" for this firewall assembly language has been implemented. It translates the rules into C, which can then be compiled either into an iptables module or into a user-mode firewall via the QUEUE target.

A simple interpreter is easy to write (just look at ipfw2 in FreeBSD); an optimized interpreter is planned.

Download

This is currently unreleased. You can get the source to experiment with from the Subversion repository; see the "Development" section below.

Features

Currently, the following features are implemented:

Development

You can find the latest development in the FlexiFW Subversion repository. You can check it out anonymously as:

	svn co svn://svn.ev-en.org/flexifw/trunk/flexifw

Legal stuff

   FlexiFW, documentation, installation scripts and other materials provided
   are copyright © 2004 Baruch Even, unless explicitly stated otherwise.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; version 2 of the License.
   
   This program is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
   General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to:
   
     The Free Software Foundation, Inc.
     675 Mass Ave
     Cambridge
     MA 02139
     USA