.iptables configuration
This tool is aimed at simplifying netfilter configuration without taking the
power of netfilter and its various extensions away from the end user.
Configuration is written in a java-like language specially designed to minimize
iptables script redundancy, so that nothing already written has to be written
again, using hierarchical rules, matlab-like vectors and filters applicable to
any part of the network protocol hierarchy. This feature is currently limited and
requires changes in the compiler.
It is easy to create a rather large and sophisticated netfilter setup, thanks
only to iptables and its great generality, but without the requirement to write
many lines of unreadable iptables script.
If you want to get a feel for the final code, get it
[here]
.the compiler
The compiler consists of two parts. The interfacing part is used to give
meaning to the various classes used in the firewall config; it acts as the glue
between iptables and the firewall code. The firewall config part is used to
define the firewall rules, which when processed produce iptables rules. The
compiler can transform its internal representation of the rules and optimize
them for the shortest possible rule traversal time.
It is possible to change the interfacing part so that the compiler generates
different code. In packet space, selecting some packets and allowing them to
pass or not (firewalling) is not much different from selecting some and sending
them out on the wire (packet creation). This tool allows both to be done using
the same language and the same features the language provides.
.the language
One writes the rules as for iptables, possibly with C or C++ comments.
There are two main types of expressions, and-expressions and or-expressions
(vectors). Expressions consist of words, IP addresses, numbers and strings, where
words only act as representations of classes from the interfacing part. The
hierarchy of expressions allows advanced rules to be created with less writing,
which means maintaining them with less reading, which in turn means
experimenting with them with ease.
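As an added illustration (not the tool's own code, and not its real syntax, which this page does not show), a small Python model of how an and-expression over or-vectors expands into a flat iptables rule set; the And/Or classes, the policy and the addresses are all constructed here:

```python
# Added illustration, not the tool's own code or syntax: a minimal model of
# and-expressions over or-vectors ("matlab-like vectors") expanding into a
# flat list of iptables rules. All names and addresses here are constructed.

class And:
    """All parts must match: expansion concatenates them (cross product)."""
    def __init__(self, *items):
        self.items = items

class Or:
    """Alternatives (a vector): expansion emits one rule per alternative."""
    def __init__(self, *items):
        self.items = items

def expand(node):
    """Return every concrete rule as a list of iptables match fragments."""
    if isinstance(node, str):
        return [[node]]
    if isinstance(node, Or):
        return [rule for alt in node.items for rule in expand(alt)]
    if isinstance(node, And):
        rules = [[]]
        for part in node.items:
            rules = [r + s for r in rules for s in expand(part)]
        return rules
    raise TypeError(f"unsupported node: {node!r}")

def render(chain, node, target):
    """Turn an expression into runnable iptables command lines."""
    return [f"iptables -A {chain} {' '.join(r)} -j {target}"
            for r in expand(node)]

# Constructed sample policy using RFC 5737 documentation networks. The nested
# hierarchy means each fragment is written once, however many rules it yields.
MGMT_NETS = Or("-s 192.0.2.0/24", "-s 198.51.100.0/24")
SERVICES = Or(And("-p tcp", Or("--dport 22", "--dport 443")),
              And("-p udp", "--dport 161"))
POLICY = And("-i eth0", MGMT_NETS, SERVICES)

def mgmt_rules():
    """1 interface x 2 networks x (2 tcp ports + 1 udp port) = 6 rules."""
    return render("INPUT", POLICY, "ACCEPT")

if __name__ == "__main__":
    print("\n".join(mgmt_rules()))
```

Seven fragments written once yield six distinct rules; adding a third network or another port changes one line of the policy, not the whole rule list.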
Making this possible while keeping the language simple is done through a kind
of multiple dispatch, where a class is virtual with respect to all classes
already defined in the context of that class (C++ is virtual with respect to only
one parameter, the this pointer). This is currently not very well thought out.
.final words
This tool looks like the BSD packet filter (pf), but only by coincidence; it was
designed as an intuitive way of doing things and does not claim to be original or perfect.
But it is hoped that it will bring more to packet handling than pf because compiler
technology is used.