Firewall
The Firewall filter allows or blocks traffic depending on whether a packet's source IP address and port match the rules configured on the filter. Rules under on_read are applied to packets received from clients, and rules under on_write to packets received back from upstream endpoints, so the source being checked is the client in the first case and the endpoint in the second.
Filter name
quilkin.filters.firewall.v1alpha1.Firewall
Configuration Examples
#![allow(unused)]
fn main() {
    let yaml = "
version: v1alpha1
filters:
  - name: quilkin.filters.firewall.v1alpha1.Firewall
    config:
      on_read:
        - action: ALLOW
          sources:
            - 192.168.51.0/24
          ports:
            - 10
            - 1000-7000
      on_write:
        - action: DENY
          sources:
            - 192.168.51.0/24
          ports:
            - 7000
clusters:
  - endpoints:
      - address: 127.0.0.1:7001
";
    let config = quilkin::config::Config::from_reader(yaml.as_bytes()).unwrap();
    assert_eq!(config.filters.load().len(), 1);
}
Configuration Options (Rust Doc)
$schema: https://json-schema.org/draft/2020-12/schema
title: Config
description: |-
  Represents how a Firewall filter is configured for read and write
  operations.
type: object
properties:
  on_read:
    type: array
    items:
      $ref: '#/$defs/Rule'
  on_write:
    type: array
    items:
      $ref: '#/$defs/Rule'
required:
- on_read
- on_write
$defs:
  Action:
    description: Whether or not a matching [Rule] should Allow or Deny access
    oneOf:
    - description: Matching rules will allow packets through.
      type: string
      const: ALLOW
    - description: Matching rules will block packets.
      type: string
      const: DENY
  Cidr:
    description: Cidr notation for an ipv6 or ipv4 netmask
    type: string
  PortRange:
    description: Range of matching ports that are configured against a [Rule].
    $ref: '#/$defs/Range_of_uint16'
  Range_of_uint16:
    type: object
    properties:
      end:
        type: integer
        format: uint16
        maximum: 65535
        minimum: 0
      start:
        type: integer
        format: uint16
        maximum: 65535
        minimum: 0
    required:
    - start
    - end
  Rule:
    description: Combination of CIDR range, port range and action to take.
    type: object
    properties:
      action:
        $ref: '#/$defs/Action'
      ports:
        type: array
        items:
          $ref: '#/$defs/PortRange'
      sources:
        description: ipv4 or ipv6 CIDR address.
        type: array
        items:
          $ref: '#/$defs/Cidr'
    required:
    - action
    - sources
    - ports
Rule Evaluation
The Firewall filter supports DENY and ALLOW actions for access control. A rule matches a packet when the packet's source address falls within any of the rule's sources CIDRs and its port falls within any of the rule's ports entries. When a rule list contains several rules, they are evaluated in the order they are configured, and the first matching rule decides whether the packet is allowed or denied:
- If a rule's action is ALLOW and it matches the packet, the packet is allowed.
- If a rule's action is DENY and it matches the packet, the packet is denied.
- If none of the configured rules match, the packet is denied.
Because the first match wins, order matters: a broad ALLOW (for example a whole /24) listed before a narrower DENY inside that range shadows the DENY completely, so list the exceptions before the general rule they are carved out of.
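The evaluation order above, worked through as an added example that is not Quilkin's own code: a small first-match, default-deny engine over rules in the shape of the page's YAML (sources as CIDRs, ports written as `10` or `1000-7000`), run against a deny-first and an allow-first ordering of the same two rules to show the shadowing effect. The `Cidr`, `PortRange`, `Rule`, `evaluate`, `on_read_rules` and `shadowed_rules` names, and the host-specific DENY rule, are this example's own. The example treats a port range's upper bound as inclusive; that is the example's assumption, not a statement about Quilkin's parser, so check the project's `PortRange` implementation before relying on boundary behaviour.

```rust
use std::net::{IpAddr, SocketAddr};
use std::str::FromStr;

// Added example, not Quilkin's code: a first-match, default-deny evaluator
// over rules shaped like the filter's YAML (`sources` CIDRs, `ports` entries).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Action { Allow, Deny }

/// Network address plus prefix length, IPv4 or IPv6, e.g. "192.168.51.0/24".
struct Cidr { network: IpAddr, prefix: u8 }

impl FromStr for Cidr {
    type Err = String;
    fn from_str(s: &str) -> Result<Self, String> {
        let (addr, prefix) = s.split_once('/').unwrap_or((s, ""));
        let network: IpAddr = addr.parse().map_err(|e| format!("bad address {addr:?}: {e}"))?;
        let max = if network.is_ipv4() { 32 } else { 128 };
        // A bare address is a single host: /32 or /128.
        let prefix = if prefix.is_empty() { max } else {
            prefix.parse::<u8>().map_err(|e| format!("bad prefix {prefix:?}: {e}"))?
        };
        if prefix > max { return Err(format!("prefix /{prefix} exceeds /{max} for {addr}")); }
        Ok(Cidr { network, prefix })
    }
}

impl Cidr {
    /// True when `ip` is inside this network. A v6 source never matches a v4 CIDR
    /// (and vice versa); the prefix-0 guard avoids an overflowing `<< 32` / `<< 128`.
    fn contains(&self, ip: IpAddr) -> bool {
        match (self.network, ip) {
            (IpAddr::V4(n), IpAddr::V4(a)) => {
                let mask = if self.prefix == 0 { 0 } else { u32::MAX << (32 - self.prefix) };
                (u32::from(n) & mask) == (u32::from(a) & mask)
            }
            (IpAddr::V6(n), IpAddr::V6(a)) => {
                let mask = if self.prefix == 0 { 0 } else { u128::MAX << (128 - self.prefix) };
                (u128::from(n) & mask) == (u128::from(a) & mask)
            }
            _ => false,
        }
    }
}

/// "10" is one port, "1000-7000" a range. Both bounds are inclusive HERE; that
/// is this example's assumption, not a statement about Quilkin's own parser.
struct PortRange { start: u16, end: u16 }
impl FromStr for PortRange {
    type Err = String;
    fn from_str(s: &str) -> Result<Self, String> {
        let (a, b) = s.split_once('-').unwrap_or((s, s));
        let start: u16 = a.trim().parse().map_err(|e| format!("bad port {a:?}: {e}"))?;
        let end: u16 = b.trim().parse().map_err(|e| format!("bad port {b:?}: {e}"))?;
        if start > end { return Err(format!("reversed port range {s:?}")); }
        Ok(PortRange { start, end })
    }
}

struct Rule { action: Action, sources: Vec<Cidr>, ports: Vec<PortRange> }
impl Rule {
    /// A rule matches when ANY source CIDR contains the IP AND ANY port entry
    /// contains the port; a rule with an empty list on either side never matches.
    fn matches(&self, addr: SocketAddr) -> bool {
        let port = addr.port();
        self.sources.iter().any(|c| c.contains(addr.ip()))
            && self.ports.iter().any(|p| p.start <= port && port <= p.end)
    }
}

/// The first matching rule decides; a packet that matches no rule is denied.
fn evaluate(rules: &[Rule], addr: SocketAddr) -> Action {
    rules.iter().find(|r| r.matches(addr)).map_or(Action::Deny, |r| r.action)
}

fn rule(action: Action, sources: &[&str], ports: &[&str]) -> Rule {
    let sources: Vec<Cidr> = sources.iter().map(|s| s.parse().expect("valid CIDR")).collect();
    let ports: Vec<PortRange> = ports.iter().map(|p| p.parse().expect("valid port range")).collect();
    Rule { action, sources, ports }
}

/// The page's on_read ALLOW, preceded by a constructed host-specific DENY.
fn on_read_rules() -> Vec<Rule> {
    vec![
        rule(Action::Deny, &["192.168.51.7"], &["1000-7000"]),
        rule(Action::Allow, &["192.168.51.0/24"], &["10", "1000-7000"]),
    ]
}

/// Same rules with the ALLOW first: the /24 ALLOW now shadows the DENY and
/// 192.168.51.7 gets through. Position in the list, not specificity, decides.
fn shadowed_rules() -> Vec<Rule> { let mut r = on_read_rules(); r.reverse(); r }

fn main() {
    for (label, rules) in [("deny first", on_read_rules()), ("allow first", shadowed_rules())] {
        for s in ["192.168.51.7:2000", "192.168.51.20:2000", "192.168.51.20:8000", "10.0.0.1:2000"] {
            println!("{label}: {s} -> {:?}", evaluate(&rules, s.parse().unwrap()));
        }
    }
}
```

Running it prints the verdict for each probe under both orderings: with the DENY first, 192.168.51.7:2000 is denied and the rest of the /24 on ports 10 or 1000-7000 is allowed; with the ALLOW first, the same host is allowed because the broad rule matched before the DENY was ever consulted. Port 8000, an outside network and an IPv6 source all fall through to the default deny.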