Firewall
The Firewall
filter's job is to allow or block traffic depending on if the incoming traffic's IP and port matches
the rules set on the Firewall filter.
Filter name
quilkin.filters.firewall.v1alpha1.Firewall
Configuration Examples
#![allow(unused)] fn main() { let yaml = " version: v1alpha1 static: filters: - name: quilkin.filters.firewall.v1alpha1.Firewall config: on_read: - action: ALLOW source: 192.168.51.0/24 ports: - 10 - 1000-7000 on_write: - action: DENY source: 192.168.51.0/24 ports: - 7000 endpoints: - address: 127.0.0.1:7001 "; let config = quilkin::config::Config::from_reader(yaml.as_bytes()).unwrap(); assert_eq!(config.source.get_static_filters().unwrap().len(), 1); quilkin::Builder::from(std::sync::Arc::new(config)).validate().unwrap(); }
Configuration Options (Rust Doc)
---
$schema: "http://json-schema.org/draft-07/schema#"
title: Config
description: Represents how a Firewall filter is configured for read and write operations.
type: object
required:
- on_read
- on_write
properties:
on_read:
type: array
items:
$ref: "#/definitions/Rule"
on_write:
type: array
items:
$ref: "#/definitions/Rule"
definitions:
Action:
description: "Whether or not a matching [Rule] should Allow or Deny access"
type: string
enum:
- ALLOW
- DENY
PortRange:
description: "Range of matching ports that are configured against a [Rule]."
allOf:
- $ref: "#/definitions/Range_of_uint16"
Range_of_uint16:
type: object
required:
- end
- start
properties:
end:
type: integer
format: uint16
minimum: 0.0
start:
type: integer
format: uint16
minimum: 0.0
Rule:
description: "Combination of CIDR range, port range and action to take."
type: object
required:
- action
- ports
- source
properties:
action:
$ref: "#/definitions/Action"
ports:
type: array
items:
$ref: "#/definitions/PortRange"
source:
description: ipv4 or ipv6 CIDR address.
type: string
Rule Evaluation
The Firewall filter supports DENY and ALLOW actions for access control. When multiple DENY and ALLOW actions are used for a workload at the same time, the evaluation is processed in the order it is configured, with the first matching rule deciding if the request is allowed or denied:
- If a rule action is ALLOW, and it matches the request, then the entire request is allowed.
- If a rule action is DENY and it matches the request, then the entire request is denied.
- If none of the configured rules match, then the request is denied.
Metrics
quilkin_filter_Firewall_packets_denied_total
Total number of packets denied.quilkin_filter_Firewall_packets_allowed_total
Total number of packets allowed.
Both metrics have the label event
, with a value of read
or write
which corresponds to either on_read
or
on_write
events within the Filter.