Nice to see someone else who wants this!
I implemented a parser for a JSON format for exactly this purpose using the yojson library; the code is here:
(this was my first time using yojson, and I am a bit scared of the dependencies that using ppx (which @dinosaure suggested above) would bring in, so I tried to keep it simple and stupid).
An example of the format it parses can be found here: https://github.com/cfcs/qubes-mirage-firewall/commit/4446556757e5cd51caddc5d3293aedd3ebe3386b#diff-e4e347f34468208cc42e811863eb5077R1
As outlined in the issue in @talex5’s GitHub repository linked to above, I believe the best approach for implementing user-supplied firewall rules would be to have a separate pure library (that can be used for other purposes as well, and most notably can be unit-tested and fuzzed without requiring OS-level C stubs for interfacing with hardware or external IP stacks).
Having pure library code separate from the application code (which contains impure side effects that make the aforementioned things harder) is a design concept I’ve come to love, but it may sound a bit foreign if you’re not used to functional programming.
I’d also like to have a general mirage-firewall that could be used in Tails, SubgraphOS (from normal operating systems not built on top of Xen, that is).
The Usenix paper linked to from here https://nqsb.io/ may do a better job of explaining the concepts than I can here, and maybe if we ask @hannes nicely he’ll have some more references worth checking out.
I started this effort here: https://github.com/cfcs/ocaml-pf (which currently only implements a parser, not the rule engine). I’ve been working a tiny bit on a rule engine, but while I have been kept up with other things the past month or so, it is in no way a dead project, and I still intend to implement that part.
My approach to parsing the new Qubes 4 rule format is to use the angstrom parser-combinator library to parse the data, and then return it using the types defined by the pf library (since the new rules can be translated to a subset of the pf syntax). I have a local branch for that, I’ll try to push it today or tomorrow and post a link here.
Since it sounds like we’re trying to do almost exactly the same thing, I’d be happy to describe what I’m doing more in-depth, and work together if we can find some common ground, but I am a little bit exhausted after a long day and can’t think of more to write right now.
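As an added illustration of the pure-library design the post argues for (this is not code from ocaml-pf or qubes-mirage-firewall): a rule parser and matcher with no side effects, so the whole policy engine can be unit-tested and fuzzed without Xen or network stubs. The key=value rule syntax, field names and the packet record are assumptions made for the example, not taken from the post.

```ocaml
(* Pure core of a Qubes 4 style firewall rule engine: no I/O and no Xen or
   network stubs, so it can be unit-tested and fuzzed on its own. Assumed rule
   syntax (not from the post): space-separated key=value tokens such as
   "action=accept proto=tcp dst4=10.0.0.0/8 dstports=443-443". *)
type action = Accept | Drop
type proto = Tcp | Udp | Any
type rule = { action : action; proto : proto;
              dst4 : (int32 * int) option;     (* network, prefix length *)
              dstports : (int * int) option }  (* inclusive port range *)
(* What the matcher needs from a packet; built by the impure network layer. *)
type packet = { pkt_proto : proto; pkt_dst : int32; pkt_dport : int }

let ipv4_of_string s =
  match List.map int_of_string_opt (String.split_on_char '.' s) with
  | [ Some a; Some b; Some c; Some d ]
    when List.for_all (fun x -> 0 <= x && x <= 255) [ a; b; c; d ] ->
      Some (Int32.of_int ((a lsl 24) lor (b lsl 16) lor (c lsl 8) lor d))
  | _ -> None

(* Parse one rule line. Every token must be understood: an unknown key is an
   error rather than silently ignored, so a typo can never widen the policy. *)
let parse_rule line =
  let step acc tok = match acc with Error _ -> acc | Ok r ->
    match String.split_on_char '=' tok with
    | [ "action"; "accept" ] -> Ok { r with action = Accept }
    | [ "action"; "drop" ] -> Ok { r with action = Drop }
    | [ "proto"; "tcp" ] -> Ok { r with proto = Tcp }
    | [ "proto"; "udp" ] -> Ok { r with proto = Udp }
    | [ "dst4"; v ] -> (match String.split_on_char '/' v with
        | [ ip; n ] -> (match ipv4_of_string ip, int_of_string_opt n with
            | Some ip, Some n when 0 <= n && n <= 32 -> Ok { r with dst4 = Some (ip, n) }
            | _ -> Error ("bad dst4: " ^ v))
        | _ -> Error ("bad dst4: " ^ v))
    | [ "dstports"; v ] ->
        (match List.map int_of_string_opt (String.split_on_char '-' v) with
         | [ Some lo; Some hi ] when 0 <= lo && lo <= hi && hi <= 65535 ->
             Ok { r with dstports = Some (lo, hi) }
         | _ -> Error ("bad dstports: " ^ v))
    | _ -> Error ("unknown token: " ^ tok) in
  List.fold_left step (Ok { action = Drop; proto = Any; dst4 = None; dstports = None })
    (List.filter (( <> ) "") (String.split_on_char ' ' line))

(* Prefix test on host-order addresses; n = 0 is special-cased because a 32-bit
   logical shift is unspecified in OCaml. *)
let in_prefix ip (net, n) =
  n = 0 || Int32.shift_right_logical (Int32.logxor ip net) (32 - n) = 0l

let matches r p =
  (r.proto = Any || r.proto = p.pkt_proto)
  && (match r.dst4 with None -> true | Some pfx -> in_prefix p.pkt_dst pfx)
  && (match r.dstports with None -> true | Some (lo, hi) -> lo <= p.pkt_dport && p.pkt_dport <= hi)

(* First matching rule wins; no match means Drop (default deny). *)
let decide rules p =
  match List.find_opt (fun r -> matches r p) rules with Some r -> r.action | None -> Drop
```

Because nothing here touches the network, a test or fuzzer can feed `parse_rule` arbitrary strings and `decide` arbitrary packet records and check that malformed rules are rejected and that an empty rule list always yields `Drop`.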