Firewall based on LionsOS
The Firewall project is primarily a showcase for LionsOS's features, and a way to explore new features in the Microkit and its tooling.
The good networking performance available from the seL4 Device Driver Framework (sDDF) suggested that a firewall — a device that filters packets and routes traffic between two or more networks — could be a viable showcase project.
The image shows a preliminary system architecture for the LionsOS firewall; the most up-to-date version can be found on the LionsOS project page.
As is typical for all LionsOS systems, the firewall splits its functionality into independent Microkit Protection Domains. The firewall performs zero-copy packet filtering and forwarding, passing packets between components by reference using single-producer, single-consumer lock-free queues.
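The by-reference hand-off described above, sketched in C as an added example (not code from LionsOS or sDDF): a filter stage moves buffer descriptors between single-producer, single-consumer queues and never copies packet data. The queue layout, the names (`spsc_t`, `desc_t`, `filter`), the sizes and the sample frames are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

#define QCAP 8u            /* queue slots, power of two (constructed value) */
#define REGION_SIZE 4096u  /* stand-in for the shared packet data region */
#define PROTO_OFF 23u      /* IPv4 protocol byte in an Ethernet frame: 14 + 9 */
typedef struct { uint32_t off; uint16_t len; } desc_t;  /* reference, not payload */
typedef struct {
    _Atomic uint32_t head, tail;  /* head: consumer-owned; tail: producer-owned */
    desc_t slot[QCAP];
} spsc_t;
static uint8_t region[REGION_SIZE];

static bool enqueue(spsc_t *q, desc_t d) {
    uint32_t t = atomic_load_explicit(&q->tail, memory_order_relaxed);
    if (t - atomic_load_explicit(&q->head, memory_order_acquire) == QCAP) return false;
    q->slot[t % QCAP] = d;
    atomic_store_explicit(&q->tail, t + 1, memory_order_release);  /* publish slot */
    return true;
}
static bool dequeue(spsc_t *q, desc_t *d) {
    uint32_t h = atomic_load_explicit(&q->head, memory_order_relaxed);
    if (h == atomic_load_explicit(&q->tail, memory_order_acquire)) return false;
    *d = q->slot[h % QCAP];
    atomic_store_explicit(&q->head, h + 1, memory_order_release);  /* release slot */
    return true;
}
/* Descriptors arrive from another protection domain: bounds-check before use. */
static bool desc_ok(desc_t d) {
    return d.len > PROTO_OFF && d.len <= REGION_SIZE && d.off <= REGION_SIZE - d.len;
}
/* Forward allowed frames by reference, recycle blocked ones, discard bad descriptors. */
static unsigned filter(spsc_t *in, spsc_t *out, spsc_t *free_q, uint8_t blocked) {
    unsigned fwd = 0;
    for (desc_t d; dequeue(in, &d);) {
        if (!desc_ok(d)) continue;
        if (region[d.off + PROTO_OFF] != blocked && enqueue(out, d)) fwd++;
        else enqueue(free_q, d);  /* blocked, or out queue full: buffer is reused */
    }
    return fwd;
}
/* Constructed input: one TCP frame, one UDP frame, one out-of-bounds descriptor. */
static unsigned demo(spsc_t *out, spsc_t *free_q) {
    static spsc_t in;
    region[PROTO_OFF] = 6; region[2048 + PROTO_OFF] = 17;
    enqueue(&in, (desc_t){0, 64}); enqueue(&in, (desc_t){2048, 64});
    enqueue(&in, (desc_t){4090, 64});
    return filter(&in, out, free_q, 17);  /* block UDP (protocol 17) */
}
int main(void) { static spsc_t out, fq; return demo(&out, &fq) == 1 ? 0 : 1; }
```

Only the 8-byte descriptor crosses each queue; the release store on `tail` paired with the acquire load in the consumer is what makes the slot contents visible without a lock.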
Network configuration, including the number of network interfaces, the Ethernet and IP address of each interface, and the initial routing table and filtering rules, can be set at build time. Much of this configuration, including routes and rules, can be viewed and modified at run time via the firewall webserver component, which listens for HTTP requests.
Since most functionality of the firewall is implemented as isolated, modular, user-level components, integrating additional functionality provides an easy way for newcomers to get into programming for LionsOS.
Full documentation on how each firewall component works is on the LionsOS website. The website also details how to build and deploy the firewall, with a particular focus on running and testing the firewall on QEMU in a Docker image.
Pull requests to add functionality or fix issues are welcome. There are possible ‘good first issue’ mini-projects in the LionsOS issue tracker on GitHub.