Ript: making Linux firewall change management resilient

Netfilter is an extremely powerful framework for manipulating packets, but does anyone enjoy using iptables? Tools for managing small rulesets have a steep learning curve, and most tools don't take availability into account when managing large rulesets.

Enter Ript: a clean and opinionated Domain Specific Language for describing firewall rules, and a tool that implements database-migration-like functionality for applying those rules with zero downtime.

At Ript's core is an easy-to-use Ruby DSL for describing both simple and complex sets of iptables firewall rules, with helpers for all the common use cases: accepting, dropping and rejecting packets, as well as performing DNAT and SNAT.

Ript groups related rules together into "partitions", which are used at rule application time to perform zero-downtime migrations: a partition's new rules are made live before its old rules are removed, so there is no window in which traffic is unfiltered or wrongly filtered.

In this talk Lindsay Holmwood takes you on a whirlwind tour of the DSL, explaining how Ript utilises iptables features to work its magic, and providing some concrete examples of how Ript can help increase the reliability of the services you deliver.
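To make the "database migrations" idea concrete, here is an added Ruby example (my own illustration, not Ript's code or DSL) of the iptables pattern behind a zero-downtime partition swap: each generation of a partition lives in its own user-defined chain, the new chain is fully populated before it is reachable, its jump is inserted ahead of the old jump, and only then is the old jump deleted and the old chain torn down. The `Rule` struct, `PartitionMigration` class, chain-naming scheme and the `runner` hook are assumptions for this example; nothing here is executed against the kernel unless you pass a runner that does so.

```ruby
# Added example, not Ript's own code. Plans (and optionally runs) the iptables
# command sequence for swapping one partition's rules with zero downtime.

# A minimal rule description: protocol, destination port, terminating target.
Rule = Struct.new(:proto, :dport, :target) do
  def to_args
    ["-p", proto, "--dport", dport.to_s, "-j", target]
  end
end

class PartitionMigration
  IPTABLES_CHAIN_MAX = 28 # kernel limit on user-defined chain name length

  # name:       partition name ("web", "db", ...)
  # rules:      the desired rules for this generation
  # generation: monotonically increasing integer; generation 0 has no predecessor
  # parent:     built-in chain that jumps into the partition chain
  def initialize(name, rules, generation:, parent: "INPUT")
    @name, @rules, @generation, @parent = name, rules, generation, parent
  end

  def chain_name(gen)
    chain = "#{@name}-#{gen}"
    raise ArgumentError, "chain name too long: #{chain}" if chain.length > IPTABLES_CHAIN_MAX
    chain
  end

  # Ordered argv arrays. Ordering is the whole point:
  #   1. create and fill the new chain while nothing jumps to it yet
  #   2. insert the new jump at position 1 (evaluated before the old jump)
  #   3. delete the old jump, then flush and delete the old chain
  # At every step some complete generation of the partition is reachable.
  def commands
    new_chain = chain_name(@generation)
    cmds = [["iptables", "-N", new_chain]]
    @rules.each { |r| cmds << ["iptables", "-A", new_chain, *r.to_args] }
    cmds << ["iptables", "-I", @parent, "1", "-j", new_chain]

    if @generation > 0
      old_chain = chain_name(@generation - 1)
      cmds << ["iptables", "-D", @parent, "-j", old_chain]
      cmds << ["iptables", "-F", old_chain]
      cmds << ["iptables", "-X", old_chain]
    end
    cmds
  end

  # Run the plan through a caller-supplied runner (default: a dry run that
  # prints). Stops at the first failing step so a half-applied swap is visible.
  def apply(runner: ->(argv) { puts argv.join(" "); true })
    commands.each do |argv|
      raise "failed: #{argv.join(' ')}" unless runner.call(argv)
    end
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: second generation of a "web" partition.
  web = PartitionMigration.new("web",
    [Rule.new("tcp", 80, "ACCEPT"), Rule.new("tcp", 443, "ACCEPT")],
    generation: 2)
  web.apply # dry run: prints the command sequence
  # Real application would be: web.apply(runner: ->(argv) { system(*argv) })
end
```

The dry-run default lets you review or diff the planned sequence before touching a production host; the ordering invariant (insert new jump before deleting old jump) is what keeps the partition's traffic policy continuous throughout the swap.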


Lindsay Holmwood

January 30, 2013