Verified iptables Firewall Analysis and Verification
Journal of Automated Reasoning (IF 0.9), Pub Date: 2018-01-03, DOI: 10.1007/s10817-017-9445-1
Cornelius Diekmann, Lars Hupel, Julius Michaelis, Maximilian Haslbeck, Georg Carle

This article summarizes our efforts around the formally verified static analysis of iptables rulesets using Isabelle/HOL. We build our work around a formal semantics of the behavior of iptables firewalls. This semantics is tailored to the specifics of the filter table and supports arbitrary match expressions, even new ones that may be added in the future. Around that, we organize a set of simplification procedures and their correctness proofs: we include procedures that can unfold calls to user-defined chains, simplify match expressions, and construct approximations removing unknown or unwanted match expressions. For analysis purposes, we describe a simplified model of firewalls that only supports a single list of rules with limited expressiveness. We provide and verify procedures that translate from the complex iptables language into this simple model. Based on that, we implement the verified generation of IP space partitions and minimal service matrices. An evaluation of our work on a large set of real-world firewall rulesets shows that our framework provides interesting results in many situations, and can both help and out-compete other static analysis frameworks found in related work.

Updated: 2018-01-03