
Commit 7e51157

tbitcsoz-agent
andcommitted
fix(samples/firewall_policy): inline net.* facts — imports not supported
The firewall model used 'imports: ARB://network_common' to pull in net.is_established, net.dst_port, net.protocol, net.packet_len, and net.rate_pps, but arbiterc doesn't support external imports. Inlined the five net.* facts directly into the model's facts section and removed the imports declaration, then regenerated arbiter_model.{c,h}. Co-Authored-By: Oz <oz-agent@warp.dev>
1 parent c9e37ce commit 7e51157

3 files changed

Lines changed: 156 additions & 4 deletions

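--- a/samples/firewall_policy/models/firewall.arb.yaml
+++ b/samples/firewall_policy/models/firewall.arb.yaml
@@ -1,9 +1,6 @@
 arb_version: 0.1
 model: embedded_firewall
 
-imports:
-- ARB://network_common
-
 target:
 rtos: zephyr
 profile: static_c
@@ -13,7 +10,37 @@ system:
 safety_context: network_security
 
 facts:
-# Inherits net.* from ARB://network_common, plus:
+# Network packet facts (formerly imported from ARB://network_common):
+- id: net.is_established
+type: bool
+source: packet_parser
+description: "TCP connection is in ESTABLISHED state"
+
+- id: net.dst_port
+type: uint32
+range: [0, 65535]
+source: packet_parser
+description: "Destination port"
+
+- id: net.protocol
+type: uint32
+range: [0, 255]
+source: packet_parser
+description: "IP protocol number (1=TCP, 2=UDP, 3=ICMP)"
+
+- id: net.packet_len
+type: uint32
+range: [0, 65535]
+source: packet_parser
+description: "Packet length in bytes"
+
+- id: net.rate_pps
+type: uint32
+range: [0, 100000]
+source: rate_counter
+description: "Packet arrival rate (packets per second)"
+
+# Firewall-specific facts:
 - id: fw.action
 type: enum
 source: computed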
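Review bot: The net.protocol description at new line 29, "IP protocol number (1=TCP, 2=UDP, 3=ICMP)", does not match the IANA protocol field that the fact name and the [0, 255] range suggest (TCP is 6, UDP is 17, ICMP is 1), and the regenerated model compares this fact against 1, 2 and 3 in the CoAP, MQTT and ICMP-flood conditions. If packet_parser publishes the raw header value, those rules silently stop matching and the ping-flood constraint never fires, with the default-deny path masking the mismatch rather than surfacing it. Since this fact was previously inherited from network_common, the inlined copy should state which encoding it commits to: either use the IANA numbers in both the description and the rule values, or make the description explicit, e.g. `description: "Protocol class as classified by packet_parser (model-internal: 1=TCP, 2=UDP, 3=ICMP; not the raw IANA protocol number)"`. The facts list and the rules that reference net.protocol continue past this hunk, so other consumers of the fact are outside this view.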
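--- /dev/null
+++ b/PATH_NOT_ON_PAGE/arbiter_model.c
@@ -0,0 +1,83 @@
+/* SPDX-License-Identifier: MIT */
+/* AUTO-GENERATED by arbiterc — do not edit */
+
+#include "arbiter_model.h"
+#include <arbiter/arbiter.h>
+
+static const struct ARBITER_fact_def model_facts[] = {
+{ .id = 0, .type = ARBITER_FACT_ENUM, .range_min = 0, .range_max = 0, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "fw.action" },
+{ .id = 1, .type = ARBITER_FACT_UINT32, .range_min = 0, .range_max = 10000, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "fw.icmp_rate" },
+{ .id = 2, .type = ARBITER_FACT_BOOL, .range_min = 0, .range_max = 0, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "fw.is_dns" },
+{ .id = 3, .type = ARBITER_FACT_BOOL, .range_min = 0, .range_max = 0, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "fw.is_syn" },
+{ .id = 4, .type = ARBITER_FACT_BOOL, .range_min = 0, .range_max = 0, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "fw.payload_anomaly" },
+{ .id = 5, .type = ARBITER_FACT_BOOL, .range_min = 0, .range_max = 0, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "fw.src_on_allowlist" },
+{ .id = 6, .type = ARBITER_FACT_BOOL, .range_min = 0, .range_max = 0, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "fw.src_on_blocklist" },
+{ .id = 7, .type = ARBITER_FACT_UINT32, .range_min = 0, .range_max = 1000, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "fw.syn_flood_score" },
+{ .id = 8, .type = ARBITER_FACT_UINT32, .range_min = 0, .range_max = 65535, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "net.dst_port" },
+{ .id = 9, .type = ARBITER_FACT_BOOL, .range_min = 0, .range_max = 0, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "net.is_established" },
+{ .id = 10, .type = ARBITER_FACT_UINT32, .range_min = 0, .range_max = 65535, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "net.packet_len" },
+{ .id = 11, .type = ARBITER_FACT_UINT32, .range_min = 0, .range_max = 255, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "net.protocol" },
+{ .id = 12, .type = ARBITER_FACT_UINT32, .range_min = 0, .range_max = 100000, .default_value = 0, .stale_after_ms = 0, .safety_relevant = false, .name = "net.rate_pps" },
+};
+
+static const struct ARBITER_condition_def model_conditions[] = {
+{ .fact_id = 6, .op = ARBITER_OP_EQ, .value = 1, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 5, .op = ARBITER_OP_EQ, .value = 1, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 9, .op = ARBITER_OP_EQ, .value = 1, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 4, .op = ARBITER_OP_EQ, .value = 0, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 3, .op = ARBITER_OP_EQ, .value = 1, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 7, .op = ARBITER_OP_GT, .value = 500, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 8, .op = ARBITER_OP_EQ, .value = 5683, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 11, .op = ARBITER_OP_EQ, .value = 2, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 8, .op = ARBITER_OP_EQ, .value = 8883, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 11, .op = ARBITER_OP_EQ, .value = 1, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 2, .op = ARBITER_OP_EQ, .value = 1, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 10, .op = ARBITER_OP_LE, .value = 512, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 11, .op = ARBITER_OP_EQ, .value = 3, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 1, .op = ARBITER_OP_GT, .value = 10, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 4, .op = ARBITER_OP_EQ, .value = 1, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+{ .fact_id = 0, .op = ARBITER_OP_EQ, .value = 0, .group = ARBITER_COND_ALL, .group_index = 0, .next = UINT16_MAX },
+};
+
+static const struct ARBITER_action_def model_actions[] = {
+{ .id = 0, .type = ARBITER_ACTION_CALLBACK, .target_fact_id = 0, .target_value = 0, .callback = NULL, .must_complete_within_ms = 0, .safe_state_action = false, .name = "fw_drop" },
+{ .id = 1, .type = ARBITER_ACTION_CALLBACK, .target_fact_id = 0, .target_value = 0, .callback = NULL, .must_complete_within_ms = 0, .safe_state_action = false, .name = "fw_enable_syn_cookies" },
+{ .id = 2, .type = ARBITER_ACTION_CALLBACK, .target_fact_id = 0, .target_value = 0, .callback = NULL, .must_complete_within_ms = 0, .safe_state_action = false, .name = "fw_log_anomaly" },
+};
+
+static const struct ARBITER_rule_def model_rules[] = {
+{ .id = 0, .rule_class = ARBITER_RULE_SAFETY_GUARD, .condition_start = 0, .condition_count = 1, .action_start = 0, .action_count = 1, .safety_goal_id = UINT16_MAX, .set_mode = UINT16_MAX, .safety_critical = true, .name = "01_fw.blocklist", .explanation = "Source on blocklist — drop and log." },
+{ .id = 1, .rule_class = ARBITER_RULE_INFERENCE, .condition_start = 1, .condition_count = 1, .action_start = 0, .action_count = 0, .safety_goal_id = UINT16_MAX, .set_mode = UINT16_MAX, .safety_critical = false, .name = "02_fw.allowlist", .explanation = "Source on allowlist — accept." },
+{ .id = 2, .rule_class = ARBITER_RULE_INFERENCE, .condition_start = 2, .condition_count = 2, .action_start = 0, .action_count = 0, .safety_goal_id = UINT16_MAX, .set_mode = UINT16_MAX, .safety_critical = false, .name = "10_fw.established", .explanation = "Established connection, no anomaly — accept." },
+{ .id = 3, .rule_class = ARBITER_RULE_INFERENCE, .condition_start = 4, .condition_count = 1, .action_start = 0, .action_count = 0, .safety_goal_id = UINT16_MAX, .set_mode = UINT16_MAX, .safety_critical = false, .name = "20_fw.syn_flood_score", .explanation = "Compute SYN flood risk from packet rate." },
+{ .id = 4, .rule_class = ARBITER_RULE_SAFETY_GUARD, .condition_start = 5, .condition_count = 1, .action_start = 1, .action_count = 1, .safety_goal_id = UINT16_MAX, .set_mode = 3, .safety_critical = true, .name = "21_fw.syn_flood_active", .explanation = "SYN flood detected (score > 500) — enable SYN cookies, drop." },
+{ .id = 5, .rule_class = ARBITER_RULE_INFERENCE, .condition_start = 6, .condition_count = 2, .action_start = 0, .action_count = 0, .safety_goal_id = UINT16_MAX, .set_mode = UINT16_MAX, .safety_critical = false, .name = "30_fw.allow_coap", .explanation = "CoAP (UDP/5683) — accept and log." },
+{ .id = 6, .rule_class = ARBITER_RULE_INFERENCE, .condition_start = 8, .condition_count = 2, .action_start = 0, .action_count = 0, .safety_goal_id = UINT16_MAX, .set_mode = UINT16_MAX, .safety_critical = false, .name = "31_fw.allow_mqtt", .explanation = "MQTT-TLS (TCP/8883) — accept." },
+{ .id = 7, .rule_class = ARBITER_RULE_INFERENCE, .condition_start = 10, .condition_count = 2, .action_start = 0, .action_count = 0, .safety_goal_id = UINT16_MAX, .set_mode = UINT16_MAX, .safety_critical = false, .name = "32_fw.allow_dns", .explanation = "DNS query (<=512 bytes) — accept." },
+{ .id = 8, .rule_class = ARBITER_RULE_CONSTRAINT, .condition_start = 12, .condition_count = 2, .action_start = 0, .action_count = 0, .safety_goal_id = UINT16_MAX, .set_mode = UINT16_MAX, .safety_critical = false, .name = "33_fw.icmp_flood", .explanation = "ICMP rate > 10 pps — drop (ping flood)." },
+{ .id = 9, .rule_class = ARBITER_RULE_SAFETY_GUARD, .condition_start = 14, .condition_count = 1, .action_start = 2, .action_count = 1, .safety_goal_id = UINT16_MAX, .set_mode = UINT16_MAX, .safety_critical = false, .name = "40_fw.dpi_anomaly", .explanation = "Payload anomaly — drop and log for analysis." },
+{ .id = 10, .rule_class = ARBITER_RULE_CONSTRAINT, .condition_start = 15, .condition_count = 1, .action_start = 0, .action_count = 0, .safety_goal_id = UINT16_MAX, .set_mode = UINT16_MAX, .safety_critical = false, .name = "99_fw.default_deny", .explanation = "Default deny — no rule matched." },
+};
+
+static const char *model_mode_names[] = {
+"mode.lockdown",
+"mode.normal",
+"mode.rate_limited",
+"mode.under_attack",
+};
+
+const struct ARBITER_model ARBITER_generated_model = {
+.name = "embedded_firewall",
+.model_hash = { 0x99, 0x78, 0x23, 0x9a, 0xcd, 0xbe, 0xc9, 0xad, 0x1c, 0xb1, 0x38, 0xb5, 0xc9, 0xeb, 0xe0, 0x27, 0xc8, 0x0a, 0x74, 0xe3, 0x25, 0x8d, 0x7b, 0xea, 0xcc, 0xe1, 0x06, 0x40, 0x93, 0x37, 0x5a, 0xba },
+.schema_hash = { 0x0d, 0x55, 0x33, 0x65, 0xf3, 0x4e, 0x02, 0xf3, 0xf8, 0x94, 0xe8, 0x25, 0xbb, 0x47, 0x86, 0x45, 0xfd, 0x8b, 0x78, 0xb1, 0x27, 0xf5, 0x8c, 0x42, 0xba, 0xbd, 0x80, 0x1f, 0x77, 0x57, 0x1f, 0x35 },
+.fact_count = 13,
+.rule_count = 11,
+.condition_count = 16,
+.action_count = 3,
+.mode_count = 4,
+.facts = model_facts,
+.rules = model_rules,
+.conditions = model_conditions,
+.actions = model_actions,
+.mode_names = model_mode_names,
+};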
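--- /dev/null
+++ b/PATH_NOT_ON_PAGE/arbiter_model.h
@@ -0,0 +1,42 @@
+/* SPDX-License-Identifier: MIT */
+/* AUTO-GENERATED by arbiterc — do not edit */
+
+#pragma once
+
+#include <stdint.h>
+#include <stddef.h>
+#include <arbiter/arbiter_model.h>
+
+#define ARBITER_MODEL_NAME "embedded_firewall"
+#define ARBITER_MODEL_HASH "9978239acdbec9ad1cb138b5c9ebe027c80a74e3258d7beacce1064093375aba"
+#define ARBITER_MODEL_FACT_COUNT 13u
+#define ARBITER_MODEL_RULE_COUNT 11u
+#define ARBITER_MODEL_CONDITION_COUNT 16u
+#define ARBITER_MODEL_ACTION_COUNT 3u
+#define ARBITER_MODEL_MAX_FACTS 13u
+#define ARBITER_MODEL_MAX_RULES 11u
+#define ARBITER_MODEL_MAX_CONDITIONS 16u
+#define ARBITER_MODEL_MAX_ACTIONS 3u
+#define ARBITER_MODEL_WCET_OP_COUNT 27u
+#define ARBITER_MODEL_TRACE_CAPACITY 11u
+
+extern const struct ARBITER_model ARBITER_generated_model;
+
+#define ARBITER_FACT_FW_ACTION 0u
+#define ARBITER_FACT_FW_ICMP_RATE 1u
+#define ARBITER_FACT_FW_IS_DNS 2u
+#define ARBITER_FACT_FW_IS_SYN 3u
+#define ARBITER_FACT_FW_PAYLOAD_ANOMALY 4u
+#define ARBITER_FACT_FW_SRC_ON_ALLOWLIST 5u
+#define ARBITER_FACT_FW_SRC_ON_BLOCKLIST 6u
+#define ARBITER_FACT_FW_SYN_FLOOD_SCORE 7u
+#define ARBITER_FACT_NET_DST_PORT 8u
+#define ARBITER_FACT_NET_IS_ESTABLISHED 9u
+#define ARBITER_FACT_NET_PACKET_LEN 10u
+#define ARBITER_FACT_NET_PROTOCOL 11u
+#define ARBITER_FACT_NET_RATE_PPS 12u
+
+#define ARBITER_MODE_MODE_LOCKDOWN 0u
+#define ARBITER_MODE_MODE_NORMAL 1u
+#define ARBITER_MODE_MODE_RATE_LIMITED 2u
+#define ARBITER_MODE_MODE_UNDER_ATTACK 3u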
