meds

module
v0.3.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 15, 2025 License: MIT

README ΒΆ

Go Version License Platform Status Version

Meds: net healing

Meds is a high-performance firewall system written in Go.
It integrates with Linux Netfilter via NFQUEUE, inspects inbound traffic in user space, and applies filtering to block malicious or unwanted traffic in real time.

Meds β€” "net healing" firewall designed to cure your network from malicious traffic.

πŸš€ Usage

Requirements:

  • Go version 1.24 or above.
  • Linux with iptables + NFQUEUE support

Since Meds interacts directly with iptables and NFQUEUE, you must run it with root privileges (sudo).
The application manages iptables rules automatically.

Run the firewall
go build -o meds cmd/daemon/main.go
sudo MEDS_USERNAME=admin MEDS_PASSWORD=mypass ./meds

API available at http://localhost:8000 (Basic Auth: admin / mypass)

Command-line options
./meds -help
Usage of ./meds:
  -api-addr string
        api server address (default ":8000")
  -db-path string
        path to database file (default "meds.db")
  -log-level string
        zerolog level (default "info")
  -loggers-count uint
        logger workers count (default 12)
  -max-packets-at-once uint
        max packets per ip at once (default 2000)
  -max-packets-cache-size uint
        max packets per ip cache size (default 10000)
  -max-packets-cache-ttl duration
        max packets per ip cache ttl (default 3m0s)
  -max-packets-per-second uint
        max packets per ip per second (default 100)
  -update-interval duration
        update frequency (default 12h0m0s)
  -update-timeout duration
        update timeout (per filter) (default 10s)
  -workers-count uint
        nfqueue workers count (default 12)
Prometheus metrics

By default, metrics are exposed at:

curl --user admin:mypass http://localhost:8000/v1/metrics

The metrics endpoint is protected by the same BasicAuth credentials as the API.

Example API usage
# Check IP is in whitelist
curl -u admin:mypass -X GET http://localhost:8000/v1/whitelist/subnets/200.168.0.1

# Add subnet to whitelist
curl -u admin:mypass -X POST http://localhost:8000/v1/whitelist/subnets \
  -d '{"subnets": ["200.168.0.0/16"]}'

# Get all whitelist subnets
curl -u admin:mypass -X GET http://localhost:8000/v1/whitelist/subnets

# Remove subnet from whitelist
curl -u admin:mypass -X DELETE http://localhost:8000/v1/whitelist/subnets \
  -d '{"subnets": ["200.168.0.0/16"]}'

✨ Key Features

  • NFQUEUE-based packet interception
    Uses Linux Netfilter queues to copy inbound packets into user space with minimal overhead.

  • Fast packet parsing with gopacket
    Parses traffic efficiently (lazy and no copy modes enabled).

  • Lock-free core
    Meds itself does not use any mutexes β€” all filtering, counters, and rate-limiters use atomic operations.
    Dependencies like otter/v2 may internally use fine-grained locks, but they do not affect the lock-free processing pipeline.

  • Blacklist-based filtering

  • Rate Limiting per IP
    Uses token bucket algorithm to limit burst and sustained traffic per source IP.
    Protects against high-frequency floods (SYN, DNS, ICMP, or generic packet floods).

  • HTTP API for runtime configuration
    Built-in API server (powered by Gin) allows dynamically adding or removing IP or DNS entries in global whitelists/blacklists.
    Auth via BasicAuth using MEDS_USERNAME / MEDS_PASSWORD.

  • Prometheus metrics export
    Exposes metrics for observability:

    • Total packets processed
    • Dropped packets (with reasons)
    • Accepted packets (with reasons)

    Metrics are available at /v1/metrics via the built-in API server, compatible with Prometheus scrape targets.

  • Asynchronous logging
    Uses zerolog with worker-based async logging for minimal overhead.

  • Efficient lookups
    Uses radix tree and bart for IP/domain matching at scale.

  • Extensible design
    Modular architecture allows adding new filters (GeoIP, ASN, SNI/TLS filtering).

πŸ” How It Works

[Kernel] β†’ [NFQUEUE] β†’ [Meds]
                     ↳ Whitelist
                     ↳ Rate Limiter
                     ↳ Blacklist
                     ↳ Decision: ACCEPT / DROP

  1. Packet interception
    All inbound packets are queued from Netfilter (iptables rule with -j NFQUEUE).

  2. Classification pipeline
    Packets go through multiple filters:

    • Global IP/DNS whitelist check
    • Rate Limiting per source IP
    • IP/DNS blacklist check (global and per-filter)

  3. Decision engine

    • ACCEPT β†’ packet is safe, passed to kernel stack
    • DROP β†’ packet is malicious, discarded immediately

  4. Metrics & logging
    Every decision is counted and exported via Prometheus for monitoring and alerting.
    All events are asynchronously logged to minimize packet processing latency.

πŸ“Š Example Metrics (Prometheus)

# Total number of accepted packets
meds_core_packets_accepted_total{filter="empty",reason="default"} 2165
meds_core_packets_accepted_total{filter="ip",reason="whitelisted"} 102

# Total number of dropped packets
meds_core_packets_dropped_total{filter="dns",reason="StevenBlack"} 3
meds_core_packets_dropped_total{filter="ip",reason="FireHOL"} 167

# Total number of processed packets
meds_core_packets_processed_total 2437

πŸ“œ License

Meds is released under the MIT License.
See LICENSE for details.

Directories ΒΆ

Path Synopsis
cmd
daemon command
lib
util
util/get
src
api
config
core
core/filter
core/filter/dns
core/filter/ip
core/filter/rate
core/logger
core/logger/event
core/metrics
database
server
types

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.