v0.5.0
Highlights
Intent mode. This release adds the first end-to-end Intent policy path for additive allowlists: "ARP OR DNS to this resolver OR HTTPS to this service" can now be expressed directly instead of trying to force OR semantics through linear --chain composition.
```
traffico --ifname=eth0 --at=EGRESS \
  --allow arp \
  --allow dns/10.0.0.53 \
  --allow tcp/10.0.0.10:443
```
Intent mode currently supports:
- arp
- dns/IPv4
- tcp/IPv4:PORT
- udp/IPv4:PORT
This resolves the policy-shape problem tracked in #50 while keeping --chain as a linear staged composition model.
Compiler core. Intent mode is backed by a new compiler pipeline:
- typed Intent IR for user-facing permit selectors (#68)
- Decision DAG builder and validator (#69)
- backend-neutral enforcement extraction (#71)
- first Linux BPF egress backend (#71)
The Decision DAG keeps permit branches correlated, so tcp/10.0.0.10:443 and udp/10.0.0.20:123 do not accidentally become a rectangular allowlist.
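To make the "rectangular allowlist" failure concrete, the following added example (not traffico's own code) models the two evaluation semantics side by side: correlated permits, where a packet must match one whole (protocol, address, port) branch, against a naive matcher that checks protocol, address and port as three independent sets. The Packet type, the parse_permit helper and the treatment of dns/IPv4 as UDP to port 53 are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

Permit = Tuple[str, Optional[str], Optional[int]]  # (proto, dst_ip, dst_port)

@dataclass(frozen=True)
class Packet:
    """Constructed model of a parsed egress packet (not traffico's own type)."""
    proto: str                     # "arp", "tcp" or "udp"
    dst_ip: Optional[str] = None   # None when the header could not be parsed
    dst_port: Optional[int] = None

def parse_permit(selector: str) -> Permit:
    """Parse one selector (arp, dns/IPv4, tcp/IPv4:PORT, udp/IPv4:PORT).
    Assumption for this example: dns/IPv4 is modelled as UDP to port 53."""
    if selector == "arp":
        return ("arp", None, None)
    proto, _, rest = selector.partition("/")
    if proto == "dns":
        return ("udp", rest, 53)
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported selector: {selector}")
    ip, _, port = rest.partition(":")
    return (proto, ip, int(port))

def correlated_allow(permits: Set[Permit], pkt: Packet) -> bool:
    """Correlated semantics: a packet must match one whole permit branch.
    Packets whose IP/port could not be parsed fail closed (default deny)."""
    if pkt.proto == "arp":
        return ("arp", None, None) in permits
    if pkt.dst_ip is None or pkt.dst_port is None:
        return False
    return (pkt.proto, pkt.dst_ip, pkt.dst_port) in permits

def rectangular_allow(permits: Set[Permit], pkt: Packet) -> bool:
    """Anti-pattern: matching proto, IP and port as three independent sets
    admits the whole cross product, not just the requested pairs."""
    l4 = [p for p in permits if p[0] != "arp"]
    protos = {p[0] for p in l4}
    ips = {p[1] for p in l4}
    ports = {p[2] for p in l4}
    if pkt.proto == "arp":
        return ("arp", None, None) in permits
    return pkt.proto in protos and pkt.dst_ip in ips and pkt.dst_port in ports

if __name__ == "__main__":
    policy = {parse_permit(s) for s in
              ["arp", "dns/10.0.0.53", "tcp/10.0.0.10:443", "udp/10.0.0.20:123"]}
    leak = Packet("tcp", "10.0.0.20", 443)   # never requested by any permit
    print("correlated:", correlated_allow(policy, leak))    # False
    print("rectangular:", rectangular_allow(policy, leak))  # True
```

Because permits are held as a set, the result is independent of the order in which --allow flags were given, which is the property the permit-order independence tests below check.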
Safe iteration workflow. The CLI now supports --dry-run and --explain for Intent policies (#70):
```
traffico --ifname=eth0 --at=EGRESS \
  --allow arp \
  --allow tcp/10.0.0.10:443 \
  --dry-run --explain
```
--permit is available as an alias for --allow.
Runtime behavior
The first Intent backend is the Linux BPF egress adapter. It validates backend admissibility before attach, installs one policy as a default-deny allowlist, and fails closed for malformed or unenforceable packets.
Intent ingress is parsed and can be explained, but live ingress attach is intentionally rejected until an ingress backend is designed.
Testing
This release adds coverage across the new compiler and backend layers:
- Intent IR unit tests (#68)
- Decision DAG unit tests (#69)
- CLI dry-run and explain tests (#70)
- live Intent attach and cleanup tests (#71)
- Scapy packet tests for correlated permits, no rectangular leaks, malformed packets, fragments, ARP, DNS, TCP, UDP, and permit-order independence (#71)
The Scapy helper was also hardened to wait for sniffer readiness before sending packets (#73), and block-program fail-open boundaries are now explicitly covered alongside allow-program fail-closed behavior (#74).
Documentation
The README now documents Intent mode, selector syntax, --dry-run, --explain, and the relationship between additive Intent policies and linear --chain policies (#72).
Full Changelog: v0.4.0...v0.5.0