matchstick
a lua-based nftables firewall configuration tool. compiles declarative firewall configs into native nftables rulesets with automatic sysctl management, input validation, and shadow rule detection.
matchstick replaces tools like ufw, shorewall, and firewalld with a single lua file that is version-controllable and reviewable, and that produces identical output every time.
-- Example matchstick config: a host with one upstream (wan) and one
-- trusted (lan) interface. `fw` is provided by matchstick, not this file.

-- Services the firewall refers to below: (name, l4 protocol, port/type).
local ssh  = fw:service("ssh", "tcp", 22)
local http = fw:service("http", "tcp", 80)
local ping = fw:service("ping", "icmp", "echo-request")

-- Zones. The first zone has no interface and stands for the firewall host
-- itself; named `host` here rather than `self` so it is not confused with
-- the implicit method receiver. The others bind to a physical interface.
local host = fw:zone("fw")
local wan  = fw:zone("wan", "eth0")
local lan  = fw:zone("lan", "eth1")

-- Default policy per zone pair. Unsolicited wan -> host traffic is dropped
-- and logged (log = true); host -> wan, lan -> host and lan -> wan are
-- accepted. No policy is declared for wan -> lan or host -> lan here, so
-- those pairs fall back to matchstick's default — confirm what that is.
fw:policy(wan, host, "drop", { log = true })
fw:policy(host, wan, "accept")
fw:policy(lan, host, "accept")
fw:policy(lan, wan, "accept")

-- Exceptions to the wan -> host drop policy: ssh, http and ping are
-- reachable from any wan address. Rule order is kept as written, since
-- it may carry over into the rendered ruleset. Whether fw:rule accepts
-- a source restriction is not shown in this example.
fw:rule(wan, host, "accept", ssh)
fw:rule(wan, host, "accept", http)
fw:rule(wan, host, "accept", ping)

-- Source NAT: presumably masquerades 10.0.0.0/8 traffic leaving via eth0
-- (the wan interface) — verify against the fw:snat documentation.
fw:snat({ from = "10.0.0.0/8", oif = "eth0", masquerade = true })
install
# Build from source. `make install` writes to the install prefix, so it may
# need elevated privileges depending on where the Makefile installs
# (prefix not shown here — check the Makefile before running it as root).
git clone https://github.com/elee1766/matchstick
cd matchstick
make install
usage
# msctl manages the firewall on a running system
# (it loads the ruleset into the kernel, so it needs the privileges nft needs)
msctl enable # compile the config and apply the resulting ruleset to the kernel
msctl disable # remove all rules loaded by matchstick
msctl status # show the rules currently loaded in the kernel
msctl diff # diff running rules vs what the config would render (useful before enable)
msctl show # zone policy matrix
msctl show rules lan fw # rules for a zone pair (here: lan -> the firewall host)
# matchstick is the compiler (no root, no nft needed) — safe to run in CI
# or on a workstation to review a config before it reaches a host
matchstick check firewall.lua # validate the config without rendering
matchstick render firewall.lua # print nftables output
matchstick render --json firewall.lua # same, as JSON
matchstick show matrix firewall.lua # zone policy matrix from the config file
migrating from ufw
# Convert the existing ufw rules into a matchstick config. Note that sudo
# applies only to `ufw show added`; the `> /etc/matchstick/...` redirect
# runs as the invoking user, so /etc/matchstick must already exist and be
# writable by that user, otherwise the shell fails before ufw runs.
sudo ufw show added | matchstick import-ufw > /etc/matchstick/firewall.lua
# Review the generated file before enabling it: the import is a best-effort
# translation, and the config is Lua that matchstick will execute.
# NOTE(review): `check` is not among the msctl subcommands listed above —
# confirm it exists, or validate with `matchstick check /etc/matchstick/firewall.lua`.
msctl check
# edit config to adjust zone/host names
msctl enable