Package Details: husk 0.9.13-1

Git Clone URL: (read-only)
Package Base: husk
Description: An iptables front-end to allow rules to be expressed in a more flexible, free-form style using language.
Upstream URL:
Licenses: GPL
Conflicts: husk-git
Submitter: fukawi2
Maintainer: fukawi2
Last Packager: fukawi2
Votes: 4
Popularity: 0.000000
First Submitted: 2010-11-01 07:47
Last Updated: 2015-06-08 23:54

Latest Comments

fukawi2 commented on 2014-09-16 08:17

Bump to 0.9.13

fukawi2 commented on 2013-08-01 23:09

Done, thx.

asdil12 commented on 2013-08-01 18:52

please add iptables to dependencies - build fails without

fukawi2 commented on 2013-06-03 22:57

Done in -3

valr commented on 2013-06-03 19:45

Following the latest news and move of /bin, /sbin, /usr/sbin to /usr/bin, could you adapt the PKGBUILD to something like this:

package() {
    cd "$srcdir/$pkgname-$pkgver"
    # point the Makefile at /usr instead of /usr/local, and at /usr/bin instead of /usr/sbin
    sed -e 's|/usr/local/|/usr/|g' -i Makefile
    sed -e 's|/usr/sbin|/usr/bin|g' -i Makefile
    make DESTDIR="$pkgdir" install
}


fukawi2 commented on 2013-02-25 10:27

Bump to 0.9.11
Note the output format has changed from a bash script to an iptables-restore script. Bash output is still available:

fukawi2 commented on 2012-12-09 23:37

Bump to 0.9.10
Lots of changes; check the CHANGES file for a complete list:

fukawi2 commented on 2012-02-26 10:35

Bump to 0.9.9:
cleanup of ipv6 bogon list
cleanup and repairs to compile_nat for "map" functionality
destination address not optional in "map" rule
large cleanup, rewrite and repair of "compile_nat" sub
cleanup of code for "common nat" rules; support for specifying source address to snat
removed generation of "map" inversion; not required
fire: added helper to make suggestions against ruleset

mrbit commented on 2012-02-05 11:49

and installed cloog-0.17.0-1

gcc -Os -Wall -g -DVERSION=\"1.25\" -D__COMPILER__="\"gcc (GCC) 4.6.2 20120120 (prerelease)\"" dd_rescue.c -o dd_rescue
/usr/lib/gcc/x86_64-unknown-linux-gnu/4.6.2/cc1: error while loading shared libraries: cannot open shared object file: No such file or directory
make: *** [dd_rescue] Errore 1

fukawi2 commented on 2012-02-05 10:16

Bump to 0.9.8:
update "fallback" function of Makefile
added man page for husk.conf
added "clean" target to Makefile
updated Makefile "uninstall" target
cleanup README; remove duplicate documentation
fire: user feedback on rule count after load
added code support for documented "rules_file" config option
added "wlan" to list of valid interface prefixes
fire: fix errors when generating user feedback on systems without ipv6
fire: log to syslog if compilation fails
fire; fix for logging iptables errors

fukawi2 commented on 2012-01-28 01:58

Bump to 0.9.7
Fixed some IPv6 issues mostly.

fukawi2 commented on 2011-12-28 07:20

Decent (usable) IPv6 support in this version.

==> Version 0.9.5
fixed bug when checking for unknown config file options
rework of ipv6 support.
updated man docs for ipv6 changes
general mass cleanup of code
fix small typos
remove src/
fix bug when ipv6 is disabled
updates for ipv6 mods

fukawi2 commented on 2011-12-21 11:42

==> Version 0.9.4
add support for --log-prefix when using LOG target
added some documentation to man page about TARGETS under RULE SYNTAX
fix regex that matches quoted strings
make header printing its own sub for reuse purposes
fe80::/10 isn't site-local, it is link-local; not a bogon
replace ipv6 anti-spoof dhcp bypass with generic link-local fe80::/10 bypass
fix whitespace indenting
cleanup reading of interfaces.conf
fix bug in &basename function
use "conntrack" module for state rules rather than "state" module
remove redundant comment header
allow revert to using 'state' module instead of 'conntrack' / 'ctstate'
check for unknown configuration in husk.conf
don't barf if the config file is empty or all comments; use defaults

fukawi2 commented on 2011-11-13 10:36

Bump to 0.9.3
added tcp 6052 to avg helper
fix whitespace in avg helper
trim $src in spoof to prevent excess whitespace in output
remove references to iptables-restore; not used anymore
added ignore_autoconf option to prevent logging of traffic from rfc3927 autoconfigured hosts
added "configuration" section to husk manpage
fixed typos in pod syntax
expanded man page to include full list of references within SEE ALSO section
fix regex for finding bad syntax
more accurate error message when invalid syntax is found
Create a LOG rule for anything that slips to the end of chains.
fix perl syntax for calling subrouting log_and_drop
fix perl syntax for calling subroutine log_and_drop
Merge branch 'master' of
fixed default husk.conf file
removal of magic constants to set config file defaults when reading conf file
perl syntax errors in the last commit.

fukawi2 commented on 2011-09-16 09:41

Bump to 0.9.2
Lots of minor changes and fixes.
Expanded and more accurate helpers.
fire script now saves rules using init script if it can be found.

fukawi2 commented on 2011-06-13 12:53

Bump to 0.9.0
Initial IPv6 support in this :)

fukawi2 commented on 2011-04-14 13:42

==> Version 0.8.4
Merge branch 'master' of
always print license and disclaimer at top of output
add system init script save command to end of fire script
cleanup of fire script
fixed typo in sql helper
removed ICMP target from standalone example rules (replaced by helper file)
added support for custom named xen bridges (eg, xenNET)
added pptp helper to Makefile
added helper ruleset for pptp
use "x" instead of "crs" for cross-zone chain prefix

fukawi2 commented on 2011-02-17 08:26

==> Version 0.8.0
fixed handling of ports in "map" rules
support for using source port and destination port in the same rule; support for multiport interception
small fix to my home-made coalesce function
code correctness for returning from procedure subs
added better code correctness for usage of next and last functions
wrong backref on source|dest ports
fixed broken file includes
updated logging options for log and drop
updated logging comment for portscan rules
added licensing details for portscan rules
fix incorrect logic on comparing --no-confirm flag in fire script
only jump antispoof chain for traffic on interfaces we're protecting
fixed the way we append the line number comment to raw iptables rules
added portscan to example rules
added portscan functionality to README
adjust logging options to prevent dos issues
added a "common" function for portscan protection
added a --no-confirm option to fire script
updated example rules to use current chain substitution in raw iptables
allow current chain substitution in raw iptables

fukawi2 commented on 2010-12-31 04:29

==> Version 0.7.2
changed the criteria for autogenerated crs chains
only check defined interfaces for bridged status
fixed bridge handling
don't use physdev for ME zone
more intelligent bridge detection
fixed simple example rules
added "vif" interface regex
added a TODO note
added support for bridged interfaces using physdev module
updated regex for interface name matching validation

fukawi2 commented on 2010-12-22 12:02

Version 0.7.0.
Rewrite and Refactor to avoid copyright issues.

fukawi2 commented on 2010-12-02 08:50

==> Version 0.6.5
adjusted comment on dhcp discover spoof bypass
fixed iptables syntax errors
fixed syntax errors
bypass spoof protection for dhcp discover packets
removed as a bogon since it can be legitimate source
incorrect back reference used in multiport regex
added new-no-syn protection to simple example rules using syntax "standard syn"
swap a long if-elsif-elsif-etc block for a switch block
extra commenting
renamed sub "strip_extra_spaces" to "collapse_spaces"
new method of handling empty and comment-only lines
added "standard" new-no-syn protection
added a coalesce function to tidy up some ternary operations

fukawi2 commented on 2010-12-01 08:23

==> Version 0.6.4
updated simple example rules to include drop handler
modified some regex
updated README to explain handlers
added support for drop and reject handlers
stop time module being included in all rules
general code cleanup; pass arguments to subs using hashes

fukawi2 commented on 2010-11-29 08:36

==> Version 0.6.3
fixed regex patterns for "port" and "ports" keywords
added support for "day" keyword; fixed syntax of output rules when using modules with multiple options
fixed syntax for statistics module
fixed syntax error
added support for statistics module with keywords "every" and "offset"
added error checking for script output
added support for time-based "start" and "finish" keywords
added icons
fixed interface name matching in standard rule compilation
added logging for standard protections

fukawi2 commented on 2010-11-28 12:30

==> Version 0.6.2
added simple example file to Makefile
added simple example file
refactor of the way bogons are generated to include comments
expanded bogon configuration
expanded error handling of unknown keywords
added CHANGES file

fukawi2 commented on 2010-11-27 00:01

==> Version 0.6.1
make some regexes a bit more liberal
fixed syntax error and scope declaration issues

fukawi2 commented on 2010-11-25 12:16

==> Version 0.6.0
replace string comparisons with regex comparisons
rename variable to make its purpose clearer
reworded error message when "end match calls" is found in wrong place
add a line number comment to "iptables" rules
refactor how call chains are dispatched
refactor some routines to make greater use of hashes
renamed function compile_redirect to compile_interception
added support for source or destination ports instead of only destination ports
fixed more regexes
updated some regex patterns to be more accurate
fixed bug setting default policies
extra error handling for ending blocks
fixed comment on bogon rule
updated README to document the "ANY" interface
fixed parsing of hostgroups
don't remove config during uninstall
added example rule for "ANY" special interface
added support for special interface "ANY"
added a debugging function
fixed hostgroup usage
added missing RFC1918 address to bogons
test for root in fire script
added bogons to hostgroups.conf
sanity check for duplicates in interfaces file
only generate protection chains if the rules file actually uses them
fixed fire script to exit if compilation fails

fukawi2 commented on 2010-11-21 03:56

Bump to 0.5.2:

==> Version 0.5.2
updated 'fire' script

we're now much 'safer' with an automatic reversion to the previous
ruleset if the application is not confirmed by the user. based on the
script written by Martin F. Krafft <> and distributed
under the Artistic Licence 2.0
Much more sanity checking and error handling too.
call bogon and xmas protection early (-I instead of -A)
fixed error in bogon and xmas protection generation
fixed error in bogon and xmas protection generation
converted constants to use uppercase names
added support for "xmas" standard function
updated README file
added support for "bogon" standard function

fukawi2 commented on 2010-11-20 09:19

Bump to 0.5.1
Fixed some "show-stopper" bugs in 0.5.0 with 'forward' rules.

fukawi2 commented on 2010-11-20 06:00

Bump to 0.5.0

==> Version 0.5.0
updated example rules to suit new 'match chain' syntax

out of habit from the system husk is based on, I wrote 'match table'
when it should have been 'match chain' so the syntax has been
updated to suit the correct semantics.
fixed default config file
major cleanup and refactor

fukawi2 commented on 2010-11-11 09:34

Bump to 0.4.2:

only snat for rfc1918 private addresses
refactored rules generation in compile_call
updated Makefile to avoid clobbering existing config
fixed typo in generation of loopback rules
updated install paths in Makefile