Network Policy
Active rules that govern how Qwall responds to each connection classification.
Active Rules
| Action | Condition | Reason |
|---|---|---|
| block | classical | Classical TLS (RSA/ECDH) is quantum-vulnerable. Blocked by Qwall policy. |
| allow | pqc | Post-quantum key exchange detected (ML-KEM-768 or hybrid). Connection allowed. |
| warn | unknown | Could not determine cryptographic posture. Flagged for review. |
How Policy Works
Qwall evaluates every inspected connection against these rules in order. The first matching rule wins.
Rules are stored in policy.json and are hot-reloadable via POST /policy.
| Action | Effect |
|---|---|
| allow | Connection is permitted. Logged to Qledger if configured. |
| block | Connection is rejected. Traffic does not reach the backend. |
| warn | Connection is allowed but flagged. Alert fires to configured channels. |
Update Policy via API
curl -X POST http://localhost:5051/policy \
-H "Content-Type: application/json" \
-d '{"rules": [
{"action": "allow", "condition": "pqc", "reason": "PQC required by CMMC 2.0"},
{"action": "block", "condition": "classical", "reason": "Classical TLS prohibited"},
{"action": "warn", "condition": "unknown", "reason": "Unknown crypto - investigate"}
]}'
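Because the first matching rule wins, a rule listed after another rule with the same condition never fires. The Python sketch below is an added example, not Qwall's own code: it lints a rules payload for unknown actions or conditions, shadowed rules, and uncovered conditions before the payload is POSTed, and mirrors first-match evaluation. The function names, the sample policy, and the `None` result for an unmatched classification are assumptions.

```python
import json

# Actions and conditions taken from the page's tables; anything else is rejected.
ACTIONS = {"allow", "block", "warn"}
CONDITIONS = {"pqc", "classical", "unknown"}

def lint_policy(policy):
    """Return a list of problems found in a {"rules": [...]} payload."""
    problems, seen = [], {}
    rules = policy.get("rules")
    if not isinstance(rules, list) or not rules:
        return ["'rules' must be a non-empty list"]
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append(f"rule {i}: not an object")
            continue
        action, cond = rule.get("action"), rule.get("condition")
        if action not in ACTIONS:
            problems.append(f"rule {i}: unknown action {action!r}")
        if cond not in CONDITIONS:
            problems.append(f"rule {i}: unknown condition {cond!r}")
        elif cond in seen:
            # First match wins, so a later rule for the same condition never fires.
            problems.append(f"rule {i}: shadowed by rule {seen[cond]} ({cond})")
        else:
            seen[cond] = i
    for cond in sorted(CONDITIONS - set(seen)):
        problems.append(f"no rule covers condition {cond!r}")
    return problems

def evaluate(policy, classification):
    """First-match evaluation: return the first rule whose condition matches."""
    for rule in policy["rules"]:
        if rule.get("condition") == classification:
            return rule
    return None  # assumption: the page does not say what Qwall does with no match

# Constructed sample: an early "allow" shadows the intended "block".
SAMPLE = json.loads("""{"rules": [
  {"action": "allow", "condition": "classical", "reason": "temporary exception"},
  {"action": "block", "condition": "classical", "reason": "Classical TLS prohibited"},
  {"action": "allow", "condition": "pqc", "reason": "PQC required"}
]}""")

if __name__ == "__main__":
    for problem in lint_policy(SAMPLE):
        print(problem)
    print(evaluate(SAMPLE, "classical")["action"])
```

Running the linter against policy.json before each hot reload catches a reordered or duplicated rule that would silently turn a block into an allow.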