Systems · Networking · Python
weft — a tiny alternative internet
A working answer to "let's make a new internet." Not HTTP — its own line-based protocol over raw TCP, its own address scheme, a terminal browser, and an application-layer firewall you can drive live in your browser. Pure Python standard library, zero dependencies.
Overview
The modern web is heavy: a megabyte of scripts to show a paragraph of text, and something always measuring you. weft is the opposite bet — a small, human-scale network you can hold in your head. A "node" is one server hosting a folder of hand-written .weft pages; a terminal browser hops between nodes; three of them link into a little ring. The whole protocol is one request line and four status codes.
What's in it
📡 A protocol of its own
Connect over TCP, send GET /path, read a status line then the body. Addresses are weft://host:port/path. No cookies, no client-side code, no surveillance surface.
🧵 Nodes & a browser
A threaded server serves .weft pages (with path-traversal blocked); a terminal browser renders them, numbers the links, and follows them across nodes.
🧱 An application firewall
A filtering gateway sits in front of a node: it inspects each connection's source IP and path, applies an ordered ruleset, enforces a default policy, and logs every decision.
🔁 Live, reloadable rules
Per-path rate limits, a persistent block log, and hot reload — edit the ruleset and kill -HUP the firewall to swap it in with no restart and no dropped socket.
How it works
- The protocol: one request line over TCP; replies are
20ok /30redirect /40not found /50error, then the body. A client fits in any language in an afternoon. - The firewall: rules are evaluated top-to-bottom, first match wins (like an iptables chain), matching on CIDR (
from 127.0.0.0/8) and globs (path /admin*); anything unmatched hits the default policy. - Rate limiting: sliding-window connection caps per source IP, optionally scoped to a path — a loose site-wide cap plus a tight one just for an expensive endpoint.
- Hot reload: a
SIGHUPswaps the ruleset under a lock; in-flight connections finish on the rules they started with, and a malformed file is rejected so the old rules stay live. - Honest transparency: a half-close from the client is propagated rather than tearing the proxy down, and refused connections close gracefully (FIN, not RST) so the client always reads its rejection.
firewall.py, reimplemented in JavaScript — edit the rules, fire requests, and watch each ALLOW/DENY decision with the exact rule that fired. Open the live demo →