Add iptlite packet filter modules #7541
Conversation
chain *chain_head;
chain *last_rule;
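Review bot: `chain_head` and `last_rule` are declared without `static`, so any other object in the image can reach and rewrite the rule chain by symbol name; the rule list is the filter's security-critical state and should be file-scope `static`, reachable only through the nflite functions.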
Include "g_" before the variable names to indicate they are global variables.
in_addr_t destipaddr;
in_port_t srcport;
in_port_t destport;
chain *next;
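Review bot: nothing documents the byte order of `destipaddr`, `srcport` and `destport`, yet these fields are later compared for equality against packet header values; state at each field whether it holds network or host order and make the rule-adding path and `nflite_verify_ipv4` agree, otherwise a rule written from the CLI in one order and a header field read in the other will never match.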
Include "FAR chain *net" to be compatible with 8-bit MCUs that require it.
in_port_t srcport, in_port_t destport)
{
chain *new_chainrule = (chain *)malloc(sizeof(chain));
if (new_chainrule == NULL) return false;
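Review bot: the malloc result is checked, but the new rule is not shown being fully initialised before use; with `malloc` (not `calloc`) `new_chainrule->next` is indeterminate until assigned, so set every field, `next = NULL` included, before the node is linked into the chain. The `(chain *)` cast on `malloc` is unnecessary in C and can mask a missing `<stdlib.h>` include.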
Please include:
{
}
if ((current_rule->destipaddr == 0 \
    || current_rule->destipaddr == destipaddr) \
    && (current_rule->srcipaddr == 0 \
    || current_rule->srcipaddr == srcipaddr) \
    && (current_rule->destport == 0 \
    || current_rule->destport == destport) \
    && (current_rule->srcport == 0 \
    || current_rule->srcport == srcport)) return false;
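Review bot: the backslash line continuations inside this `if` are not needed outside a macro and only make the condition harder to edit; drop them and put one clause per line. The comparison treats 0 as a wildcard in every field, so no rule can ever match the literal address 0.0.0.0 or port 0, and the loop returns `false` as soon as the first rule covers the 4-tuple; whichever caller this serves (refusing a rule that an existing, broader rule already covers, or dropping a packet), document that 0 means "any" and that the first covering rule wins, in the function comment and in the CLI help.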
Ditto! ( { } )
chain *head = chain_head->next;
char **table = (char **)malloc(rules_counter * sizeof(char *));

for (int i = 0; i < rules_counter; i++)
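Review bot: the return value of `malloc(rules_counter * sizeof(char *))` is not checked before the loop that fills `table`, and because `rules_counter` is kept separately from the list itself, a counter that has drifted from the real chain length mis-sizes the table; check for NULL, keep the count as a `size_t`, and consider formatting the rules into a caller-supplied buffer instead of allocating one string per rule, which fragments the heap on a small MCU.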
Move "int i" to the top of the function to be C89 compatible.
#ifdef CONFIG_NETUTILS_IPTLITE
/* Check if packet needs to be dropped */

bool is_valid_packet = nflite_verify_ipv4(dev);
Declare this variable at the top
/* Check if packet needs to be dropped */

bool is_valid_packet = nflite_verify_ipv4(dev);
if (!is_valid_packet) goto drop;
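Review bot: the drop hook is compiled under `CONFIG_NETUTILS_IPTLITE`, a symbol from the apps netutils namespace, while this is kernel network-input code; give the hook its own kernel-side Kconfig symbol so the kernel build does not depend on the apps configuration, and declare `nflite_verify_ipv4` in a kernel-internal header rather than as a function exported towards userspace.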
Ditto
void nflite_initialize(void)
{
chain_head = (chain *)malloc(sizeof(chain));
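Review bot: besides checking the malloc, `nflite_initialize` should refuse to run twice: a second call overwrites `chain_head`, leaking the previous sentinel and every rule hung off it and silently discarding installed filter rules. Return early if `chain_head` is already non-NULL, and since the head only serves as a sentinel (callers start from `chain_head->next`), a static `chain` object would remove both the allocation and its failure path.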
Malloc could fail; check the return value and change the function from void to int so it can return an error.
What's the exact relationship between this code and https://www.netfilter.org/?
@P1F @wengzhe has developed an infrastructure for iptables; you may now port the filter functionality with less effort and in a more standardized way. Please refer to the following PRs to learn the usage: apache/nuttx-apps#1479 and #7989.
@P1F @duduita please take a look at this infrastructure for iptables from @wengzhe when adapting the code.
Hey Alan! We'll take a look. Thank you for referencing the PR.
@P1F @yamt @xiaoxiang781216 @acassis @jkivilin Hello everyone, if I want to support a firewall in the NuttX system, what should I do? Are there any corresponding development references, or references for porting third-party software? I found this issue. Could you please confirm whether this merge request, once added, will be able to implement common firewall functionalities?
@xiaotailang this patch exposes functions to userspace directly, which is forbidden, so the code needs to be modified to go through the ioctl interface. apache/nuttx-apps#1479 and #7989 can help with this.
@P1F and I were thinking about continuing to work on our packet filter contribution, but these PRs, apache/nuttx-apps#1479 and #7989, raised some questions @xiaoxiang781216. It seems that the mentioned PRs implemented more sophisticated tables and structures to be used in a packet filter, including the iptables, but the packet filter itself, in other words the netfilter Linux equivalent, wasn't implemented, am I right @xiaoxiang781216? So, if I understood well, if we decide to resume our contribution work, we wouldn't need apache/nuttx-apps#1399, since the iptables seem to be already implemented in apache/nuttx-apps#1479, but we would still need to add the netfilter, something like the function that we have in this PR, but using the new structures, right?
Yes, you are right. iptables is a complete framework; #7989 just implements the core framework and NAT functionality.
Yes, you can reuse the tool in userspace.
Yes, the remaining work is to integrate your work into the new iptables framework and expose the new ipfilter through ioctl/struct, which should be compatible with Linux.
OK! Thank you very much.
@P1F and I are working on the suggested changes to merge this PR, but we have some questions @xiaoxiang781216 @acassis @wengzhe:
Normally, only the core APIs are exposed through syscall, the optional APIs are exposed through ioctl. But the key point is that the new interface is better to follow:
Yes, the ad hoc user space APIs should be avoided as much as possible, especially other OS already define a mature interface: |
Summary
This merge request aims to add a lightweight packet filter to NuttX, called iptlite (iptables lite), which is based on the Linux firewall, iptables and netfilter. This first implementation focuses on the essential commands, such as adding a drop rule based on the 4-tuple (source IPv4 address, destination IPv4 address, source port and destination port), flushing all rules and listing all rules, for all ingress TCP packets.
The implementation is divided into two parts: the iptlite app, the CLI for the user, and the nflite modules (netfilter lite), which provide the APIs to the iptlite app and can be seen in another MR on the incubator-nuttx repository.
This project was considered the third-best security tool in the XXII Brazilian Symposium on Information Security and Computer Systems, and the related paper was accepted by this conference as well.
Impact
This lightweight packet filter could be an additional security feature, especially in the IoT environment, allowing users to adopt, for instance, a zero trust policy, consequently denying all ingress packets except the preset ones.
Testing
In order to give more context about the implementation that was made, the following link shows a quick video demo of the project.
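The 4-tuple DROP chain described in the Summary, written out as a self-contained C model that applies the fixes asked for in the review (checked malloc, `g_`-prefixed static globals, `FAR` pointers, documented byte order and wildcard semantics). This is an added example, not the PR's or NuttX's code: every name (`ipt_*`, `g_ipt_*`), the `FAR` fallback macro and the scenario addresses are assumptions, and the "list all rules" command is left out here.

```c
/* Added example, not the PR's or NuttX's code: a model of the iptlite 4-tuple
 * DROP chain. Names (ipt_*, g_ipt_*) are hypothetical.
 * Build: cc -std=c99 -Wall ipt_example.c && ./a.out */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef FAR
#  define FAR   /* NuttX far-pointer qualifier; empty on a 32-bit host (assumption) */
#endif

struct ipt_rule {
  in_addr_t srcipaddr, destipaddr;  /* network byte order; 0 = wildcard ("any") */
  in_port_t srcport, destport;      /* network byte order; 0 = wildcard ("any") */
  FAR struct ipt_rule *next;
};

/* static: the chain is reachable only through the functions below */
static FAR struct ipt_rule *g_ipt_head = NULL;
static FAR struct ipt_rule *g_ipt_tail = NULL;
static int g_ipt_count = 0;

/* Append a DROP rule; returns 0, or -1 if the allocation fails. */
int ipt_add_drop_rule(in_addr_t src, in_addr_t dst, in_port_t sport, in_port_t dport)
{
  FAR struct ipt_rule *rule = malloc(sizeof(*rule));
  if (rule == NULL) {
    return -1;
  }
  rule->srcipaddr = src;  rule->destipaddr = dst;   /* fully initialise before linking */
  rule->srcport = sport;  rule->destport = dport;
  rule->next = NULL;
  if (g_ipt_tail == NULL) {
    g_ipt_head = rule;
  } else {
    g_ipt_tail->next = rule;
  }
  g_ipt_tail = rule;
  g_ipt_count++;
  return 0;
}

/* Ingress TCP hook: true = pass, false = drop. A zero field matches anything,
 * so an all-zero rule is a catch-all drop (deny by default). Caveat of this
 * encoding: no rule can ever match the literal address 0.0.0.0 or port 0. */
bool ipt_verify_tcp(in_addr_t src, in_addr_t dst, in_port_t sport, in_port_t dport)
{
  FAR struct ipt_rule *r;
  for (r = g_ipt_head; r != NULL; r = r->next) {
    if ((r->srcipaddr == 0 || r->srcipaddr == src) &&
        (r->destipaddr == 0 || r->destipaddr == dst) &&
        (r->srcport == 0 || r->srcport == sport) &&
        (r->destport == 0 || r->destport == dport)) {
      return false;   /* first covering rule wins */
    }
  }
  return true;
}

/* Flush (iptables -F): free every rule and reset the chain. */
void ipt_flush(void)
{
  FAR struct ipt_rule *r = g_ipt_head, *next;
  for (; r != NULL; r = next) {
    next = r->next;   /* read before free */
    free(r);
  }
  g_ipt_head = g_ipt_tail = NULL;
  g_ipt_count = 0;
}

int ipt_count(void) { return g_ipt_count; }

/* Constructed scenario: drop telnet (23) from 192.168.1.10 only, then flush.
 * Returns 0 when every step behaves, otherwise the number of the failing step. */
int ipt_selftest(void)
{
  in_addr_t attacker = htonl(0xC0A8010Au), other = htonl(0xC0A8010Bu); /* 192.168.1.10/.11 */
  in_addr_t device = htonl(0x0A000001u);                               /* 10.0.0.1 */
  if (ipt_add_drop_rule(attacker, 0, 0, htons(23)) != 0) return 1;
  if (ipt_verify_tcp(attacker, device, htons(40000), htons(23))) return 2;  /* must be dropped */
  if (!ipt_verify_tcp(other, device, htons(40000), htons(23))) return 3;    /* other host passes */
  if (!ipt_verify_tcp(attacker, device, htons(40000), htons(22))) return 4; /* other port passes */
  if (ipt_count() != 1) return 5;
  ipt_flush();
  return (ipt_count() == 0 && ipt_verify_tcp(attacker, device, htons(40000), htons(23))) ? 0 : 6;
}

int main(void)
{
  int rc = ipt_selftest();
  printf("iptlite model selftest: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
  return rc;
}
```

Both the rule store and the packet hook take addresses and ports in network byte order, so a CLI that parses "192.168.1.10" with `inet_pton()` and ports with `htons()` can hand the values over unchanged; agreeing on that once is what keeps a rule from silently never matching.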