Add iptlite packet filter app #1399
Conversation
Shall we isolate between iptlite (user space) and nflite (kernel space), using ioctl or setsockopt (which iptables uses)?
void add_rule(int rule, char * srcip, char * destip, char * srcprt, \
              char * destprt)

Suggested change:
void add_rule(int rule, FAR char *srcip, FAR char *destip, FAR char *srcprt,
              FAR char *destprt)
in_addr_t srcipaddr, destipaddr;
in_port_t srcport, destport;

Suggested change:
in_addr_t srcipaddr;
in_addr_t destipaddr;
in_port_t srcport;
in_port_t destport;
void listall_rules(void)
{
  int rules_counter = nflite_get_rules_counter();
  char** table = nflite_listall();

Suggested change:
  FAR char** table = nflite_listall();
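Review bot: rules_counter and table are obtained by two separate calls, so a rule added or flushed between them leaves the count out of step with the table, and table is used with no NULL check. Prefer one call that returns the table together with its length (for example an out-parameter such as nflite_listall(FAR int *count)) and return early from listall_rules when it yields NULL.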
 * Included Files
 ****************************************************************************/

#include "../../../nuttx/net/devif/devif.h"
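Review bot: reaching nuttx/net/devif/devif.h through a ../../../ relative path couples the app to the kernel tree layout and drags a kernel-internal header into user space, where in a protected or kernel build the app cannot touch those symbols anyway. The app side should include only public headers, and the rule-table operations should go through the ioctl or setsockopt interface raised earlier in this thread, with that header exported from the kernel side.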
Can we somehow overcome this?
@@ -0,0 +1,94 @@ | |||
/**************************************************************************** |
license header is missing
We will look into the possibility of using one of these in our implementation. In the meantime, I have converted this PR to a draft.
@duduita @wengzhe has developed an infrastructure for iptables; you may port the filter functionality with less effort now. Please reference the following PRs to learn the usage: #1479 and apache/nuttx#7989.
Summary
This merge request aims to add a lightweight packet filter to NuttX, called iptlite (iptables lite), which was based on the Linux firewall, iptables and netfilter. This first implementation was focused on the essential commands, such as adding a drop rule based on the 4-tuple (source IPv4 address, destination IPv4 address, source port and destination port), flushing all rules and listing all rules, for all ingress TCP packets.
The implementation was divided into two parts: the iptlite app, the CLI for the user, and the nflite modules (netfilter lite), which will provide the APIs to the iptlite app and can be seen in another MR on the incubator-nuttx repository.
This project was considered the third-best security tool in the XXII Brazilian Symposium on Information Security and Computer Systems, and the related paper was accepted by this conference as well.
Impact
This lightweight packet filter could be an additional security feature, especially in the IoT environment, allowing users to adopt, for instance, a zero trust policy, consequently denying all ingress packets except the preset ones.
Testing
In order to give more context about the implementation that was made, the following link shows a quick video demo of the project.
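The rule model described in the Summary and the deny-by-default use mentioned under Impact, as an added example that is not part of this PR or of the nflite code: a small user-space C model of the 4-tuple filter with add, flush and list operations, a first-match lookup over the IPv4 addresses and TCP ports of an ingress packet, and a default policy that can be switched to deny-all so that only preset rules let traffic through. The example goes beyond the PR's drop-only rules by giving each rule an action (ACT_ACCEPT or ACT_DROP) and a configurable default; that extension, the wildcard convention (NULL address or port 0), and every type and function name here (rule_t, filter_add_rule, filter_verdict, filter_format_rule, build_tcp_packet) are assumptions of this example, not interfaces of iptlite or nflite. The packet headers it classifies are constructed inside the block.

```c
/* Added example, not code from the iptlite/nflite PR: a model of a 4-tuple
 * TCP filter with first-match rules and a configurable default policy, run
 * over constructed IPv4/TCP headers.  All identifiers are hypothetical. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define MAX_RULES    16
#define IP_PROTO_TCP 6

enum action { ACT_DROP = 0, ACT_ACCEPT = 1 };

typedef struct {
  in_addr_t src, dst;      /* network byte order; 0 means "any" */
  in_port_t sport, dport;  /* network byte order; 0 means "any" */
  enum action act;
} rule_t;

static rule_t g_rules[MAX_RULES];
static int g_nrules = 0;
static enum action g_default = ACT_ACCEPT;

/* Parse a dotted quad; NULL means "any".  Returns -1 on a bad address. */
static int parse_addr(const char *s, in_addr_t *out)
{
  struct in_addr a;
  if (s == NULL) { *out = 0; return 0; }
  if (inet_pton(AF_INET, s, &a) != 1) return -1;
  *out = a.s_addr;
  return 0;
}

void filter_set_default(enum action act) { g_default = act; }
void filter_flush(void) { g_nrules = 0; }

/* Append a rule; NULL address or port 0 is a wildcard.  -1 if full/invalid. */
int filter_add_rule(enum action act, const char *src, const char *dst,
                    uint16_t sport, uint16_t dport)
{
  rule_t r;
  if (g_nrules >= MAX_RULES) return -1;
  if (parse_addr(src, &r.src) < 0 || parse_addr(dst, &r.dst) < 0) return -1;
  r.sport = htons(sport); r.dport = htons(dport); r.act = act;
  g_rules[g_nrules++] = r;
  return 0;
}

/* Render rule idx for a "list" command; -1 if idx is out of range. */
int filter_format_rule(int idx, char *buf, size_t len)
{
  char s[INET_ADDRSTRLEN], d[INET_ADDRSTRLEN];
  const rule_t *r;
  if (idx < 0 || idx >= g_nrules) return -1;
  r = &g_rules[idx];
  inet_ntop(AF_INET, &r->src, s, sizeof s);
  inet_ntop(AF_INET, &r->dst, d, sizeof d);
  return snprintf(buf, len, "%s %s:%u -> %s:%u",
                  r->act == ACT_DROP ? "DROP" : "ACCEPT",
                  r->src ? s : "any", (unsigned)ntohs(r->sport),
                  r->dst ? d : "any", (unsigned)ntohs(r->dport));
}

/* Classify an ingress packet: ACT_ACCEPT, ACT_DROP, or -1 when the headers are
 * truncated/malformed (callers should drop those too).  Only IPv4/TCP is
 * filtered, as in the PR; other protocols pass through untouched. */
int filter_verdict(const uint8_t *pkt, size_t len)
{
  in_addr_t src, dst; in_port_t sport, dport;
  size_t ihl; int i;
  if (len < 20 || (pkt[0] >> 4) != 4) return -1;
  ihl = (pkt[0] & 0x0f) * 4u;
  if (ihl < 20 || ihl > len) return -1;
  if (pkt[9] != IP_PROTO_TCP) return ACT_ACCEPT;
  if (ihl + 4 > len) return -1;          /* need both TCP port fields */
  memcpy(&src, pkt + 12, 4); memcpy(&dst, pkt + 16, 4);      /* big-endian */
  memcpy(&sport, pkt + ihl, 2); memcpy(&dport, pkt + ihl + 2, 2);
  for (i = 0; i < g_nrules; i++) {
    const rule_t *r = &g_rules[i];
    if ((r->src == 0 || r->src == src) && (r->dst == 0 || r->dst == dst) &&
        (r->sport == 0 || r->sport == sport) && (r->dport == 0 || r->dport == dport))
      return r->act;                     /* first matching rule wins */
  }
  return g_default;
}

/* Constructed test input: bare IPv4 + TCP SYN headers (no options, zero
 * checksums).  Returns 40 (bytes written) or -1. */
int build_tcp_packet(uint8_t *buf, size_t len, const char *src, const char *dst,
                     uint16_t sport, uint16_t dport)
{
  in_addr_t s, d; uint16_t p;
  if (len < 40 || parse_addr(src, &s) < 0 || parse_addr(dst, &d) < 0) return -1;
  memset(buf, 0, 40);
  buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = IP_PROTO_TCP;  /* v4, IHL 5, len, TTL */
  memcpy(buf + 12, &s, 4); memcpy(buf + 16, &d, 4);
  p = htons(sport); memcpy(buf + 20, &p, 2);
  p = htons(dport); memcpy(buf + 22, &p, 2);
  buf[32] = 0x50; buf[33] = 0x02;        /* data offset 5 words, SYN */
  return 40;
}
```

A packet whose IP header length field claims more bytes than were received, or that is too short to carry both TCP ports, gets -1 rather than a rule lookup; treating that as a drop keeps a truncated header from slipping past a rule keyed on a port field. With the default set to ACT_DROP and a single ACCEPT rule for the service port, the table behaves as the deny-all-except-preset policy the Impact section describes.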