net: pkt_filter: Introduce additional hooks for pkt_filter

The additional hooks provide infrastructure to construct rules on another network stack levels. Main benefit of this approach is packets are pre-parsed and e.g. IP filter is easier to implement. These hooks are equivalent of prerouting and local_in in linux's netfilter. Signed-off-by: Marcin Gasiorek <marcin.gasiorek@nordicsemi.no>
2023-07-06 14:17:51 +02:00 · 2023-07-06 14:17:51 +02:00 · 5894bec82f
parent eb16ab551f
commit 5894bec82f
7 changed files with 251 additions and 4 deletions
--- a/include/zephyr/net/net_pkt.h
+++ b/include/zephyr/net/net_pkt.h
@ -1275,6 +1275,37 @@ static inline bool net_pkt_filter_recv_ok(struct net_pkt *pkt)
 #endif /* CONFIG_NET_PKT_FILTER */
 #if defined(CONFIG_NET_PKT_FILTER) && \
 	(defined(CONFIG_NET_PKT_FILTER_IPV4_HOOK) || defined(CONFIG_NET_PKT_FILTER_IPV6_HOOK))
 bool net_pkt_filter_ip_recv_ok(struct net_pkt *pkt);
 #else
 static inline bool net_pkt_filter_ip_recv_ok(struct net_pkt *pkt)
 {
 	ARG_UNUSED(pkt);
 	return true;
 }
 #endif /* CONFIG_NET_PKT_FILTER_IPV4_HOOK || CONFIG_NET_PKT_FILTER_IPV6_HOOK */
 #if defined(CONFIG_NET_PKT_FILTER) && defined(CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK)
 bool net_pkt_filter_local_in_recv_ok(struct net_pkt *pkt);
 #else
 static inline bool net_pkt_filter_local_in_recv_ok(struct net_pkt *pkt)
 {
 	ARG_UNUSED(pkt);
 	return true;
 }
 #endif /* CONFIG_NET_PKT_FILTER && CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK */
 /* @endcond */
 /**
--- a/include/zephyr/net/net_pkt_filter.h
+++ b/include/zephyr/net/net_pkt_filter.h
@ -67,6 +67,12 @@ struct npf_rule_list {
 extern struct npf_rule_list npf_send_rules;
 /** @brief rule list applied to incoming packets */
 extern struct npf_rule_list npf_recv_rules;
 /** @brief rule list applied for local incoming packets */
 extern struct npf_rule_list npf_local_in_recv_rules;
 /** @brief rule list applied for IPv4 incoming packets */
 extern struct npf_rule_list npf_ipv4_recv_rules;
 /** @brief rule list applied for IPv6 incoming packets */
 extern struct npf_rule_list npf_ipv6_recv_rules;
 /**
 * @brief Insert a rule at the front of given rule list
@ -111,6 +117,27 @@ bool npf_remove_all_rules(struct npf_rule_list *rules);
 #define npf_remove_all_send_rules() npf_remove_all_rules(&npf_send_rules)
 #define npf_remove_all_recv_rules() npf_remove_all_rules(&npf_recv_rules)
 #ifdef CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK
 #define npf_insert_local_in_recv_rule(rule) npf_insert_rule(&npf_local_in_recv_rules, rule)
 #define npf_append_local_in_recv_rule(rule) npf_append_rule(&npf_local_in_recv_rules, rule)
 #define npf_remove_local_in_recv_rule(rule) npf_remove_rule(&npf_local_in_recv_rules, rule)
 #define npf_remove_all_local_in_recv_rules() npf_remove_all_rules(&npf_local_in_recv_rules)
 #endif /* CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK */
 #ifdef CONFIG_NET_PKT_FILTER_IPV4_HOOK
 #define npf_insert_ipv4_recv_rule(rule) npf_insert_rule(&npf_ipv4_recv_rules, rule)
 #define npf_append_ipv4_recv_rule(rule) npf_append_rule(&npf_ipv4_recv_rules, rule)
 #define npf_remove_ipv4_recv_rule(rule) npf_remove_rule(&npf_ipv4_recv_rules, rule)
 #define npf_remove_all_ipv4_recv_rules() npf_remove_all_rules(&npf_ipv4_recv_rules)
 #endif /* CONFIG_NET_PKT_FILTER_IPV4_HOOK */
 #ifdef CONFIG_NET_PKT_FILTER_IPV6_HOOK
 #define npf_insert_ipv6_recv_rule(rule) npf_insert_rule(&npf_ipv6_recv_rules, rule)
 #define npf_append_ipv6_recv_rule(rule) npf_append_rule(&npf_ipv6_recv_rules, rule)
 #define npf_remove_ipv6_recv_rule(rule) npf_remove_rule(&npf_ipv6_recv_rules, rule)
 #define npf_remove_all_ipv6_recv_rules() npf_remove_all_rules(&npf_ipv6_recv_rules)
 #endif /* CONFIG_NET_PKT_FILTER_IPV6_HOOK */
 /**
 * @brief Statically define one packet filter rule
 *
@ -296,6 +323,60 @@ extern npf_test_fn_t npf_size_inbounds;
 		.test.fn = npf_size_inbounds, \
 	}
 /** @cond INTERNAL_HIDDEN */
 struct npf_test_ip {
 	struct npf_test test;
 	uint8_t addr_family;
 	void *ipaddr;
 	uint32_t ipaddr_num;
 };
 extern npf_test_fn_t npf_ip_src_addr_match;
 extern npf_test_fn_t npf_ip_src_addr_unmatch;
 /** @endcond */
 /**
 * @brief Statically define a "ip address allowlist" packet filter condition
 *
 * This tests if the packet source ip address matches any of the ip
 * addresses contained in the provided set.
 *
 * @param _name Name of the condition
 * @param _ip_addr_array Array of <tt>struct in_addr</tt> or <tt>struct in6_addr</tt> items to test
 *against
 * @param _ip_addr_num number of IP addresses in the array
 * @param _af Addresses family type (AF_INET / AF_INET6) in the array
 */
 #define NPF_IP_SRC_ADDR_ALLOWLIST(_name, _ip_addr_array, _ip_addr_num, _af) \
 	struct npf_test_ip _name = { \
 		.addr_family = _af, \
 		.ipaddr = (_ip_addr_array), \
 		.ipaddr_num = _ip_addr_num, \
 		.test.fn = npf_ip_src_addr_match, \
 	}
 /**
 * @brief Statically define a "ip address blocklist" packet filter condition
 *
 * This tests if the packet source ip address matches any of the ip
 * addresses contained in the provided set.
 *
 * @param _name Name of the condition
 * @param _ip_addr_array Array of <tt>struct in_addr</tt> or <tt>struct in6_addr</tt> items to test
 *against
 * @param _ip_addr_num number of IP addresses in the array
 * @param _af Addresses family type (AF_INET / AF_INET6) in the array
 */
 #define NPF_IP_SRC_ADDR_BLOCKLIST(_name, _ip_addr_array, _ip_addr_num, _af) \
 	struct npf_test_ip _name = { \
 		.addr_family = _af, \
 		.ipaddr = (_ip_addr_array), \
 		.ipaddr_num = _ip_addr_num, \
 		.test.fn = npf_ip_src_addr_unmatch, \
 	}
 /** @} */
 /**
--- a/subsys/net/ip/connection.c
+++ b/subsys/net/ip/connection.c
@ -576,6 +576,11 @@ enum net_verdict net_conn_input(struct net_pkt *pkt,
 	uint8_t pkt_family = net_pkt_family(pkt);
 	uint16_t src_port = 0U, dst_port = 0U;
 	if (!net_pkt_filter_local_in_recv_ok(pkt)) {
 		/* drop the packet */
 		return NET_DROP;
 	}
 	if (IS_ENABLED(CONFIG_NET_IP) && (pkt_family == AF_INET || pkt_family == AF_INET6)) {
 		if (IS_ENABLED(CONFIG_NET_UDP) && proto == IPPROTO_UDP) {
 			src_port = proto_hdr->udp->src_port;
--- a/subsys/net/ip/ipv4.c
+++ b/subsys/net/ip/ipv4.c
@ -302,6 +302,15 @@ enum net_verdict net_ipv4_input(struct net_pkt *pkt)
 		goto drop;
 	}
 	net_pkt_set_ipv4_ttl(pkt, hdr->ttl);
 	net_pkt_set_family(pkt, PF_INET);
 	if (!net_pkt_filter_ip_recv_ok(pkt)) {
 		/* drop the packet */
 		return NET_DROP;
 	}
 	if ((!net_ipv4_is_my_addr((struct in_addr *)hdr->dst) &&
 	     !net_ipv4_is_addr_mcast((struct in_addr *)hdr->dst) &&
 	     !(hdr->proto == IPPROTO_UDP &&
@ -326,10 +335,6 @@ enum net_verdict net_ipv4_input(struct net_pkt *pkt)
 		}
 	}
 	net_pkt_set_ipv4_ttl(pkt, hdr->ttl);
 	net_pkt_set_family(pkt, PF_INET);
 	if (IS_ENABLED(CONFIG_NET_IPV4_FRAGMENT)) {
 		/* Check if this is a fragmented packet, and if so, handle reassembly */
 		if ((ntohs(*((uint16_t *)&hdr->offset[0])) &
--- a/subsys/net/ip/ipv6.c
+++ b/subsys/net/ip/ipv6.c
@ -520,6 +520,11 @@ enum net_verdict net_ipv6_input(struct net_pkt *pkt, bool is_loopback)
 	net_pkt_set_ipv6_hop_limit(pkt, NET_IPV6_HDR(pkt)->hop_limit);
 	net_pkt_set_family(pkt, PF_INET6);
 	if (!net_pkt_filter_ip_recv_ok(pkt)) {
 		/* drop the packet */
 		return NET_DROP;
 	}
 	if (IS_ENABLED(CONFIG_NET_ROUTE_MCAST) &&
 		net_ipv6_is_addr_mcast((struct in6_addr *)hdr->dst)) {
 		/* If the packet is a multicast packet and multicast routing
--- a/subsys/net/pkt_filter/Kconfig
+++ b/subsys/net/pkt_filter/Kconfig
@ -12,6 +12,28 @@ config NET_PKT_FILTER
 	  transmission and reception.
 if NET_PKT_FILTER
 config NET_PKT_FILTER_IPV4_HOOK
 	bool "Additional network packet filtering hook inside IPv4 stack"
 	depends on NET_IPV4
 	help
 	  This additional hook provides infrastructure to construct custom
 	  rules on the IP packet.
 config NET_PKT_FILTER_IPV6_HOOK
 	bool "Additional network packet filtering hook inside IPv6 stack"
 	depends on NET_IPV6
 	help
 	  This additional hook provides infrastructure to construct custom
 	  rules on the IP packet.
 config NET_PKT_FILTER_LOCAL_IN_HOOK
 	bool "Additional network packet filtering hook for connection input"
 	depends on NET_IP
 	help
 	  This additional hook provides infrastructure to construct custom
 	  rules for e.g. TCP/UDP packets.
 module = NET_PKT_FILTER
 module-dep = NET_LOG
 module-str = Log level for packet filtering
--- a/subsys/net/pkt_filter/base.c
+++ b/subsys/net/pkt_filter/base.c
@ -25,6 +25,50 @@ struct npf_rule_list npf_recv_rules = {
 	.lock = { },
 };
 #ifdef CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK
 struct npf_rule_list npf_local_in_recv_rules = {
 	.rule_head = SYS_SLIST_STATIC_INIT(&local_in_recv_rules.rule_head),
 	.lock = { },
 };
 #endif /* CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK */
 #ifdef CONFIG_NET_PKT_FILTER_IPV4_HOOK
 struct npf_rule_list npf_ipv4_recv_rules = {
 	.rule_head = SYS_SLIST_STATIC_INIT(&ipv4_recv_rules.rule_head),
 	.lock = { },
 };
 #endif /* CONFIG_NET_PKT_FILTER_IPV4_HOOK */
 #ifdef CONFIG_NET_PKT_FILTER_IPV6_HOOK
 struct npf_rule_list npf_ipv6_recv_rules = {
 	.rule_head = SYS_SLIST_STATIC_INIT(&ipv6_recv_rules.rule_head),
 	.lock = { },
 };
 #endif /* CONFIG_NET_PKT_FILTER_IPV6_HOOK */
 /*
 * Helper function
 */
 static struct npf_rule_list *get_ip_rules(uint8_t pf)
 {
 	switch (pf) {
 	case PF_INET:
 #ifdef CONFIG_NET_PKT_FILTER_IPV4_HOOK
 		return &npf_ipv4_recv_rules;
 #endif
 		break;
 	case PF_INET6:
 #ifdef CONFIG_NET_PKT_FILTER_IPV6_HOOK
 		return &npf_ipv6_recv_rules;
 #endif
 		break;
 	default:
 		return NULL;
 	}
 	return NULL;
 }
 /*
 * Rule application
 */
@ -98,6 +142,31 @@ bool net_pkt_filter_recv_ok(struct net_pkt *pkt)
 	return result == NET_OK;
 }
 #ifdef CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK
 bool net_pkt_filter_local_in_recv_ok(struct net_pkt *pkt)
 {
 	enum net_verdict result = lock_evaluate(&npf_local_in_recv_rules, pkt);
 	return result == NET_OK;
 }
 #endif /* CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK */
 #if defined(CONFIG_NET_PKT_FILTER_IPV4_HOOK) || defined(CONFIG_NET_PKT_FILTER_IPV6_HOOK)
 bool net_pkt_filter_ip_recv_ok(struct net_pkt *pkt)
 {
 	struct npf_rule_list *rules = get_ip_rules(net_pkt_family(pkt));
 	if (!rules) {
 		NET_DBG("no rules");
 		return true;
 	}
 	enum net_verdict result = lock_evaluate(rules, pkt);
 	return result == NET_OK;
 }
 #endif /* CONFIG_NET_PKT_FILTER_IPV4_HOOK || CONFIG_NET_PKT_FILTER_IPV6_HOOK */
 /*
 * Rule management
 */
@ -199,3 +268,32 @@ bool npf_size_inbounds(struct npf_test *test, struct net_pkt *pkt)
 	return pkt_size >= bounds->min && pkt_size <= bounds->max;
 }
 bool npf_ip_src_addr_match(struct npf_test *test, struct net_pkt *pkt)
 {
 	struct npf_test_ip *test_ip =
 			CONTAINER_OF(test, struct npf_test_ip, test);
 	uint8_t pkt_family = net_pkt_family(pkt);
 	for (uint32_t ip_it = 0; ip_it < test_ip->ipaddr_num; ip_it++) {
 		if (IS_ENABLED(CONFIG_NET_IPV4) && pkt_family == AF_INET) {
 			struct in_addr *addr = (struct in_addr *)NET_IPV4_HDR(pkt)->src;
 			if (net_ipv4_addr_cmp(addr, &((struct in_addr *)test_ip->ipaddr)[ip_it])) {
 				return true;
 			}
 		} else if (IS_ENABLED(CONFIG_NET_IPV6) && pkt_family == AF_INET6) {
 			struct in6_addr *addr = (struct in6_addr *)NET_IPV6_HDR(pkt)->src;
 			if (net_ipv6_addr_cmp(addr, &((struct in6_addr *)test_ip->ipaddr)[ip_it])) {
 				return true;
 			}
 		}
 	}
 	return false;
 }
 bool npf_ip_src_addr_unmatch(struct npf_test *test, struct net_pkt *pkt)
 {
 	return !npf_ip_src_addr_match(test, pkt);
 }