Zephyr API Documentation  3.7.0
A Scalable Open Source RTOS
Network Packet Filter API

Network Packet Filter API.

Modules

 Basic Filter Conditions
 
 Ethernet Filter Conditions
 

Data Structures

struct  npf_test
 common filter test structure to be embedded into larger structures

struct  npf_rule
 filter rule structure

struct  npf_rule_list
 rule set for a given test location
 

Macros

#define NPF_RULE(_name, _result, ...)
 Statically define one packet filter rule.
 

Functions

void npf_insert_rule (struct npf_rule_list *rules, struct npf_rule *rule)
 Insert a rule at the front of given rule list.
 
void npf_append_rule (struct npf_rule_list *rules, struct npf_rule *rule)
 Append a rule at the end of given rule list.
 
bool npf_remove_rule (struct npf_rule_list *rules, struct npf_rule *rule)
 Remove a rule from the given rule list.
 
bool npf_remove_all_rules (struct npf_rule_list *rules)
 Remove all rules from the given rule list.
 

Variables

struct npf_rule npf_default_ok
 Default rule list termination for accepting a packet.
 
struct npf_rule npf_default_drop
 Default rule list termination for rejecting a packet.
 
struct npf_rule_list npf_send_rules
 rule list applied to outgoing packets
 
struct npf_rule_list npf_recv_rules
 rule list applied to incoming packets
 
struct npf_rule_list npf_local_in_recv_rules
 rule list applied for local incoming packets
 
struct npf_rule_list npf_ipv4_recv_rules
 rule list applied for IPv4 incoming packets
 
struct npf_rule_list npf_ipv6_recv_rules
 rule list applied for IPv6 incoming packets
 

Detailed Description

Network Packet Filter API.

Macro Definition Documentation

◆ NPF_RULE

#define NPF_RULE(_name, _result, ...)

#include <zephyr/net/net_pkt_filter.h>

Value:
struct npf_rule _name = { \
    .result = (_result), \
    .nb_tests = NUM_VA_ARGS_LESS_1(__VA_ARGS__) + 1, \
    .tests = { FOR_EACH(Z_NPF_TEST_ADDR, (,), __VA_ARGS__) }, \
}

Statically define one packet filter rule.

This creates a rule from a variable number of filter conditions. The rule can then be inserted into or appended to the rule list for a given network packet path.

Example:

static NPF_SIZE_MAX(maxsize_200, 200);
static NPF_ETH_TYPE_MATCH(ip_packet, NET_ETH_PTYPE_IP);
static NPF_RULE(small_ip_pkt, NET_OK, ip_packet, maxsize_200);

void install_my_filter(void)
{
    npf_insert_recv_rule(&npf_default_drop);
    npf_insert_recv_rule(&small_ip_pkt);
}

The above would accept IP packets that are 200 bytes or smaller, and drop all other packets.

Another (less efficient) way to create the same result could be:

static NPF_SIZE_MIN(minsize_201, 201);
static NPF_ETH_TYPE_UNMATCH(not_ip_packet, NET_ETH_PTYPE_IP);
static NPF_RULE(reject_big_pkts, NET_DROP, minsize_201);
static NPF_RULE(reject_non_ip, NET_DROP, not_ip_packet);

void install_my_filter(void)
{
    npf_append_recv_rule(&reject_big_pkts);
    npf_append_recv_rule(&reject_non_ip);
    npf_append_recv_rule(&npf_default_ok);
}

The first rule in the list for which all conditions are true determines the fate of the packet. If any condition of a rule is false, the next rule in the list is evaluated.
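
The ordering behaviour described above, as an added stand-alone model (not Zephyr source and not part of the original documentation). It re-implements first-match evaluation with hypothetical `m_`-prefixed types, runs both rule sets from this page over constructed packets, and shows what happens when the first example's two calls are made with append instead of insert. `M_NO_MATCH` and the "no tests means always match" terminator are choices of this model only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-alone model, not Zephyr code: every m_ name is hypothetical. */
enum m_verdict { M_OK, M_DROP, M_NO_MATCH };
struct m_pkt { uint16_t eth_type; size_t len; };   /* constructed packet summary */
typedef bool (*m_test_fn)(const struct m_pkt *p, uint32_t arg);
struct m_test { m_test_fn fn; uint32_t arg; };
struct m_rule { enum m_verdict result; size_t nb_tests; struct m_test tests[2]; };
struct m_list { const struct m_rule *rules[4]; size_t n; };

static bool size_max(const struct m_pkt *p, uint32_t a) { return p->len <= a; }
static bool size_min(const struct m_pkt *p, uint32_t a) { return p->len >= a; }
static bool type_match(const struct m_pkt *p, uint32_t a) { return p->eth_type == a; }
static bool type_unmatch(const struct m_pkt *p, uint32_t a) { return p->eth_type != a; }

#define ETH_IP 0x0800u   /* IPv4 EtherType */
static const struct m_rule small_ip_pkt = { .result = M_OK, .nb_tests = 2,
    .tests = { { type_match, ETH_IP }, { size_max, 200 } } };
static const struct m_rule reject_big_pkts = { .result = M_DROP, .nb_tests = 1, .tests = { { size_min, 201 } } };
static const struct m_rule reject_non_ip = { .result = M_DROP, .nb_tests = 1, .tests = { { type_unmatch, ETH_IP } } };
static const struct m_rule default_ok = { .result = M_OK };     /* no tests: always matches */
static const struct m_rule default_drop = { .result = M_DROP }; /* no tests: always matches */

static void m_append(struct m_list *l, const struct m_rule *r) { l->rules[l->n++] = r; }
static void m_insert(struct m_list *l, const struct m_rule *r) {
    for (size_t i = l->n++; i > 0; i--) l->rules[i] = l->rules[i - 1];
    l->rules[0] = r;   /* new rule goes to the front */
}

/* The first rule whose tests all pass decides the verdict. */
enum m_verdict m_evaluate(const struct m_list *l, const struct m_pkt *p) {
    for (size_t i = 0; i < l->n; i++) {
        const struct m_rule *r = l->rules[i];
        size_t t = 0;
        while (t < r->nb_tests && r->tests[t].fn(p, r->tests[t].arg)) t++;
        if (t == r->nb_tests) return r->result;
    }
    return M_NO_MATCH;   /* model-only sentinel: list had no terminating rule */
}

/* kind 0: first example (insert); 1: second example (append); 2: first example's calls, appended. */
enum m_verdict m_run(int kind, uint16_t eth_type, size_t len) {
    struct m_list l = { .n = 0 };
    struct m_pkt p = { eth_type, len };
    if (kind == 0) { m_insert(&l, &default_drop); m_insert(&l, &small_ip_pkt); }
    else if (kind == 1) { m_append(&l, &reject_big_pkts); m_append(&l, &reject_non_ip); m_append(&l, &default_ok); }
    else { m_append(&l, &default_drop); m_append(&l, &small_ip_pkt); }
    return m_evaluate(&l, &p);
}
```

With kind 2 the drop terminator ends up first and shadows `small_ip_pkt`, so every packet is dropped; the position of the terminating rule, not the order of the source lines, decides the policy.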

Parameters
    _name    Name for this rule.
    _result  Fate of the packet if all conditions are true, either NET_OK or NET_DROP.
    ...      List of conditions for this rule.

Function Documentation

◆ npf_append_rule()

void npf_append_rule(struct npf_rule_list *rules, struct npf_rule *rule)

#include <zephyr/net/net_pkt_filter.h>

Append a rule at the end of given rule list.

Parameters
    rules  the affected rule list
    rule   the rule to be appended

◆ npf_insert_rule()

void npf_insert_rule(struct npf_rule_list *rules, struct npf_rule *rule)

#include <zephyr/net/net_pkt_filter.h>

Insert a rule at the front of given rule list.

Parameters
    rules  the affected rule list
    rule   the rule to be inserted

◆ npf_remove_all_rules()

bool npf_remove_all_rules(struct npf_rule_list *rules)

#include <zephyr/net/net_pkt_filter.h>

Remove all rules from the given rule list.

Parameters
    rules  the affected rule list
Return values
    true   if at least one rule was removed from the rule list

◆ npf_remove_rule()

bool npf_remove_rule(struct npf_rule_list *rules, struct npf_rule *rule)

#include <zephyr/net/net_pkt_filter.h>

Remove a rule from the given rule list.

Parameters
    rules  the affected rule list
    rule   the rule to be removed
Return values
    true   if given rule was found in the rule list and removed

Variable Documentation

◆ npf_default_drop

extern struct npf_rule npf_default_drop

#include <zephyr/net/net_pkt_filter.h>

Default rule list termination for rejecting a packet.

◆ npf_default_ok

extern struct npf_rule npf_default_ok

#include <zephyr/net/net_pkt_filter.h>

Default rule list termination for accepting a packet.

◆ npf_ipv4_recv_rules

extern struct npf_rule_list npf_ipv4_recv_rules

#include <zephyr/net/net_pkt_filter.h>

rule list applied for IPv4 incoming packets

◆ npf_ipv6_recv_rules

extern struct npf_rule_list npf_ipv6_recv_rules

#include <zephyr/net/net_pkt_filter.h>

rule list applied for IPv6 incoming packets

◆ npf_local_in_recv_rules

extern struct npf_rule_list npf_local_in_recv_rules

#include <zephyr/net/net_pkt_filter.h>

rule list applied for local incoming packets

◆ npf_recv_rules

extern struct npf_rule_list npf_recv_rules

#include <zephyr/net/net_pkt_filter.h>

rule list applied to incoming packets

◆ npf_send_rules

extern struct npf_rule_list npf_send_rules

#include <zephyr/net/net_pkt_filter.h>

rule list applied to outgoing packets