net_pkt_filter.h
8/*
9 * Copyright (c) 2021 BayLibre SAS
10 *
11 * SPDX-License-Identifier: Apache-2.0
12 */
13
14#ifndef ZEPHYR_INCLUDE_NET_PKT_FILTER_H_
15#define ZEPHYR_INCLUDE_NET_PKT_FILTER_H_
16
17#include <limits.h>
18#include <stdbool.h>
19#include <zephyr/sys/slist.h>
20#include <zephyr/net/net_core.h>
21#include <zephyr/net/ethernet.h>
22
23#ifdef __cplusplus
24extern "C" {
25#endif
26
/* Forward declaration: every concrete filter test below embeds a struct npf_test. */
struct npf_test;

/**
 * Packet condition test callback.
 *
 * @param test The embedded struct npf_test of the concrete test object
 *             (NPF_RULE() stores the address of each test's `.test`
 *             member, so this is a pointer into the enclosing structure;
 *             how the implementation recovers that structure is not shown
 *             in this header).
 * @param pkt  The packet being evaluated.
 * @return The test verdict; presumably true when the condition holds for
 *         @p pkt — confirm against the individual implementations.
 */
typedef bool (npf_test_fn_t)(struct npf_test *test, struct net_pkt *pkt);

/**
 * Common filter test structure, embedded as the first member of each
 * concrete test type in this header (npf_test_iface, npf_test_size_bounds,
 * npf_test_ip, npf_test_eth_addr, npf_test_eth_type).
 */
struct npf_test {
	npf_test_fn_t *fn; /**< packet condition test function */
};
48
56
/*
 * struct npf_rule and struct npf_rule_list are defined in this header
 * (original lines 50 and 63) but are not part of this excerpt.
 */

/**
 * Default rule list termination for accepting a packet.
 * Intended as the last rule of a list: it fixes the policy for packets that
 * no earlier rule matched.
 */
extern struct npf_rule npf_default_ok;
/**
 * Default rule list termination for rejecting a packet.
 * The deny-by-default counterpart of npf_default_ok.
 */
extern struct npf_rule npf_default_drop;

/** Rule list applied to outgoing packets. */
extern struct npf_rule_list npf_send_rules;
/** Rule list applied to incoming packets. */
extern struct npf_rule_list npf_recv_rules;
78
/**
 * Insert a rule at the front of the given rule list.
 *
 * Position matters: a list is presumably walked in order until a rule's
 * tests all pass, and the npf_default_ok/npf_default_drop terminators are
 * meant to come last, so a rule inserted here is consulted before every
 * existing one.
 *
 * @param rules The rule list to modify.
 * @param rule  The rule to link in.  The list links the rule object itself
 *              (struct npf_rule carries a sys_snode_t node), so @p rule
 *              must stay valid until it is removed — no copy is made.
 */
void npf_insert_rule(struct npf_rule_list *rules, struct npf_rule *rule);

/**
 * Append a rule at the end of the given rule list.
 *
 * @param rules The rule list to modify.
 * @param rule  The rule to link in; same lifetime requirement as for
 *              npf_insert_rule().
 */
void npf_append_rule(struct npf_rule_list *rules, struct npf_rule *rule);

/**
 * Remove a rule from the given rule list.
 *
 * @param rules The rule list to modify.
 * @param rule  The rule to unlink.
 * @return bool — presumably true when the rule was found and removed,
 *         false otherwise; confirm against the implementation.
 */
bool npf_remove_rule(struct npf_rule_list *rules, struct npf_rule *rule);
103
111
/* convenience shortcuts */
/*
 * One-argument wrappers binding the generic list operations to the global
 * send and receive lists declared above.  Each expands to a plain call and
 * therefore yields the wrapped function's return value (void for
 * insert/append, bool for remove).  npf_remove_all_rules() is declared
 * elsewhere in this header; its prototype is not visible in this excerpt.
 */
#define npf_insert_send_rule(rule) npf_insert_rule(&npf_send_rules, rule)
#define npf_insert_recv_rule(rule) npf_insert_rule(&npf_recv_rules, rule)
#define npf_append_send_rule(rule) npf_append_rule(&npf_send_rules, rule)
#define npf_append_recv_rule(rule) npf_append_rule(&npf_recv_rules, rule)
#define npf_remove_send_rule(rule) npf_remove_rule(&npf_send_rules, rule)
#define npf_remove_recv_rule(rule) npf_remove_rule(&npf_recv_rules, rule)
#define npf_remove_all_send_rules() npf_remove_all_rules(&npf_send_rules)
#define npf_remove_all_recv_rules() npf_remove_all_rules(&npf_recv_rules)
123
/*
 * Hook-specific shortcuts.  Each group exists only when the matching
 * Kconfig hook is enabled; the underlying list objects
 * (npf_local_in_recv_rules, npf_ipv4_recv_rules, npf_ipv6_recv_rules) are
 * declared elsewhere in this header and are not part of this excerpt.
 * Code that is built with the hook disabled gets a compile error rather
 * than a silently missing filter, which is the safer failure mode.
 */

/* Rules applied to incoming packets destined for this host. */
#ifdef CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK
#define npf_insert_local_in_recv_rule(rule) npf_insert_rule(&npf_local_in_recv_rules, rule)
#define npf_append_local_in_recv_rule(rule) npf_append_rule(&npf_local_in_recv_rules, rule)
#define npf_remove_local_in_recv_rule(rule) npf_remove_rule(&npf_local_in_recv_rules, rule)
#define npf_remove_all_local_in_recv_rules() npf_remove_all_rules(&npf_local_in_recv_rules)
#endif /* CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK */

/* Rules applied to incoming IPv4 packets. */
#ifdef CONFIG_NET_PKT_FILTER_IPV4_HOOK
#define npf_insert_ipv4_recv_rule(rule) npf_insert_rule(&npf_ipv4_recv_rules, rule)
#define npf_append_ipv4_recv_rule(rule) npf_append_rule(&npf_ipv4_recv_rules, rule)
#define npf_remove_ipv4_recv_rule(rule) npf_remove_rule(&npf_ipv4_recv_rules, rule)
#define npf_remove_all_ipv4_recv_rules() npf_remove_all_rules(&npf_ipv4_recv_rules)
#endif /* CONFIG_NET_PKT_FILTER_IPV4_HOOK */

/* Rules applied to incoming IPv6 packets. */
#ifdef CONFIG_NET_PKT_FILTER_IPV6_HOOK
#define npf_insert_ipv6_recv_rule(rule) npf_insert_rule(&npf_ipv6_recv_rules, rule)
#define npf_append_ipv6_recv_rule(rule) npf_append_rule(&npf_ipv6_recv_rules, rule)
#define npf_remove_ipv6_recv_rule(rule) npf_remove_rule(&npf_ipv6_recv_rules, rule)
#define npf_remove_all_ipv6_recv_rules() npf_remove_all_rules(&npf_ipv6_recv_rules)
#endif /* CONFIG_NET_PKT_FILTER_IPV6_HOOK */
144
/**
 * Define a filter rule.
 *
 * NPF_RULE(name, result, test1, test2, ...) defines `struct npf_rule name`
 * whose verdict is @p _result when all of its tests pass.  The variadic
 * arguments are the test variables themselves (instances of the
 * npf_test_* types defined below); Z_NPF_TEST_ADDR() turns each one into
 * the address of its embedded `.test` member, so passing an object that is
 * not a filter test is a compile error rather than a silent mismatch.
 * `nb_tests` is derived from the argument count and therefore cannot
 * disagree with the initializer list.
 *
 * The tests are referenced by pointer, not copied: every test variable
 * must outlive the rule.
 *
 * @note `tests` is a flexible array member of struct npf_rule (defined
 *       earlier in this header, not shown in this excerpt); initializing
 *       it in a definition like this relies on a GCC/Clang extension.
 *
 * @param _name   Name of the struct npf_rule variable to define.
 * @param _result enum net_verdict to return when every test passes.
 * @param ...     One or more test variables.
 */
#define NPF_RULE(_name, _result, ...) \
	struct npf_rule _name = { \
		.result = (_result), \
		.nb_tests = NUM_VA_ARGS_LESS_1(__VA_ARGS__) + 1, \
		.tests = { FOR_EACH(Z_NPF_TEST_ADDR, (,), __VA_ARGS__) }, \
	}

/* Internal helper for NPF_RULE(): address of a test variable's embedded struct npf_test. */
#define Z_NPF_TEST_ADDR(arg) &arg.test
209
/** Network-interface test: compares the packet's interface with a fixed one. */
struct npf_test_iface {
	struct npf_test test;  /**< common test header, embedded first */
	struct net_if *iface;  /**< interface to compare against; referenced, not owned */
};
226
/*
 * Interface test callbacks, implemented in the packet filter core.  The
 * *_unmatch variants are the negations of the *_match ones; the *_orig_*
 * variants presumably compare the packet's original interface rather than
 * its current one — confirm against the implementation, which is not part
 * of this header.
 */
extern npf_test_fn_t npf_iface_match;
extern npf_test_fn_t npf_iface_unmatch;
extern npf_test_fn_t npf_orig_iface_match;
extern npf_test_fn_t npf_orig_iface_unmatch;

/**
 * Define a test that passes when the packet's interface is @p _iface.
 * Only the pointer is stored; the interface object must outlive the test.
 *
 * @param _name  Name of the struct npf_test_iface variable to define.
 * @param _iface Pointer to the struct net_if to match.
 */
#define NPF_IFACE_MATCH(_name, _iface) \
	struct npf_test_iface _name = { \
		.iface = (_iface), \
		.test.fn = npf_iface_match, \
	}

/**
 * Define a test that passes when the packet's interface is not @p _iface.
 *
 * @param _name  Name of the struct npf_test_iface variable to define.
 * @param _iface Pointer to the struct net_if to exclude.
 */
#define NPF_IFACE_UNMATCH(_name, _iface) \
	struct npf_test_iface _name = { \
		.iface = (_iface), \
		.test.fn = npf_iface_unmatch, \
	}

/**
 * Like NPF_IFACE_MATCH() but using npf_orig_iface_match (see the note on
 * the callbacks above).
 *
 * @param _name  Name of the struct npf_test_iface variable to define.
 * @param _iface Pointer to the struct net_if to match.
 */
#define NPF_ORIG_IFACE_MATCH(_name, _iface) \
	struct npf_test_iface _name = { \
		.iface = (_iface), \
		.test.fn = npf_orig_iface_match, \
	}

/**
 * Like NPF_IFACE_UNMATCH() but using npf_orig_iface_unmatch.
 *
 * @param _name  Name of the struct npf_test_iface variable to define.
 * @param _iface Pointer to the struct net_if to exclude.
 */
#define NPF_ORIG_IFACE_UNMATCH(_name, _iface) \
	struct npf_test_iface _name = { \
		.iface = (_iface), \
		.test.fn = npf_orig_iface_unmatch, \
	}
281
/** Packet-size test: accepts packets whose size lies within [min, max]. */
struct npf_test_size_bounds {
	struct npf_test test; /**< common test header, embedded first */
	size_t min;           /**< smallest accepted size */
	size_t max;           /**< largest accepted size */
};

/*
 * Shared callback for all three NPF_SIZE_* macros.  Whether the bounds are
 * inclusive or exclusive is decided by its implementation (not shown here).
 */
extern npf_test_fn_t npf_size_inbounds;
291
/**
 * Define a size test with a lower bound only: the upper bound is SIZE_MAX,
 * so any packet of at least @p _size passes.
 *
 * @param _name Name of the struct npf_test_size_bounds variable to define.
 * @param _size Minimum packet size.
 */
#define NPF_SIZE_MIN(_name, _size) \
	struct npf_test_size_bounds _name = { \
		.min = (_size), \
		.max = SIZE_MAX, \
		.test.fn = npf_size_inbounds, \
	}

/**
 * Define a size test with an upper bound only: the lower bound is 0, so
 * any packet of at most @p _size passes.
 *
 * @param _name Name of the struct npf_test_size_bounds variable to define.
 * @param _size Maximum packet size.
 */
#define NPF_SIZE_MAX(_name, _size) \
	struct npf_test_size_bounds _name = { \
		.min = 0, \
		.max = (_size), \
		.test.fn = npf_size_inbounds, \
	}

/**
 * Define a size test with both bounds.  Nothing here checks that
 * @p _min_size <= @p _max_size; an inverted pair presumably yields a test
 * that never passes.
 *
 * @param _name     Name of the struct npf_test_size_bounds variable to define.
 * @param _min_size Minimum packet size.
 * @param _max_size Maximum packet size.
 */
#define NPF_SIZE_BOUNDS(_name, _min_size, _max_size) \
	struct npf_test_size_bounds _name = { \
		.min = (_min_size), \
		.max = (_max_size), \
		.test.fn = npf_size_inbounds, \
	}
333
/** IP source-address test: a caller-owned list of addresses of one family. */
struct npf_test_ip {
	struct npf_test test; /**< common test header, embedded first */
	uint8_t addr_family;  /**< address family of the entries in ipaddr */
	void *ipaddr;         /**< array of addresses; element type depends on
	                       *   addr_family (presumably struct in_addr /
	                       *   struct in6_addr — confirm in the callbacks) */
	uint32_t ipaddr_num;  /**< number of entries in ipaddr; the callbacks
	                       *   trust this value, nothing here checks it
	                       *   against the actual array length */
};

/* Source-address callbacks: match = address is in the list, unmatch = it is not. */
extern npf_test_fn_t npf_ip_src_addr_match;
extern npf_test_fn_t npf_ip_src_addr_unmatch;
345
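/**
 * Define an IP source-address allow-list test.
 *
 * Packets whose source address appears in @p _ip_addr_array pass the test
 * (npf_ip_src_addr_match).  Only the array's address is stored, so the
 * array must outlive the test.
 *
 * @param _name          Name of the struct npf_test_ip variable to define.
 * @param _ip_addr_array Array of addresses of family @p _af (element type
 *                       depends on the family; see the match callback, not
 *                       shown here).
 * @param _ip_addr_num   Number of entries in @p _ip_addr_array.  Unlike the
 *                       NPF_ETH_* macros this count is supplied by the
 *                       caller rather than derived with ARRAY_SIZE(); a
 *                       value larger than the array presumably makes the
 *                       callback read past its end, so keep the two in
 *                       sync.
 * @param _af            Address family of the entries.
 *
 * Every argument is parenthesized in the expansion, consistent with the
 * other test-definition macros in this header.
 */
#define NPF_IP_SRC_ADDR_ALLOWLIST(_name, _ip_addr_array, _ip_addr_num, _af) \
	struct npf_test_ip _name = { \
		.addr_family = (_af), \
		.ipaddr = (_ip_addr_array), \
		.ipaddr_num = (_ip_addr_num), \
		.test.fn = npf_ip_src_addr_match, \
	}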
367
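/**
 * Define an IP source-address block-list test.
 *
 * Packets whose source address appears in @p _ip_addr_array fail the test
 * (npf_ip_src_addr_unmatch); all others pass.  Only the array's address is
 * stored, so the array must outlive the test.
 *
 * @param _name          Name of the struct npf_test_ip variable to define.
 * @param _ip_addr_array Array of addresses of family @p _af (element type
 *                       depends on the family; see the callback, not shown
 *                       here).
 * @param _ip_addr_num   Number of entries in @p _ip_addr_array.  This count
 *                       is caller-supplied, not derived with ARRAY_SIZE();
 *                       a value larger than the array presumably makes the
 *                       callback read past its end, and a smaller one
 *                       silently ignores the trailing entries.
 * @param _af            Address family of the entries.
 *
 * Every argument is parenthesized in the expansion, consistent with the
 * other test-definition macros in this header.
 */
#define NPF_IP_SRC_ADDR_BLOCKLIST(_name, _ip_addr_array, _ip_addr_num, _af) \
	struct npf_test_ip _name = { \
		.addr_family = (_af), \
		.ipaddr = (_ip_addr_array), \
		.ipaddr_num = (_ip_addr_num), \
		.test.fn = npf_ip_src_addr_unmatch, \
	}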
387
/** Ethernet-address test: a caller-owned address list plus a byte mask. */
struct npf_test_eth_addr {
	struct npf_test test;             /**< common test header, embedded first */
	unsigned int nb_addresses;        /**< number of entries in addresses */
	struct net_eth_addr *addresses;   /**< address list; referenced, not copied */
	struct net_eth_addr mask;         /**< per-byte mask; presumably applied
	                                   *   before comparing — confirm in the
	                                   *   callbacks */
};

/* Source/destination address callbacks; *_unmatch negates *_match. */
extern npf_test_fn_t npf_eth_src_addr_match;
extern npf_test_fn_t npf_eth_src_addr_unmatch;
extern npf_test_fn_t npf_eth_dst_addr_match;
extern npf_test_fn_t npf_eth_dst_addr_unmatch;
411
/*
 * The four exact-match macros below share these requirements:
 *  - @p _addr_array must be a real array of struct net_eth_addr, not a
 *    pointer: nb_addresses comes from ARRAY_SIZE(), which cannot count
 *    through a pointer (it is rejected or miscounted depending on the
 *    ARRAY_SIZE() implementation).
 *  - Only the array's address is stored, so it must outlive the test.
 *  - The mask is all ones, i.e. (presumably) every address byte takes part
 *    in the comparison; use the *_MASK_MATCH variants for partial matches.
 */

/**
 * Define a test that passes when the packet's Ethernet source address is
 * one of the entries in @p _addr_array.
 *
 * @param _name       Name of the struct npf_test_eth_addr variable to define.
 * @param _addr_array Array of struct net_eth_addr.
 */
#define NPF_ETH_SRC_ADDR_MATCH(_name, _addr_array) \
	struct npf_test_eth_addr _name = { \
		.addresses = (_addr_array), \
		.nb_addresses = ARRAY_SIZE(_addr_array), \
		.test.fn = npf_eth_src_addr_match, \
		.mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
	}

/**
 * Define a test that passes when the packet's Ethernet source address is
 * not one of the entries in @p _addr_array.
 *
 * @param _name       Name of the struct npf_test_eth_addr variable to define.
 * @param _addr_array Array of struct net_eth_addr.
 */
#define NPF_ETH_SRC_ADDR_UNMATCH(_name, _addr_array) \
	struct npf_test_eth_addr _name = { \
		.addresses = (_addr_array), \
		.nb_addresses = ARRAY_SIZE(_addr_array), \
		.test.fn = npf_eth_src_addr_unmatch, \
		.mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
	}

/**
 * Define a test that passes when the packet's Ethernet destination address
 * is one of the entries in @p _addr_array.
 *
 * @param _name       Name of the struct npf_test_eth_addr variable to define.
 * @param _addr_array Array of struct net_eth_addr.
 */
#define NPF_ETH_DST_ADDR_MATCH(_name, _addr_array) \
	struct npf_test_eth_addr _name = { \
		.addresses = (_addr_array), \
		.nb_addresses = ARRAY_SIZE(_addr_array), \
		.test.fn = npf_eth_dst_addr_match, \
		.mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
	}

/**
 * Define a test that passes when the packet's Ethernet destination address
 * is not one of the entries in @p _addr_array.
 *
 * @param _name       Name of the struct npf_test_eth_addr variable to define.
 * @param _addr_array Array of struct net_eth_addr.
 */
#define NPF_ETH_DST_ADDR_UNMATCH(_name, _addr_array) \
	struct npf_test_eth_addr _name = { \
		.addresses = (_addr_array), \
		.nb_addresses = ARRAY_SIZE(_addr_array), \
		.test.fn = npf_eth_dst_addr_unmatch, \
		.mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
	}
481
/**
 * Like NPF_ETH_SRC_ADDR_MATCH() but with a caller-supplied mask given as
 * the trailing list of bytes.
 *
 * The same ARRAY_SIZE() and lifetime requirements apply.  Supplying fewer
 * than 6 mask bytes leaves the remaining ones zero-initialized, which
 * presumably excludes those address bytes from the comparison — give all
 * 6 explicitly so the intended match width is visible at the call site.
 *
 * @param _name       Name of the struct npf_test_eth_addr variable to define.
 * @param _addr_array Array of struct net_eth_addr.
 * @param ...         Up to 6 mask bytes.
 */
#define NPF_ETH_SRC_ADDR_MASK_MATCH(_name, _addr_array, ...) \
	struct npf_test_eth_addr _name = { \
		.addresses = (_addr_array), \
		.nb_addresses = ARRAY_SIZE(_addr_array), \
		.mask.addr = { __VA_ARGS__ }, \
		.test.fn = npf_eth_src_addr_match, \
	}

/**
 * Like NPF_ETH_DST_ADDR_MATCH() but with a caller-supplied mask given as
 * the trailing list of bytes; see NPF_ETH_SRC_ADDR_MASK_MATCH() for the
 * mask-width caveat.
 *
 * @param _name       Name of the struct npf_test_eth_addr variable to define.
 * @param _addr_array Array of struct net_eth_addr.
 * @param ...         Up to 6 mask bytes.
 */
#define NPF_ETH_DST_ADDR_MASK_MATCH(_name, _addr_array, ...) \
	struct npf_test_eth_addr _name = { \
		.addresses = (_addr_array), \
		.nb_addresses = ARRAY_SIZE(_addr_array), \
		.mask.addr = { __VA_ARGS__ }, \
		.test.fn = npf_eth_dst_addr_match, \
	}
517
/** Ethernet type (EtherType) test. */
struct npf_test_eth_type {
	struct npf_test test; /**< common test header, embedded first */
	uint16_t type;        /**< type in network order (the NPF_ETH_TYPE_*
	                       *   macros convert with htons() on definition) */
};

/* EtherType callbacks; *_unmatch negates *_match. */
extern npf_test_fn_t npf_eth_type_match;
extern npf_test_fn_t npf_eth_type_unmatch;
527
/**
 * Define a test that passes when the packet's EtherType is @p _type.
 *
 * @p _type is given in host byte order; the stored field is converted with
 * htons() because struct npf_test_eth_type keeps it in network order.  If
 * htons() expands to a macro in this build, @p _type may be evaluated more
 * than once, so pass a constant or side-effect-free expression.
 *
 * @param _name Name of the struct npf_test_eth_type variable to define.
 * @param _type EtherType value in host order.
 */
#define NPF_ETH_TYPE_MATCH(_name, _type) \
	struct npf_test_eth_type _name = { \
		.type = htons(_type), \
		.test.fn = npf_eth_type_match, \
	}

/**
 * Define a test that passes when the packet's EtherType is not @p _type.
 * Same byte-order and evaluation notes as NPF_ETH_TYPE_MATCH().
 *
 * @param _name Name of the struct npf_test_eth_type variable to define.
 * @param _type EtherType value in host order.
 */
#define NPF_ETH_TYPE_UNMATCH(_name, _type) \
	struct npf_test_eth_type _name = { \
		.type = htons(_type), \
		.test.fn = npf_eth_type_unmatch, \
	}
553
556#ifdef __cplusplus
557}
558#endif
559
560#endif /* ZEPHYR_INCLUDE_NET_PKT_FILTER_H_ */