Zephyr API Documentation  3.6.0
A Scalable Open Source RTOS
3.6.0
All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Modules Pages
net_pkt_filter.h
Go to the documentation of this file.
1
8/*
9 * Copyright (c) 2021 BayLibre SAS
10 *
11 * SPDX-License-Identifier: Apache-2.0
12 */
13
14#ifndef ZEPHYR_INCLUDE_NET_PKT_FILTER_H_
15#define ZEPHYR_INCLUDE_NET_PKT_FILTER_H_
16
17#include <limits.h>
18#include <stdbool.h>
19#include <zephyr/sys/slist.h>
20#include <zephyr/net/net_core.h>
21#include <zephyr/net/ethernet.h>
22
23#ifdef __cplusplus
24extern "C" {
25#endif
26
36struct npf_test;
37
38typedef bool (npf_test_fn_t)(struct npf_test *test, struct net_pkt *pkt);
39
43struct npf_test {
44 npf_test_fn_t *fn;
45};
46
48struct npf_rule {
49 sys_snode_t node;
50 enum net_verdict result;
51 uint32_t nb_tests;
52 struct npf_test *tests[];
53};
54
56extern struct npf_rule npf_default_ok;
58extern struct npf_rule npf_default_drop;
59
61struct npf_rule_list {
62 sys_slist_t rule_head;
63 struct k_spinlock lock;
64};
65
67extern struct npf_rule_list npf_send_rules;
69extern struct npf_rule_list npf_recv_rules;
71extern struct npf_rule_list npf_local_in_recv_rules;
73extern struct npf_rule_list npf_ipv4_recv_rules;
75extern struct npf_rule_list npf_ipv6_recv_rules;
76
83void npf_insert_rule(struct npf_rule_list *rules, struct npf_rule *rule);
84
91void npf_append_rule(struct npf_rule_list *rules, struct npf_rule *rule);
92
100bool npf_remove_rule(struct npf_rule_list *rules, struct npf_rule *rule);
101
108bool npf_remove_all_rules(struct npf_rule_list *rules);
109
110/* convenience shortcuts */
111#define npf_insert_send_rule(rule) npf_insert_rule(&npf_send_rules, rule)
112#define npf_insert_recv_rule(rule) npf_insert_rule(&npf_recv_rules, rule)
113#define npf_append_send_rule(rule) npf_append_rule(&npf_send_rules, rule)
114#define npf_append_recv_rule(rule) npf_append_rule(&npf_recv_rules, rule)
115#define npf_remove_send_rule(rule) npf_remove_rule(&npf_send_rules, rule)
116#define npf_remove_recv_rule(rule) npf_remove_rule(&npf_recv_rules, rule)
117#define npf_remove_all_send_rules() npf_remove_all_rules(&npf_send_rules)
118#define npf_remove_all_recv_rules() npf_remove_all_rules(&npf_recv_rules)
119
120#ifdef CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK
121#define npf_insert_local_in_recv_rule(rule) npf_insert_rule(&npf_local_in_recv_rules, rule)
122#define npf_append_local_in_recv_rule(rule) npf_append_rule(&npf_local_in_recv_rules, rule)
123#define npf_remove_local_in_recv_rule(rule) npf_remove_rule(&npf_local_in_recv_rules, rule)
124#define npf_remove_all_local_in_recv_rules() npf_remove_all_rules(&npf_local_in_recv_rules)
125#endif /* CONFIG_NET_PKT_FILTER_LOCAL_IN_HOOK */
126
127#ifdef CONFIG_NET_PKT_FILTER_IPV4_HOOK
128#define npf_insert_ipv4_recv_rule(rule) npf_insert_rule(&npf_ipv4_recv_rules, rule)
129#define npf_append_ipv4_recv_rule(rule) npf_append_rule(&npf_ipv4_recv_rules, rule)
130#define npf_remove_ipv4_recv_rule(rule) npf_remove_rule(&npf_ipv4_recv_rules, rule)
131#define npf_remove_all_ipv4_recv_rules() npf_remove_all_rules(&npf_ipv4_recv_rules)
132#endif /* CONFIG_NET_PKT_FILTER_IPV4_HOOK */
133
134#ifdef CONFIG_NET_PKT_FILTER_IPV6_HOOK
135#define npf_insert_ipv6_recv_rule(rule) npf_insert_rule(&npf_ipv6_recv_rules, rule)
136#define npf_append_ipv6_recv_rule(rule) npf_append_rule(&npf_ipv6_recv_rules, rule)
137#define npf_remove_ipv6_recv_rule(rule) npf_remove_rule(&npf_ipv6_recv_rules, rule)
138#define npf_remove_all_ipv6_recv_rules() npf_remove_all_rules(&npf_ipv6_recv_rules)
139#endif /* CONFIG_NET_PKT_FILTER_IPV6_HOOK */
140
195#define NPF_RULE(_name, _result, ...) \
196 struct npf_rule _name = { \
197 .result = (_result), \
198 .nb_tests = NUM_VA_ARGS_LESS_1(__VA_ARGS__) + 1, \
199 .tests = { FOR_EACH(Z_NPF_TEST_ADDR, (,), __VA_ARGS__) }, \
200 }
201
202#define Z_NPF_TEST_ADDR(arg) &arg.test
203
214struct npf_test_iface {
215 struct npf_test test;
216 struct net_if *iface;
217};
218
219extern npf_test_fn_t npf_iface_match;
220extern npf_test_fn_t npf_iface_unmatch;
221extern npf_test_fn_t npf_orig_iface_match;
222extern npf_test_fn_t npf_orig_iface_unmatch;
223
232#define NPF_IFACE_MATCH(_name, _iface) \
233 struct npf_test_iface _name = { \
234 .iface = (_iface), \
235 .test.fn = npf_iface_match, \
236 }
237
244#define NPF_IFACE_UNMATCH(_name, _iface) \
245 struct npf_test_iface _name = { \
246 .iface = (_iface), \
247 .test.fn = npf_iface_unmatch, \
248 }
249
256#define NPF_ORIG_IFACE_MATCH(_name, _iface) \
257 struct npf_test_iface _name = { \
258 .iface = (_iface), \
259 .test.fn = npf_orig_iface_match, \
260 }
261
268#define NPF_ORIG_IFACE_UNMATCH(_name, _iface) \
269 struct npf_test_iface _name = { \
270 .iface = (_iface), \
271 .test.fn = npf_orig_iface_unmatch, \
272 }
273
276struct npf_test_size_bounds {
277 struct npf_test test;
278 size_t min;
279 size_t max;
280};
281
282extern npf_test_fn_t npf_size_inbounds;
283
292#define NPF_SIZE_MIN(_name, _size) \
293 struct npf_test_size_bounds _name = { \
294 .min = (_size), \
295 .max = SIZE_MAX, \
296 .test.fn = npf_size_inbounds, \
297 }
298
305#define NPF_SIZE_MAX(_name, _size) \
306 struct npf_test_size_bounds _name = { \
307 .min = 0, \
308 .max = (_size), \
309 .test.fn = npf_size_inbounds, \
310 }
311
319#define NPF_SIZE_BOUNDS(_name, _min_size, _max_size) \
320 struct npf_test_size_bounds _name = { \
321 .min = (_min_size), \
322 .max = (_max_size), \
323 .test.fn = npf_size_inbounds, \
324 }
325
328struct npf_test_ip {
329 struct npf_test test;
330 uint8_t addr_family;
331 void *ipaddr;
332 uint32_t ipaddr_num;
333};
334
335extern npf_test_fn_t npf_ip_src_addr_match;
336extern npf_test_fn_t npf_ip_src_addr_unmatch;
337
352#define NPF_IP_SRC_ADDR_ALLOWLIST(_name, _ip_addr_array, _ip_addr_num, _af) \
353 struct npf_test_ip _name = { \
354 .addr_family = _af, \
355 .ipaddr = (_ip_addr_array), \
356 .ipaddr_num = _ip_addr_num, \
357 .test.fn = npf_ip_src_addr_match, \
358 }
359
372#define NPF_IP_SRC_ADDR_BLOCKLIST(_name, _ip_addr_array, _ip_addr_num, _af) \
373 struct npf_test_ip _name = { \
374 .addr_family = _af, \
375 .ipaddr = (_ip_addr_array), \
376 .ipaddr_num = _ip_addr_num, \
377 .test.fn = npf_ip_src_addr_unmatch, \
378 }
379
390struct npf_test_eth_addr {
391 struct npf_test test;
392 unsigned int nb_addresses;
393 struct net_eth_addr *addresses;
394 struct net_eth_addr mask;
395};
396
397extern npf_test_fn_t npf_eth_src_addr_match;
398extern npf_test_fn_t npf_eth_src_addr_unmatch;
399extern npf_test_fn_t npf_eth_dst_addr_match;
400extern npf_test_fn_t npf_eth_dst_addr_unmatch;
401
413#define NPF_ETH_SRC_ADDR_MATCH(_name, _addr_array) \
414 struct npf_test_eth_addr _name = { \
415 .addresses = (_addr_array), \
416 .nb_addresses = ARRAY_SIZE(_addr_array), \
417 .test.fn = npf_eth_src_addr_match, \
418 .mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
419 }
420
430#define NPF_ETH_SRC_ADDR_UNMATCH(_name, _addr_array) \
431 struct npf_test_eth_addr _name = { \
432 .addresses = (_addr_array), \
433 .nb_addresses = ARRAY_SIZE(_addr_array), \
434 .test.fn = npf_eth_src_addr_unmatch, \
435 .mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
436 }
437
447#define NPF_ETH_DST_ADDR_MATCH(_name, _addr_array) \
448 struct npf_test_eth_addr _name = { \
449 .addresses = (_addr_array), \
450 .nb_addresses = ARRAY_SIZE(_addr_array), \
451 .test.fn = npf_eth_dst_addr_match, \
452 .mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
453 }
454
464#define NPF_ETH_DST_ADDR_UNMATCH(_name, _addr_array) \
465 struct npf_test_eth_addr _name = { \
466 .addresses = (_addr_array), \
467 .nb_addresses = ARRAY_SIZE(_addr_array), \
468 .test.fn = npf_eth_dst_addr_unmatch, \
469 .mask.addr = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, \
470 }
471
482#define NPF_ETH_SRC_ADDR_MASK_MATCH(_name, _addr_array, ...) \
483 struct npf_test_eth_addr _name = { \
484 .addresses = (_addr_array), \
485 .nb_addresses = ARRAY_SIZE(_addr_array), \
486 .mask.addr = { __VA_ARGS__ }, \
487 .test.fn = npf_eth_src_addr_match, \
488 }
489
500#define NPF_ETH_DST_ADDR_MASK_MATCH(_name, _addr_array, ...) \
501 struct npf_test_eth_addr _name = { \
502 .addresses = (_addr_array), \
503 .nb_addresses = ARRAY_SIZE(_addr_array), \
504 .mask.addr = { __VA_ARGS__ }, \
505 .test.fn = npf_eth_dst_addr_match, \
506 }
507
510struct npf_test_eth_type {
511 struct npf_test test;
512 uint16_t type; /* type in network order */
513};
514
515extern npf_test_fn_t npf_eth_type_match;
516extern npf_test_fn_t npf_eth_type_unmatch;
517
526#define NPF_ETH_TYPE_MATCH(_name, _type) \
527 struct npf_test_eth_type _name = { \
528 .type = htons(_type), \
529 .test.fn = npf_eth_type_match, \
530 }
531
538#define NPF_ETH_TYPE_UNMATCH(_name, _type) \
539 struct npf_test_eth_type _name = { \
540 .type = htons(_type), \
541 .test.fn = npf_eth_type_unmatch, \
542 }
543
546#ifdef __cplusplus
547}
548#endif
549
550#endif /* ZEPHYR_INCLUDE_NET_PKT_FILTER_H_ */
ethernet.h
Ethernet.
net_verdict
net_verdict
Net Verdict.
Definition: net_core.h:98
npf_insert_rule
void npf_insert_rule(struct npf_rule_list *rules, struct npf_rule *rule)
Insert a rule at the front of given rule list.
npf_remove_rule
bool npf_remove_rule(struct npf_rule_list *rules, struct npf_rule *rule)
Remove a rule from the given rule list.
npf_remove_all_rules
bool npf_remove_all_rules(struct npf_rule_list *rules)
Remove all rules from the given rule list.
npf_local_in_recv_rules
struct npf_rule_list npf_local_in_recv_rules
rule list applied for local incoming packets
npf_send_rules
struct npf_rule_list npf_send_rules
rule list applied to outgoing packets
npf_default_drop
struct npf_rule npf_default_drop
Default rule list termination for rejecting a packet.
npf_recv_rules
struct npf_rule_list npf_recv_rules
rule list applied to incoming packets
npf_default_ok
struct npf_rule npf_default_ok
Default rule list termination for accepting a packet.
npf_ipv6_recv_rules
struct npf_rule_list npf_ipv6_recv_rules
rule list applied for IPv6 incoming packets
npf_ipv4_recv_rules
struct npf_rule_list npf_ipv4_recv_rules
rule list applied for IPv4 incoming packets
npf_append_rule
void npf_append_rule(struct npf_rule_list *rules, struct npf_rule *rule)
Append a rule at the end of given rule list.
sys_slist_t
struct _slist sys_slist_t
Single-linked list structure.
Definition: slist.h:49
sys_snode_t
struct _snode sys_snode_t
Single-linked list node structure.
Definition: slist.h:39
net_core.h
Network core definitions.
bool
#define bool
Definition: stdbool.h:13
uint32_t
__UINT32_TYPE__ uint32_t
Definition: stdint.h:90
uint8_t
__UINT8_TYPE__ uint8_t
Definition: stdint.h:88
uint16_t
__UINT16_TYPE__ uint16_t
Definition: stdint.h:89
k_spinlock
Kernel Spin Lock.
Definition: spinlock.h:45
net_if
Network Interface structure.
Definition: net_if.h:615
net_pkt
Network packet.
Definition: net_pkt.h:63
npf_rule_list
rule set for a given test location
Definition: net_pkt_filter.h:61
npf_rule_list::rule_head
sys_slist_t rule_head
Definition: net_pkt_filter.h:62
npf_rule_list::lock
struct k_spinlock lock
Definition: net_pkt_filter.h:63
npf_rule
filter rule structure
Definition: net_pkt_filter.h:48
npf_rule::nb_tests
uint32_t nb_tests
number of tests for this rule
Definition: net_pkt_filter.h:51
npf_rule::tests
struct npf_test * tests[]
pointers to npf_test instances
Definition: net_pkt_filter.h:52
npf_rule::result
enum net_verdict result
result if all tests pass
Definition: net_pkt_filter.h:50
npf_rule::node
sys_snode_t node
Definition: net_pkt_filter.h:49
npf_test
common filter test structure to be embedded into larger structures
Definition: net_pkt_filter.h:43
npf_test::fn
npf_test_fn_t * fn
packet condition test function
Definition: net_pkt_filter.h:44