Posted to commits@nuttx.apache.org by GitBox <gi...@apache.org> on 2022/11/07 00:54:59 UTC

[GitHub] [incubator-nuttx-apps] duduita opened a new pull request, #1399: Add iptlite packet filter app

duduita opened a new pull request, #1399:
URL: https://github.com/apache/incubator-nuttx-apps/pull/1399

   ## Summary
   This merge request aims to add a lightweight packet filter to NuttX, called iptlite (iptables lite), which was based on the Linux firewall, iptables and netfilter. This first implementation was focused on the essential commands, such as adding a drop rule based on the 4-tuple (source IP address, destination IP address, source port and destination port), flushing all rules and listing all rules, for all ingress TCP packets.
   
   The implementation was divided into two parts: the iptlite app, the CLI for the user, and the nflite modules (netfilter lite), which will provide the APIs to the iptlite app and can be seen in another MR on the incubator-nuttx repository.
   
   This project was considered the third-best security tool at the XXII Brazilian Symposium on Information Security and Computer Systems, and the [related paper](https://sol.sbc.org.br/index.php/sbseg_estendido/article/view/21705) was accepted by this conference as well.
   
   ## Impact
   This lightweight packet filter could be an additional security feature, especially in the IoT environment, allowing users to adopt, for instance, a zero trust policy, consequently denying all ingress packets except the preset ones.
   
   ## Testing
   In order to give more context about the implementation that was made, the following link shows a [quick video demo](https://drive.google.com/file/d/18mRSa_Vd_XRkorHnBmdGTAF5x2dykjLR/view) of the project.
   

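Added example, not code from this PR or from NuttX: a minimal model of the 4-tuple rule table the description above sketches (source IP, destination IP, source port, destination port for ingress TCP, with add, flush and a verdict lookup). It goes slightly beyond the PR by giving each rule its own verdict and adding a default policy, which is what the deny-by-default ("zero trust") configuration mentioned under Impact needs. All names (tuple4_t, nf_add_rule, nf_verdict, MAX_RULES, ...) are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>

#define MAX_RULES 16
enum verdict { ACCEPT = 0, DROP = 1 };

/* Rule key: the 4-tuple, addresses and ports kept in network byte order. */
typedef struct { in_addr_t src, dst; in_port_t sport, dport; } tuple4_t;
struct rule { tuple4_t key; enum verdict action; };

static struct rule g_rules[MAX_RULES];
static int g_nrules;
static enum verdict g_policy = ACCEPT;  /* set to DROP for deny-by-default */

/* Build a tuple from dotted-quad strings and host-order ports; a malformed
 * address is rejected so a bad CLI argument can never become a rule. */
bool tuple4_from_str(tuple4_t *t, const char *src, const char *dst,
                     in_port_t sport, in_port_t dport)
{
  struct in_addr a;
  if (inet_pton(AF_INET, src, &a) != 1) return false;
  t->src = a.s_addr;
  if (inet_pton(AF_INET, dst, &a) != 1) return false;
  t->dst = a.s_addr;
  t->sport = htons(sport);
  t->dport = htons(dport);
  return true;
}

/* Append a rule; returns its index, or -1 when the table is full. */
int nf_add_rule(const tuple4_t *t, enum verdict action)
{
  if (g_nrules >= MAX_RULES) return -1;
  g_rules[g_nrules].key = *t;
  g_rules[g_nrules].action = action;
  return g_nrules++;
}

void nf_flush(void) { g_nrules = 0; }
void nf_set_policy(enum verdict v) { g_policy = v; }
int nf_rule_count(void) { return g_nrules; }

/* Verdict for one ingress TCP packet: first exact match wins, else policy. */
enum verdict nf_verdict(const tuple4_t *p)
{
  for (int i = 0; i < g_nrules; i++) {
    const tuple4_t *k = &g_rules[i].key;
    if (k->src == p->src && k->dst == p->dst &&
        k->sport == p->sport && k->dport == p->dport)
      return g_rules[i].action;
  }
  return g_policy;
}
```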

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@nuttx.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [incubator-nuttx-apps] pkarashchenko commented on a diff in pull request #1399: Add iptlite packet filter app

Posted by GitBox <gi...@apache.org>.
pkarashchenko commented on code in PR #1399:
URL: https://github.com/apache/incubator-nuttx-apps/pull/1399#discussion_r1015156214


##########
netutils/iptlite/iptlite_main.c:
##########
@@ -0,0 +1,94 @@
+/****************************************************************************
+ * apps/netutils/iptlite/iptlite_main.c
+ * iptlite networking application
+ ****************************************************************************/
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include "../../../nuttx/net/devif/devif.h"
+#include <nuttx/config.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdbool.h>
+
+/****************************************************************************
+ * Private Functions
+ ****************************************************************************/
+
+void listall_rules(void)
+{
+  int rules_counter = nflite_get_rules_counter();
+  char** table = nflite_listall();
+
+  printf("%3s %10s %16s %16s %9s %9s\n", \
+  "ID", "RULE", "SRC IPADDR", "DEST IPADDR", "SRC PORT", "DEST PORT");
+
+  for (int i = 0; i < rules_counter; i++)
+    {
+      for (int j = 0; j < RULE_INFO_MAX_SIZE; j++)
+        {
+          printf("%c", table[i][j]);
+        }
+
+      printf("\n");
+    }
+}
+
+void add_rule(int rule, char * srcip, char * destip, char * srcprt, \
+char * destprt)
+{
+  in_addr_t srcipaddr, destipaddr;
+  in_port_t srcport, destport;
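Review bot: in `listall_rules`, the inner loop prints all `RULE_INFO_MAX_SIZE` bytes of `table[i]` with `printf("%c", table[i][j])`, so a row shorter than the maximum emits its NUL terminator and whatever the buffer holds after it. Print each row as a bounded string instead, e.g. `printf("%.*s\n", RULE_INFO_MAX_SIZE, table[i]);`, which stops at the first NUL and still never reads past the buffer.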

Review Comment:
   ```suggestion
     in_addr_t srcipaddr;
     in_addr_t destipaddr;
     in_port_t srcport;
     in_port_t destport;
   ```



##########
netutils/iptlite/iptlite_main.c:
##########
@@ -0,0 +1,94 @@
+/****************************************************************************
+ * apps/netutils/iptlite/iptlite_main.c
+ * iptlite networking application
+ ****************************************************************************/
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include "../../../nuttx/net/devif/devif.h"
+#include <nuttx/config.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdbool.h>
+
+/****************************************************************************
+ * Private Functions
+ ****************************************************************************/
+
+void listall_rules(void)
+{
+  int rules_counter = nflite_get_rules_counter();
+  char** table = nflite_listall();
+
+  printf("%3s %10s %16s %16s %9s %9s\n", \
+  "ID", "RULE", "SRC IPADDR", "DEST IPADDR", "SRC PORT", "DEST PORT");
+
+  for (int i = 0; i < rules_counter; i++)
+    {
+      for (int j = 0; j < RULE_INFO_MAX_SIZE; j++)
+        {
+          printf("%c", table[i][j]);
+        }
+
+      printf("\n");
+    }
+}
+
+void add_rule(int rule, char * srcip, char * destip, char * srcprt, \
+char * destprt)
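Review bot: `add_rule` sits under "Private Functions" but is neither `static` nor const-correct: the address and port strings are only parsed, so they should be `FAR const char *`, and both `add_rule` and `listall_rules` should be `static` so these generic names cannot collide with other apps linked into the same image. The trailing backslashes on the wrapped `printf` call and on this prototype are also unnecessary outside a macro and can be dropped.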

Review Comment:
   ```suggestion
   void add_rule(int rule, FAR char *srcip, FAR char *destip, FAR char *srcprt, 
                 FAR char *destprt)
   ```



##########
netutils/iptlite/iptlite_main.c:
##########
@@ -0,0 +1,94 @@
+/****************************************************************************
+ * apps/netutils/iptlite/iptlite_main.c
+ * iptlite networking application
+ ****************************************************************************/
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include "../../../nuttx/net/devif/devif.h"
+#include <nuttx/config.h>
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdbool.h>
+
+/****************************************************************************
+ * Private Functions
+ ****************************************************************************/
+
+void listall_rules(void)
+{
+  int rules_counter = nflite_get_rules_counter();
+  char** table = nflite_listall();
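Review bot: `rules_counter` and `table` come from two separate calls (`nflite_get_rules_counter()` and `nflite_listall()`), and `table` is then indexed up to `rules_counter` with no NULL check and nothing tying the count to the table actually returned; if the rule set changes between the two calls, or `nflite_listall()` fails, the loop reads past the end of `table`. Return the count together with the table from one call (or give `nflite_listall()` an output length parameter) and bail out with an error when `table` is NULL.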

Review Comment:
   ```suggestion
     FAR char** table = nflite_listall();
   ```



##########
netutils/iptlite/iptlite_main.c:
##########
@@ -0,0 +1,94 @@
+/****************************************************************************

Review Comment:
   license header is missing



##########
netutils/iptlite/iptlite_main.c:
##########
@@ -0,0 +1,94 @@
+/****************************************************************************
+ * apps/netutils/iptlite/iptlite_main.c
+ * iptlite networking application
+ ****************************************************************************/
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include "../../../nuttx/net/devif/devif.h"
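Review bot: `#include "../../../nuttx/net/devif/devif.h"` reaches from the apps tree into the kernel's private `net/devif` headers by relative path, which ties the app to the repository layout and only works in the FLAT build, where apps link directly against kernel symbols; in the PROTECTED and KERNEL builds user code cannot call the `nflite_*` functions directly at all. Expose the nflite operations through a public header under `include/nuttx/` and a system-call style interface (an ioctl on a socket, or setsockopt as iptables does), include only `<nuttx/...>` headers here, and keep `<nuttx/config.h>` as the first include as NuttX convention requires.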

Review Comment:
   Can we somehow overcome this?





[GitHub] [incubator-nuttx-apps] wengzhe commented on pull request #1399: Add iptlite packet filter app

Posted by GitBox <gi...@apache.org>.
wengzhe commented on PR #1399:
URL: https://github.com/apache/incubator-nuttx-apps/pull/1399#issuecomment-1305037536

   Shall we isolate between iptlite (user space) and nflite (kernel space), using ioctl or setsockopt (which iptables uses)?




[GitHub] [nuttx-apps] xiaoxiang781216 commented on pull request #1399: Add iptlite packet filter app

Posted by GitBox <gi...@apache.org>.
xiaoxiang781216 commented on PR #1399:
URL: https://github.com/apache/nuttx-apps/pull/1399#issuecomment-1367427338

   @duduita @wengzhe has developed an infrastructure for iptables, so you may port the filter functionality with less effort now. Please refer to the following PRs to learn the usage: https://github.com/apache/nuttx-apps/pull/1479 and https://github.com/apache/nuttx/pull/7989.
   




[GitHub] [incubator-nuttx-apps] duduita commented on pull request #1399: Add iptlite packet filter app

Posted by GitBox <gi...@apache.org>.
duduita commented on PR #1399:
URL: https://github.com/apache/incubator-nuttx-apps/pull/1399#issuecomment-1305989956

   > Shall we isolate between iptlite (user space) and nflite (kernel space), using ioctl or setsockopt (which iptables uses)?
   
   We will look into the possibility of using one of these in our implementation. In the meantime, I have converted this PR to a draft.

