net: introduce a network packet filter framework

This provides the infrastructure to create network packet filter rules
and to apply them to the RX and TX packet paths. Rules are made of
simple condition tests that can be linked together, creating a facility
similarly to the Linux iptables functionality.

A couple of generic and Ethernet-specific condition tests are also
provided.

Additional tests can be easily created on top of this.

Signed-off-by: Nicolas Pitre <[email protected]>

Author: Nicolas Pitre

CODEOWNERS

@@ -568,6 +568,7 @@
 /include/net/coap*.h                      @rlubos
 /include/net/lwm2m*.h                     @rlubos
 /include/net/mqtt.h                       @rlubos
+/include/net/net_pkt_filter.h             @npitre
 /include/posix/                           @pfalcon
 /include/pm/pm.h                          @nashif @ceolin
 /include/drivers/ptp_clock.h              @tbursztyka
@@ -719,6 +720,7 @@
 /subsys/net/lib/tls_credentials/          @rlubos
 /subsys/net/l2/                           @rlubos @tbursztyka
 /subsys/net/l2/canbus/                    @alexanderwachter
+/subsys/net/pkt_filter/                   @npitre
 /subsys/net/*/openthread/                 @rlubos
 /subsys/pm/                               @nashif @ceolin
 /subsys/random/                           @dleach02
@@ -760,6 +762,7 @@
 /tests/net/lib/http_header_fields/        @rlubos @tbursztyka
 /tests/net/lib/mqtt_packet/               @rlubos
 /tests/net/lib/coap/                      @rlubos
+/tests/net/npf/                           @npitre
 /tests/net/socket/socketpair/             @cfriedt
 /tests/net/socket/                        @rlubos @tbursztyka @pfalcon
 /tests/subsys/debug/coredump/             @dcpleung

doc/reference/networking/net_pkt_filter.rst

@@ -0,0 +1,96 @@
+.. _net_pkt_filter_interface:
+
+Network Packet Filtering
+########################
+
+.. contents::
+    :local:
+    :depth: 2
+
+Overview
+********
+
+The Network Packet Filtering facility provides the infrastructure to
+construct custom rules for accepting and/or denying packet transmission
+and reception. This can be used to create a basic firewall, control
+network traffic, etc.
+
+The :kconfig:`CONFIG_NET_PKT_FILTER` must be set in order to enable the
+relevant APIs.
+
+Both the transmission and reception paths may have a list of filter rules.
+Each rule is made of a set of conditions and a packet outcome. Every packet
+is subjected to the conditions attached to a rule. When all the conditions
+for a given rule are true then the packet outcome is immediately determined
+as specified by the current rule and no more rules are considered. If one
+condition is false then the next rule in the list is considered.
+
+Packet outcome is either ``NET_OK`` to accept the packet or ``NET_DROP`` to
+drop it.
+
+A rule is represented by a :c:struct:`npf_rule` object. It can be inserted to,
+appended to or removed from a rule list contained in a
+:c:struct:`npf_rule_list` object using :c:func:`npf_insert_rule()`,
+:c:func:`npf_append_rule()`, and :c:func:`npf_remove_rule()`.
+Currently, two such rule lists exist: ``npf_send_rules`` for outgoing packets,
+and ``npf_recv_rules`` for incoming packets.
+
+If a filter rule list is empty then ``NET_OK`` is assumed. If a non-empty
+rule list runs to the end then ``NET_DROP`` is assumed. However it is
+recommended to always terminate a non-empty rule list with an explicit
+default termination rule, either ``npf_default_ok`` or ``npf_default_drop``.
+
+Rule conditions are represented by a :c:struct:`npf_test`. This structure
+can be embedded into a larger structure when a specific condition requires
+extra test data. It is up to the test function for such conditions to
+retrieve the outer structure from the provided ``npf_test`` structure pointer.
+
+Convenience macros are provided in :zephyr_file:`include/net/net_pkt_filter.h`
+to statically define condition instances for various conditions, and
+:c:macro:`NPF_RULE()` to create a rule instance to tie them.
+
+Examples
+********
+
+Here's an example usage:
+
+.. code-block:: c
+
+    static NPF_SIZE_MAX(maxsize_200, 200);
+    static NPF_ETH_TYPE_MATCH(ip_packet, NET_ETH_PTYPE_IP);
+
+    static NPF_RULE(small_ip_pkt, NET_OK, ip_packet, maxsize_200);
+
+    void install_my_filter(void)
+    {
+        npf_insert_recv_rule(&npf_default_drop);
+        npf_insert_recv_rule(&small_ip_pkt);
+    }
+
+The above would accept IP packets that are 200 bytes or smaller, and drop
+all other packets.
+
+Another (less efficient) way to achieve the same result could be:
+
+.. code-block:: c
+
+    static NPF_SIZE_MIN(minsize_201, 201);
+    static NPF_ETH_TYPE_UNMATCH(not_ip_packet, NET_ETH_PTYPE_IP);
+
+    static NPF_RULE(reject_big_pkts, NET_DROP, minsize_201);
+    static NPF_RULE(reject_non_ip, NET_DROP, not_ip_packet);
+
+    void install_my_filter(void) {
+        npf_append_recv_rule(&reject_big_pkts);
+        npf_append_recv_rule(&reject_non_ip);
+        npf_append_recv_rule(&npf_default_ok);
+    }
+
+API Reference
+*************
+
+.. doxygengroup:: net_pkt_filter
+
+.. doxygengroup:: npf_basic_cond
+
+.. doxygengroup:: npf_eth_cond

doc/reference/networking/system_mgmt.rst

@@ -16,4 +16,5 @@ Network System Management
    net_linkaddr.rst
    ethernet_mgmt.rst
    traffic-class.rst
+   net_pkt_filter.rst
    net_shell.rst

include/net/net_pkt.h

@@ -1212,6 +1212,29 @@ static inline bool net_pkt_is_being_overwritten(struct net_pkt *pkt)
 	return pkt->overwrite;
 }
 
+#ifdef CONFIG_NET_PKT_FILTER
+
+bool net_pkt_filter_send_ok(struct net_pkt *pkt);
+bool net_pkt_filter_recv_ok(struct net_pkt *pkt);
+
+#else
+
+static inline bool net_pkt_filter_send_ok(struct net_pkt *pkt)
+{
+	ARG_UNUSED(pkt);
+
+	return true;
+}
+
+static inline bool net_pkt_filter_recv_ok(struct net_pkt *pkt)
+{
+	ARG_UNUSED(pkt);
+
+	return true;
+}
+
+#endif /* CONFIG_NET_PKT_FILTER */
+
 /* @endcond */
 
 /**