Add iptlite packet filter app
Summary
This merge request aims to add a lightweight packet filter to NuttX, called iptlite (iptables lite), which is based on the Linux firewall, iptables and netfilter. This first implementation is focused on the essential commands, such as adding a drop rule based on the 4-tuple (source IPv4 address, destination IPv4 address, source port and destination port), flushing all rules and listing all rules, for all ingress TCP packets.
The implementation is divided into two parts: the iptlite app, the CLI for the user, and the nflite modules (netfilter lite), which provide the APIs to the iptlite app and can be seen in another MR on the incubator-nuttx repository.
This project was considered the third-best security tool in the XXII Brazilian Symposium on Information Security and Computer Systems, and the related paper was accepted by this conference as well.
Impact
This lightweight packet filter could be an additional security feature, especially in the IoT environment, allowing users to adopt, for instance, a zero trust policy, consequently denying all ingress packets except the preset ones.
Testing
In order to give more context about the implementation, the following link shows a quick video demo of the project.
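The description above covers the three operations (add a 4-tuple drop rule, flush, list) and the default-deny ("zero trust") use from the Impact section. The following is an added illustration written for this review, not the iptlite or nflite code from this MR or the linked one; every name in it (the nf_ prefix, the 0-means-any wildcard convention, first-match semantics, the table policy) is an assumption chosen to mirror how an iptables chain behaves, and the addresses and ports are constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative 4-tuple filter table (not the nflite implementation). */

#define NF_MAX_RULES 16

enum nf_verdict { NF_ACCEPT = 0, NF_DROP = 1 };

struct nf_tuple {
  uint32_t saddr; /* IPv4 source address, host byte order; 0 = any (assumed) */
  uint32_t daddr; /* IPv4 destination address; 0 = any */
  uint16_t sport; /* TCP source port; 0 = any */
  uint16_t dport; /* TCP destination port; 0 = any */
};

struct nf_rule {
  struct nf_tuple match;
  enum nf_verdict verdict;
};

struct nf_table {
  struct nf_rule rules[NF_MAX_RULES];
  int count;
  enum nf_verdict policy; /* verdict applied when no rule matches */
};

static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
  return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

static void nf_init(struct nf_table *t, enum nf_verdict policy) {
  memset(t, 0, sizeof(*t));
  t->policy = policy;
}

/* Append a rule to the end of the chain; -1 when the table is full. */
static int nf_add_rule(struct nf_table *t, const struct nf_tuple *m,
                       enum nf_verdict v) {
  if (t->count >= NF_MAX_RULES) return -1;
  t->rules[t->count].match = *m;
  t->rules[t->count].verdict = v;
  t->count++;
  return 0;
}

/* Remove every rule; the table policy alone decides afterwards. */
static void nf_flush(struct nf_table *t) { t->count = 0; }

static bool nf_field_match(uint32_t want, uint32_t have) {
  return want == 0 || want == have;
}

/* First matching rule wins, like an iptables chain; otherwise the policy. */
static enum nf_verdict nf_filter(const struct nf_table *t,
                                 const struct nf_tuple *pkt) {
  for (int i = 0; i < t->count; i++) {
    const struct nf_tuple *m = &t->rules[i].match;
    if (nf_field_match(m->saddr, pkt->saddr) &&
        nf_field_match(m->daddr, pkt->daddr) &&
        nf_field_match(m->sport, pkt->sport) &&
        nf_field_match(m->dport, pkt->dport))
      return t->rules[i].verdict;
  }
  return t->policy;
}

static void nf_list(const struct nf_table *t) {
  printf("policy %s, %d rule(s)\n", t->policy == NF_DROP ? "DROP" : "ACCEPT",
         t->count);
  for (int i = 0; i < t->count; i++) {
    const struct nf_tuple *m = &t->rules[i].match;
    printf("%2d %s src=0x%08x:%u dst=0x%08x:%u\n", i,
           t->rules[i].verdict == NF_DROP ? "DROP  " : "ACCEPT",
           m->saddr, m->sport, m->daddr, m->dport);
  }
}

/* Constructed default-deny scenario: drop one host outright, then allow
 * TCP/22 from anyone else; everything not listed hits the DROP policy. */
static struct nf_table g_demo;
static int g_demo_ready;

static enum nf_verdict nf_demo_check(uint32_t saddr, uint32_t daddr,
                                     uint16_t sport, uint16_t dport) {
  if (!g_demo_ready) {
    nf_init(&g_demo, NF_DROP);
    struct nf_tuple bad_host = { ip4(10, 0, 0, 5), 0, 0, 0 };
    struct nf_tuple ssh_in = { 0, ip4(192, 168, 1, 10), 0, 22 };
    nf_add_rule(&g_demo, &bad_host, NF_DROP);
    nf_add_rule(&g_demo, &ssh_in, NF_ACCEPT);
    g_demo_ready = 1;
  }
  struct nf_tuple pkt = { saddr, daddr, sport, dport };
  return nf_filter(&g_demo, &pkt);
}

int main(void) {
  nf_demo_check(0, 0, 0, 0); /* builds the demo table */
  nf_list(&g_demo);
  nf_flush(&g_demo);
  nf_list(&g_demo); /* only the DROP policy remains */
  return 0;
}
```

Rule order matters with first-match semantics: the host-wide DROP sits before the TCP/22 ACCEPT, so 10.0.0.5 is rejected even on port 22, while any other source reaching 192.168.1.10:22 is accepted and everything else falls through to the DROP policy.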
Should we separate iptlite (user space) from nflite (kernel space) using ioctl or setsockopt (which iptables uses)?
We will look into the possibility of using one of these in our implementation. I converted this PR to a draft in the meantime.
@duduita @wengzhe has developed an infrastructure for iptables, so you may port the filter functionality with less effort now. Please reference the following PRs to learn the usage: https://github.com/apache/nuttx-apps/pull/1479 and https://github.com/apache/nuttx/pull/7989.