samples: net: pkt_filter: Add IPv4/6 address blocklist

Add information how to block IPv4 or IPv6 addresses.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>

Author: jukkar

samples/net/pkt_filter/README.rst

@@ -61,6 +61,8 @@ In network shell, you can monitor the network packet filters:
    [ 4]  recv        OK             N/A    N/A          N/A  2    iface[2],eth vlan type[0x0806]
    [ 5]  recv        OK             N/A    N/A          N/A  2    iface[3],eth vlan type[0x0806]
    [ 6]  recv        DROP           N/A    N/A          N/A  0
+   [ 7]  IPv4 recv   OK             N/A    N/A          N/A  1    ip src block[192.0.2.2,198.51.100.2]
+   [ 8]  IPv6 recv   OK             N/A    N/A          N/A  1    ip src block[2001:db8::2,2001:db8::100:2]
 
 The above sample application network packet filter rules can be interpreted
 like this:
@@ -80,6 +82,10 @@ like this:
 * Rule 6: Drop all other packets. This also means that IPv6 packets are
   dropped.
 
+* Rule 7: Drop IPv4 packets where the source address is either ``192.0.2.2`` or ``198.51.100.2``.
+
+* Rule 8: Drop IPv6 packets where the source address is either ``2001:db8::2`` or ``2001:db8::100:2``.
+
 If you enable network packet priority option :kconfig:option:`CONFIG_NET_SAMPLE_USE_PACKET_PRIORITIES`
 then the sample will install extra rules for setting up the priorities.
 
@@ -96,13 +102,15 @@ then the sample will install extra rules for setting up the priorities.
    [ 9]  recv        OK             N/A    N/A          N/A  2    iface[2],eth vlan type[0x0806]
    [10]  recv        OK             N/A    N/A          N/A  2    iface[3],eth vlan type[0x0806]
    [11]  recv        DROP           N/A    N/A          N/A  0
+   [12]  IPv4 recv   OK             N/A    N/A          N/A  1    ip src block[192.0.2.2,198.51.100.2]
+   [13]  IPv6 recv   OK             N/A    N/A          N/A  1    ip src block[2001:db8::2,2001:db8::100:2]
 
 The above sample application network packet filter rules can be interpreted
 like this:
 
 * Rules 1 - 5: Add rules to set network packet priority to certain type packets.
 
-* Rule 6 - 11: These are the same as in previous rule list.
+* Rule 6 - 13: These are the same as in previous rule list.
 
 The network statistics can be used to see that the packets are dropped.
 Use ``net stats`` command to monitor statistics.

samples/net/pkt_filter/src/main.c

@@ -59,6 +59,33 @@ static NPF_RULE(arp_pkt_vlan2, NET_OK, match_iface_vlan2, match_arp_vlan);
 static NPF_PRIORITY(arp_priority_vlan1, NET_PRIORITY_BK, match_iface_vlan1, match_arp_vlan);
 static NPF_PRIORITY(arp_priority_vlan2, NET_PRIORITY_BK, match_iface_vlan2, match_arp_vlan);
 
+/* Block IPv4 or IPv6 packets from only these addresses */
+#define PEER1_IPV4_ADDR_INIT {{{ 192, 0, 2, 2 }}}
+#define PEER2_IPV4_ADDR_INIT {{{ 198, 51, 100, 2 }}}
+#define PEER1_IPV6_ADDR_INIT \
+	{{{ 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,	0, 0, 0, 0, 0, 0, 0, 0x02 }}}
+#define PEER2_IPV6_ADDR_INIT \
+	{{{ 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,	0, 0, 0, 0, 0x1, 0, 0, 0x02 }}}
+
+static struct net_in_addr peer_ipv4_addr[] = {
+	[0] = PEER1_IPV4_ADDR_INIT,
+	[1] = PEER2_IPV4_ADDR_INIT,
+};
+
+static struct net_in6_addr peer_ipv6_addr[] = {
+	[0] = PEER1_IPV6_ADDR_INIT,
+	[1] = PEER2_IPV6_ADDR_INIT,
+};
+
+static NPF_IP_SRC_ADDR_BLOCKLIST(ipv4_src_block,
+				 peer_ipv4_addr, ARRAY_SIZE(peer_ipv4_addr),
+				 NET_AF_INET);
+static NPF_IP_SRC_ADDR_BLOCKLIST(ipv6_src_block,
+				 peer_ipv6_addr, ARRAY_SIZE(peer_ipv6_addr),
+				 NET_AF_INET6);
+static NPF_RULE(ipv4_addr_block, NET_OK, ipv4_src_block);
+static NPF_RULE(ipv6_addr_block, NET_OK, ipv6_src_block);
+
 static void iface_cb(struct net_if *iface, void *user_data)
 {
 	int count = 0;
@@ -116,7 +143,7 @@ static void init_app(void)
 	/* The sample will setup the Ethernet interface and two VLAN
 	 * optional interfaces (if VLAN is enabled).
 	 * We allow all traffic to the Ethernet interface, but have
-	 * filters for the VLAN interfaces.
+	 * filters for the VLAN interfaces and check IPv4 and IPv6 source addresses.
 	 *
 	 * First append the priority rules, so that they get evaluated before
 	 * deciding on the final verdict for the packet.
@@ -142,6 +169,12 @@ static void init_app(void)
 
 	/* The remaining packets that do not match are dropped */
 	npf_append_recv_rule(&npf_default_drop);
+
+	/* We block packets from specific IPv4 addresses */
+	npf_append_ipv4_recv_rule(&ipv4_addr_block);
+
+	/* We block packets from specific IPv6 addresses */
+	npf_append_ipv6_recv_rule(&ipv6_addr_block);
 }
 
 int main(void)