apache · xiaoxiang781216 · Dec 28, 2022 · Dec 13, 2022
@@ -60,6 +60,18 @@
 #define IPT_TARGET(e) \
   ((FAR struct xt_entry_target *)((FAR uint8_t *)(e) + (e)->target_offset))
 
+/* Auto fill common fields of entry and target. */
+
+#define IPT_FILL_ENTRY(e, target_name) \
+  do \
+    { \
+      (e)->entry.target_offset = sizeof((e)->entry); \
+      (e)->entry.next_offset = sizeof(*(e)); \
+      (e)->target.target.u.target_size = sizeof(*(e)) - sizeof((e)->entry); \
+      strcpy((e)->target.target.u.user.name, (target_name)); \
+    } \
+  while(0)
+
 /****************************************************************************
  * Public Types
  ****************************************************************************/

@@ -27,6 +27,12 @@
 
 #include <sys/types.h>
 
+/****************************************************************************
+ * Pre-processor Definitions
+ ****************************************************************************/
+
+#define TABLE_NAME_NAT "nat"
+
 /****************************************************************************
  * Public Types
  ****************************************************************************/

@@ -330,6 +330,7 @@ menuconfig NET_6LOWPAN
 source "net/sixlowpan/Kconfig"
 source "net/ipforward/Kconfig"
 source "net/nat/Kconfig"
+source "net/netfilter/Kconfig"
 
 endmenu # Internet Protocol Selection
 

@@ -48,6 +48,7 @@ include ieee802154/Make.defs
 include devif/Make.defs
 include ipforward/Make.defs
 include nat/Make.defs
+include netfilter/Make.defs
 include route/Make.defs
 include procfs/Make.defs
 include usrsock/Make.defs

diff --git a/net/inet/Make.defs b/net/inet/Make.defs
@@ -31,7 +31,7 @@ SOCK_CSRCS += inet_globals.c
 endif
 
 ifeq ($(CONFIG_NET_IPv4),y)
-SOCK_CSRCS += ipv4_setsockopt.c ipv4_getsockname.c ipv4_getpeername.c ipv4_build_header.c
+SOCK_CSRCS += ipv4_setsockopt.c ipv4_getsockopt.c ipv4_getsockname.c ipv4_getpeername.c ipv4_build_header.c
 endif
 
 ifeq ($(CONFIG_NET_IPv6),y)

@@ -161,6 +161,38 @@ int ipv6_setsockopt(FAR struct socket *psock, int option,
                     FAR const void *value, socklen_t value_len);
 #endif
 
+/****************************************************************************
+ * Name: ipv4_getsockopt
+ *
+ * Description:
+ *   ipv4_getsockopt() retrieve the value for the option specified by the
+ *   'option' argument for the socket specified by the 'psock' argument.  If
+ *   the size of the option value is greater than 'value_len', the value
+ *   stored in the object pointed to by the 'value' argument will be silently
+ *   truncated. Otherwise, the length pointed to by the 'value_len' argument
+ *   will be modified to indicate the actual length of the 'value'.
+ *
+ *   See <netinet/in.h> for the a complete list of values of IPv4 protocol
+ *   socket options.
+ *
+ * Input Parameters:
+ *   psock     Socket structure of the socket to query
+ *   option    identifies the option to get
+ *   value     Points to the argument value
+ *   value_len The length of the argument value
+ *
+ * Returned Value:
+ *   Returns zero (OK) on success.  On failure, it returns a negated errno
+ *   value to indicate the nature of the error.  See psock_getsockopt() for
+ *   the list of possible error values.
+ *
+ ****************************************************************************/
+
+#ifdef CONFIG_NET_IPv4
+int ipv4_getsockopt(FAR struct socket *psock, int option,
+                    FAR void *value, FAR socklen_t *value_len);
+#endif
+
 /****************************************************************************
  * Name: ipv4_getsockname and ipv6_sockname
  *

@@ -739,19 +739,23 @@ static int inet_get_socketlevel_option(FAR struct socket *psock, int option,
 static int inet_getsockopt(FAR struct socket *psock, int level, int option,
                            FAR void *value, FAR socklen_t *value_len)
 {
-  if (level == SOL_SOCKET)
+  switch (level)
     {
-      return inet_get_socketlevel_option(psock, option, value, value_len);
-    }
+      case SOL_SOCKET:
+        return inet_get_socketlevel_option(psock, option, value, value_len);
+
 #ifdef CONFIG_NET_TCPPROTO_OPTIONS
-  else if (level == IPPROTO_TCP)
-    {
-      return tcp_getsockopt(psock, option, value, value_len);
-    }
+      case IPPROTO_TCP:
+        return tcp_getsockopt(psock, option, value, value_len);
 #endif
-  else
-    {
-      return -ENOPROTOOPT;
+
+#ifdef CONFIG_NET_IPv4
+      case IPPROTO_IP:
+        return ipv4_getsockopt(psock, option, value, value_len);
+#endif
+
+      default:
+        return -ENOPROTOOPT;
     }
 }
 

@@ -0,0 +1,97 @@
+/****************************************************************************
+ * net/inet/ipv4_getsockopt.c
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.  The
+ * ASF licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the
+ * License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ ****************************************************************************/
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include <nuttx/config.h>
+
+#include <sys/types.h>
+#include <errno.h>
+#include <debug.h>
+
+#include <nuttx/net/net.h>
+
+#include <netinet/in.h>
+
+#include "netfilter/iptables.h"
+
+#ifdef CONFIG_NET_IPv4
+
+/****************************************************************************
+ * Public Functions
+ ****************************************************************************/
+
+/****************************************************************************
+ * Name: ipv4_getsockopt
+ *
+ * Description:
+ *   ipv4_getsockopt() retrieve the value for the option specified by the
+ *   'option' argument for the socket specified by the 'psock' argument.  If
+ *   the size of the option value is greater than 'value_len', the value
+ *   stored in the object pointed to by the 'value' argument will be silently
+ *   truncated. Otherwise, the length pointed to by the 'value_len' argument
+ *   will be modified to indicate the actual length of the 'value'.
+ *
+ *   See <netinet/in.h> for the a complete list of values of IPv4 protocol
+ *   socket options.
+ *
+ * Input Parameters:
+ *   psock     Socket structure of the socket to query
+ *   option    identifies the option to get
+ *   value     Points to the argument value
+ *   value_len The length of the argument value
+ *
+ * Returned Value:
+ *   Returns zero (OK) on success.  On failure, it returns a negated errno
+ *   value to indicate the nature of the error.  See psock_getsockopt() for
+ *   the list of possible error values.
+ *
+ ****************************************************************************/
+
+int ipv4_getsockopt(FAR struct socket *psock, int option,
+                    FAR void *value, FAR socklen_t *value_len)
+{
+  int ret;
+
+  ninfo("option: %d\n", option);
+
+  net_lock();
+  switch (option)
+    {
+#ifdef CONFIG_NET_IPTABLES
+      case IPT_SO_GET_INFO:
+      case IPT_SO_GET_ENTRIES:
+        ret = ipt_getsockopt(psock, option, value, value_len);
+        break;
+#endif
+
+      default:
+        nerr("ERROR: Unrecognized IPv4 option: %d\n", option);
+        ret = -ENOPROTOOPT;
+        break;
+    }
+
+  net_unlock();
+  return ret;
+}
+
+#endif /* CONFIG_NET_IPv4 */
@@ -34,6 +34,7 @@
 #include <netinet/in.h>
 
 #include "netdev/netdev.h"
+#include "netfilter/iptables.h"
 #include "igmp/igmp.h"
 #include "inet/inet.h"
 #include "udp/udp.h"
@@ -261,6 +262,12 @@ int ipv4_setsockopt(FAR struct socket *psock, int option,
         break;
 #endif
 
+#ifdef CONFIG_NET_IPTABLES
+      case IPT_SO_SET_REPLACE:
+        ret = ipt_setsockopt(psock, option, value, value_len);
+        break;
+#endif
+
       default:
         nerr("ERROR: Unrecognized IPv4 option: %d\n", option);
         ret = -ENOPROTOOPT;

@@ -0,0 +1,13 @@
+#
+# For a description of the syntax of this configuration file,
+# see the file kconfig-language.txt in the NuttX tools repository.
+#
+
+config NET_IPTABLES
+	bool "Iptables Interface"
+	default y
+	depends on NET_IPv4
+	depends on NET_SOCKOPTS
+	depends on NET_NAT  # May change dependency if we have firewall later.
+	---help---
+		Enable or disable iptables compatible interface (for NAT).
diff --git a/net/netfilter/Make.defs b/net/netfilter/Make.defs
@@ -0,0 +1,36 @@
+############################################################################
+# net/netfilter/Make.defs
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.  The
+# ASF licenses this file to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance with the
+# License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+############################################################################
+
+# Netfilter source files
+
+ifeq ($(CONFIG_NET_IPTABLES),y)
+
+NET_CSRCS += ipt_sockopt.c
+
+ifeq ($(CONFIG_NET_NAT),y)
+NET_CSRCS += ipt_nat.c
+endif
+
+# Include Netfilter build support
+
+DEPPATH += --dep-path netfilter
+VPATH += :netfilter
+
+endif