Add iptlite packet filter app

[duduita]

Summary

This merge request aims to add a lightweight packet filter to NuttX, called iptlite (iptables lite), which was based on Linux firewall, iptables and netfilter. This first implementation was focused on the essential commands, such as adding a drop rule based on the 4-tuple (source IPv4 address, destination IPv4 address, source port and destination port), flush all rules and list all rules, for all ingress TCP packets.

The implementation was divided in two parts: the iptlite app, the CLI to the user, and the nflite modules (netfilter lite), which will provide the APIs to the iptlite app, that can be seen in another MR on the incubator-nuttx repository.

This project was considered the third-best security tool in the XXII Brazilian Symposium on Information Security and Computer Systems, and the related paper was accepted by this conference as well.

Impact

This lightweight packet filter could be an additional security feature, especially in the IoT environment, allowing the users to adopt, for instance, a zero trust policy, consequently, denying all ingress packet filter, except by the preset ones.

Testing

In order to give more context about the implementation that it was made, this following link will show a quick video demo of the project.

[wengzhe]

Shall we isolate between iptlite(user space) and nflite(kernel space), using ioctl or setsockopt(iptables uses)?

[pkarashchenko]

Suggested change

	void add_rule(int rule, char * srcip, char * destip, char * srcprt, \
	char * destprt)
	void add_rule(int rule, FAR char *srcip, FAR char *destip, FAR char *srcprt,
	FAR char *destprt)

[pkarashchenko]

Suggested change

	in_addr_t srcipaddr, destipaddr;
	in_port_t srcport, destport;
	in_addr_t srcipaddr;
	in_addr_t destipaddr;
	in_port_t srcport;
	in_port_t destport;

[pkarashchenko]

Suggested change

	char** table = nflite_listall();
	FAR char** table = nflite_listall();

[pkarashchenko]

Can we somehow overcome this?

[pkarashchenko]

license header is missing

[duduita]

Shall we isolate between iptlite(user space) and nflite(kernel space), using ioctl or setsockopt(iptables uses)?

We will look into the possibility of using one of these in our implementation. Then, I converted this PR to a draft in the meantime.

[xiaoxiang781216]

@duduita @wengzhe has developed an infrastructure for iptable, you may port filter functionality less effort now. Please reference the follow PR to learn the usage: #1479 and apache/nuttx#7989.

[cederom]

ping :-)

[acassis]

@xiaoxiang781216 @wengzhe do we need this PR or is there already some alternative way to do it on NuttX?
Seems like there is a https://nuttx.apache.org/docs/latest/applications/system/iptables/index.html without documentation

[xiaoxiang781216]

@xiaoxiang781216 @wengzhe do we need this PR or is there already some alternative way to do it on NuttX? Seems like there is a https://nuttx.apache.org/docs/latest/applications/system/iptables/index.html without documentation

this patch doesn't consider protected/kernel mode, call the kernel function directly. Before the owner cover the change to the new iptable framework, this patch shouldn't merge.

[linguini1]

@duduita any plans to continue with this PR? Otherwise I think we will close it since it's been 3 years.