Documentation: Add docs for ipfilter

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>

Documentation/components/net/index.rst

@@ -8,6 +8,7 @@ Network Support
   sixlowpan.rst
   socketcan.rst
   pkt.rst
+  ipfilter.rst
   nat.rst
   netdev.rst
   netdriver.rst

Documentation/components/net/ipfilter.rst

@@ -0,0 +1,125 @@
+================
+IP Packet Filter
+================
+
+NuttX supports IP packet filter (firewall) compatible with Linux's iptables and
+netfilter. It is a stateless packet filter that can be used to filter packets
+based on source and destination IP addresses, source and destination ports,
+protocol, and interface.
+
+Workflow
+========
+
+Similar to Linux's iptables, NuttX's IP packet filter defines chains at similar
+points in the packet processing path. The following diagram shows the packet
+processing path and the chains that are defined in NuttX's IP packet filter.
+
+::
+
+   NIC ──> ipv[46]_input ─┬─> ipv[46]_forward ──> [FORWARD CHAIN] ──> devif_poll_out ──> NIC
+                          │                                                 ^
+                          │                  ┌─>  tcp  ─┐                   │
+                          │                  ├─>  udp  ─┤                   │
+                          └─> [INPUT CHAIN] ─┼─> icmp  ─┼─> [OUTPUT CHAIN] ─┘
+                                             ├─> icmp6 ─┤
+                                             └─>  ...  ─┘
+
+Configuration Options
+=====================
+
+``CONFIG_NET_IPFILTER``
+  Enable this option to enable the IP packet filter (firewall).
+
+``CONFIG_NET_IPTABLES``
+  Enable or disable iptables compatible interface (including ip6tables).
+
+``CONFIG_SYSTEM_IPTABLES``
+  Enable support for the 'iptables' command.
+
+``CONFIG_SYSTEM_IP6TABLES``
+  Enable support for the 'ip6tables' command.
+
+Usage
+=====
+
+With `iptables` command, we can add, delete, and list rules in the IP packet
+filter. It's similar to the `iptables` command in Linux.
+
+The following examples show the commands we support:
+
+..  code-block:: shell
+
+  > iptables -h
+
+  USAGE: iptables -t table -[AD] chain rule-specification
+         iptables -t table -I chain [rulenum] rule-specification
+         iptables -t table -D chain rulenum
+         iptables -t table -P chain target
+         iptables -t table -[FL] [chain]
+
+  Commands:
+      --append        -A chain            Append a rule to chain
+      --insert        -I chain [rulenum]  Insert a rule to chain at rulenum (default = 1)
+      --delete        -D chain [rulenum]  Delete matching rule from chain
+      --policy        -P chain target     Set policy for chain to target
+      --flush         -F [chain]          Delete all rules in chain or all chains
+      --list          -L [chain]          List all rules in chain or all chains
+
+  Options:
+      --table         -t table            Table to manipulate (default: filter)
+      --jump          -j target           Target for rule
+  [!] --in-interface  -i dev              Input network interface name
+  [!] --out-interface -o dev              Output network interface name
+  [!] --source        -s address[/mask]   Source address
+  [!] --destination   -d address[/mask]   Destination address
+  [!] --protocol      -p proto            Protocol (tcp, udp, icmp, esp, all)
+  [!] --source-port,--sport
+                         port[:port]      Source port
+  [!] --destination-port,--dport
+                         port[:port]      Destination port
+  [!] --icmp-type        type             ICMP type
+  [!] --icmpv6-type      type             ICMPv6 type
+
+..  code-block:: shell
+
+  > iptables -P FORWARD DROP
+  > iptables -I INPUT -i eth0 ! -p icmp -j DROP
+  > iptables -t filter -A FORWARD -p tcp -s 10.0.1.2/24 -d 10.0.3.4/24 -i eth0 -o eth1 --sport 3000:3200 --dport 123:65535 -j ACCEPT
+  > iptables -t filter -I FORWARD 2 -p icmp ! -s 123.123.123.123 ! -i eth0 -o eth1 ! --icmp-type 255 -j REJECT
+
+  > iptables -L
+  Chain INPUT (policy ACCEPT)
+  target        prot  idev  odev  source              destination
+  DROP         !icmp  eth0  any   anywhere            anywhere
+
+  Chain FORWARD (policy DROP)
+  target        prot  idev  odev  source              destination
+  ACCEPT        tcp   eth0  eth1  10.0.1.2/24         10.0.3.4/24        tcp spts:3000:3200 dpts:123:65535
+  REJECT        icmp !eth0  eth1 !123.123.123.123/32  anywhere           icmp !type 255
+
+  Chain OUTPUT (policy ACCEPT)
+  target        prot  idev  odev  source              destination
+
+..  code-block:: shell
+
+  > ip6tables -P FORWARD DROP
+  > ip6tables -t filter -I FORWARD -p tcp -s fc00::2/64 -d 2001:da8::2:4/64 -i eth0 -o eth1 --sport 3000:3200 --dport 123:65535 -j ACCEPT
+  > ip6tables -t filter -I FORWARD -p icmpv6 -s fc00::2/64 -d 2001:da8::2:4/64 -i eth0 -o eth1 --icmpv6-type 123 -j ACCEPT
+  > ip6tables -t filter -I FORWARD -p tcp -i eth0 -o eth1 --sport 3000 -j ACCEPT
+  > ip6tables -t filter -I FORWARD 1 ! -p tcp ! -s fc00::2/64 ! -d 2001:da8::2:4/64 ! -i eth0 ! -o eth1 ! --sport 3000:3200 ! --dport 0:123 -j DROP
+  > ip6tables -t filter -I FORWARD 3 ! -p icmpv6 ! -s fc00::2/64 -d 2001:da8::2:4/64 ! -i eth0 -o eth1 ! --icmpv6-type 255 -j REJECT
+
+  > ip6tables -L
+  Chain INPUT (policy ACCEPT)
+  target        prot  idev  odev  source              destination
+
+  Chain FORWARD (policy DROP)
+  target        prot  idev  odev  source              destination
+  DROP         !tcp  !eth0 !eth1 !fc00::2/64         !2001:da8::2:4/64   tcp spts:!3000:3200 dpts:!0:123
+  ACCEPT        tcp   eth0  eth1  anywhere            anywhere           tcp spts:3000:3000 dpts:0:65535
+  REJECT       !ipv6-icmp !eth0  eth1 !fc00::2/64          2001:da8::2:4/64   ipv6-icmp !type 255
+  ACCEPT        ipv6-icmp  eth0  eth1  fc00::2/64          2001:da8::2:4/64   ipv6-icmp type 123
+  ACCEPT        tcp   eth0  eth1  fc00::2/64          2001:da8::2:4/64   tcp spts:3000:3200 dpts:123:65535
+
+  Chain OUTPUT (policy ACCEPT)
+  target        prot  idev  odev  source              destination