@jukkar jukkar commented Dec 9, 2025

Add more information to network packet filter documentation to make it more useful to end users.

Fixes #100464

rlubos previously approved these changes Dec 9, 2025
kartben previously approved these changes Dec 9, 2025
Currently, two such rule lists exist: ``npf_send_rules`` for outgoing packets,
and ``npf_recv_rules`` for incoming packets.

There are different set of rules for different layers in the network stack.

Suggested change
There are different set of rules for different layers in the network stack.
There are different sets of rules for different layers in the network stack.

:c:macro:`NPF_RULE()` and :c:macro:`NPF_PRIORITY()` to create a rule instance
with an immediate outcome or a priority change.

See also :zephyr:code-sample:`net-pkt-filter` sample for an example how to create and

Suggested change
See also :zephyr:code-sample:`net-pkt-filter` sample for an example how to create and
See also :zephyr:code-sample:`net-pkt-filter` sample for an example of how to create and

Add more information to network packet filter documentation to
make it more useful to end users.

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
@jukkar jukkar dismissed stale reviews from kartben and rlubos via ff7c01f December 9, 2025 10:20
@jukkar jukkar force-pushed the fix/100464/enhance-npf-docs branch from a1f9b81 to ff7c01f Compare December 9, 2025 10:20

jukkar commented Dec 9, 2025

  • Updated according to comments

zagor commented Dec 9, 2025

This adds much-needed information. Can we also add to one or more examples a call to create/add an L3 or L4 rule? Currently the examples only contain L2 rules.


jukkar commented Dec 9, 2025

> Can we also add to one or more examples a call to create/add an L3 or L4 rule? Currently the examples only contain L2 rules.

I added a link to the pkt_filter sample which contains examples of L3 rules and handling. The problem with inline examples is that they bit rot easily because they are not compile tested. The sample should stay up to date if things around the net stack change. Would the code examples in the sample be enough for the end user, WDYT?


zagor commented Dec 9, 2025

> I added a link to the pkt_filter sample which contains examples of L3 rules and handling.

Does it? It only calls npf_append_recv_rule(), which adds a rule to the npf_recv_rules L2 rule list, doesn't it?

I think we need to show that the other rule lists exist, and how to use them. And perhaps especially how to use them in combination, which is what I'm struggling with right now. (Such as: "Allow IPv6 from address X::1 and IPv4 from interface Y, but drop everything else.")


jukkar commented Dec 9, 2025

> Does it? It only calls npf_append_recv_rule(), which adds a rule to the npf_recv_rules L2 rule list, doesn't it?
>
> I think we need to show that the other rule lists exist, and how to use them. And perhaps especially how to use them in combination, which is what I'm struggling with right now. (Such as: "Allow IPv6 from address X::1 and IPv4 from interface Y, but drop everything else.")

I will check and add something related to this then. But as a general note, would you as an end user be ok with this (pointing to the sample) or would you prefer to see examples in inline documentation?


zagor commented Dec 9, 2025

Samples are generally good enough for me as end-user.

Successfully merging this pull request may close these issues.

npf_ip_src_addr_match() is using packet address family before it is set