bpfilter: add in "Quick Start" guide within the "Usage" page

[ryanbsull]

No description provided.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 26.93%. Comparing base (dfeea3d) to head (b55f4b3).
Report is 93 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #177      +/-   ##
==========================================
- Coverage   28.54%   26.93%   -1.61%     
==========================================
  Files          54       57       +3     
  Lines        4618     4900     +282     
==========================================
+ Hits         1318     1320       +2     
- Misses       3300     3580     +280     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[qdeslandes]

Use long options here, it's easier to understand for people learning about bpfilter.

[qdeslandes]

path/to/bpfilter/ -> path/to/bpfilter/repo

[qdeslandes]

DENY -> DROP

[qdeslandes]

"DEVELOPERS link`" -> "DEVELOPERS section"

[qdeslandes]

"behavior of ping" -> "behavior of ping."

[qdeslandes]

Detail what the command is doing: "The above command will...", also for a quick example, I would avoid using a set ({...}) and use a single address instead (ip4.saddr eq 192.168.1.1).

[ryanbsull]

@qdeslandes let me know if the additions are acceptable or if more detail is needed

[qdeslandes]

"throughout the docs" -> "throughout the documentation"

[qdeslandes]

This path should be the same for all the examples. It might be simpler to remove the cd command from the code blocks and mention something along the lines of "we assume the following commands are run from the bpfilter source directory".

[qdeslandes]

This part is confusing and inaccurate:

• "bpfilter to check incoming traffic": it sends a request to bpfilter to create a new filter. bpfilter itself doesn't process the traffic
• "accept those connections": "connections" when it comes to packet filtering have a very specific meaning (e.g. TCP connection), bpfilter's programs works at the packet level
• "asks bpfilter to check": bpfilter won't check anything but generate a program that does
• "192.168.1.1 (yourself)": that is very specific to one's network.

I would prefer something simpler and more straightforward such as:

The command above will send a request to the bpfilter daemon to create a chain and attach it to the BF_HOOK_NF_LOCAL_IN hook, located after the packet has been routed in the kernel network stack. A single rule is defined, which will accept the packet if its source IPv4 address is 192.168.1.1. If the rule doesn't match the packet, the chain's policy is applied and the packet is accepted. In its current shape, the chain will always accept incoming packets.

[qdeslandes]

We define a rule to block a specific IP and the ping fails, but does this do what you expect it to do? The command above creates a filter for BF_HOOK_LOCAL_IN, i.e. an input hook, meaning packets coming to the local host with the source IP 192.168.1.1 are accepted. It won't block packets going out of the local host, but the answer coming back from 192.168.1.1.

[qdeslandes]

systematically filter out your own packets

We only filter packets coming from 192.168.1.1.

[qdeslandes]

Almost there, one last nit. Also, please fix the command regarding the usage of the long options in the examples.

[qdeslandes]

Use double backticks around BF_HOOK_NF_LOCAL_IN and the IP address.

[ryanbsull]

Hey, @qdeslandes just wanted to ping regarding this

[qdeslandes]

Hi @ryanbsull ,

Non-code changes are usually not the most straightforward for some reason, thanks for pushing through, I appreciate your contribution. This change is now merged!

[ryanbsull]

Thanks!