• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1Match using Linux Socket Filter. Expects a BPF program in decimal format. This
2is the format generated by the \fBnfbpf_compile\fP utility.
3.TP
4\fB\-\-bytecode\fP \fIcode\fP
5Pass the BPF byte code format (described in the example below).
6.PP
7The code format is similar to the output of the tcpdump -ddd command: one line
8that stores the number of instructions, followed by one line for each
9instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
10notation. Fields encode the operation, jump offset if true, jump offset if
11false and generic multiuse field 'K'. Comments are not supported.
12.PP
13For example, to read only packets matching 'ip proto 6', insert the following,
14without the comments or trailing whitespace:
15.IP
164               # number of instructions
17.br
1848 0 0 9        # load byte  ip->proto
19.br
2021 0 1 6        # jump equal IPPROTO_TCP
21.br
226 0 0 1         # return     pass (non-zero)
23.br
246 0 0 0         # return     fail (zero)
25.PP
26You can pass this filter to the bpf match with the following command:
27.IP
28iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT
29.PP
30Or instead, you can invoke the nfbpf_compile utility.
31.IP
32iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
33.PP
34You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
35