Match using Linux Socket Filter. Expects a path to an eBPF object or a cBPF
program in decimal format.
.TP
\fB\-\-object\-pinned\fP \fIpath\fP
Pass a path to a pinned eBPF object.
.PP
Applications load eBPF programs into the kernel with the bpf() system call and
BPF_PROG_LOAD command and can pin them in a virtual filesystem with BPF_OBJ_PIN.
To use a pinned object in iptables, mount the bpf filesystem using
.IP
mount \-t bpf bpf ${BPF_MOUNT}
.PP
then insert the filter in iptables by path:
.IP
iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j ACCEPT
.TP
\fB\-\-bytecode\fP \fIcode\fP
Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility.
.PP
The code format is similar to the output of the tcpdump -ddd command: one line
that stores the number of instructions, followed by one line for each
instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
notation. Fields encode the operation, jump offset if true, jump offset if
false and generic multiuse field 'K'. Comments are not supported.
.PP
For example, to read only packets matching 'ip proto 6', insert the following,
without the comments or trailing whitespace:
.IP
4               # number of instructions
.br
48 0 0 9        # load byte  ip->proto
.br
21 0 1 6        # jump equal IPPROTO_TCP
.br
6 0 0 1         # return     pass (non-zero)
.br
6 0 0 0         # return     fail (zero)
.PP
You can pass this filter to the bpf match with the following command:
.IP
iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT
.PP
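Because a bytecode string is opaque once it sits in a ruleset, it is worth
checking a program's shape and verdicts before inserting it. The following
Python script is an added illustration, not part of this man page or of the
xtables code: it parses the 'u16 u8 u8 u32' decimal format (both the
line-per-instruction file form and the comma-joined \-\-bytecode argument),
rejects count mismatches and out-of-range jumps, and dry-runs the page's
'ip proto 6' filter over a constructed IPv4 header. The opcode values are the
classic BPF constants from <linux/filter.h>; the interpreter covers only the
absolute loads, jump-if-equal and return, which is all the example needs.

```python
"""Dry-run a cBPF program in the decimal 'u16 u8 u8 u32' format used by
iptables -m bpf --bytecode, before loading it into a live ruleset.

Added illustration, not part of the iptables man page or the xtables code.
Only the opcodes the page's example needs (plus the other absolute loads)
are interpreted; anything else is rejected so the dry run never lies."""
from collections import namedtuple

Insn = namedtuple("Insn", "code jt jf k")

# Opcode values from <linux/filter.h>, written as the decimals the format uses.
LD_B_ABS = 48   # BPF_LD|BPF_B|BPF_ABS : A = pkt[k]
LD_H_ABS = 40   # BPF_LD|BPF_H|BPF_ABS : A = big-endian u16 at pkt[k]
LD_W_ABS = 32   # BPF_LD|BPF_W|BPF_ABS : A = big-endian u32 at pkt[k]
JEQ_K = 21      # BPF_JMP|BPF_JEQ|BPF_K: pc += jt if A == k else jf
RET_K = 6       # BPF_RET|BPF_K        : return k
RET_A = 22      # BPF_RET|BPF_A        : return A
LOAD_WIDTH = {LD_B_ABS: 1, LD_H_ABS: 2, LD_W_ABS: 4}


def parse_bytecode(text):
    """Parse the line-per-instruction file form or the comma-joined
    --bytecode argument. Raises ValueError for malformed programs."""
    parts = [p.strip() for p in text.replace("\n", ",").split(",") if p.strip()]
    if not parts:
        raise ValueError("empty program")
    count = int(parts[0])
    insns = []
    for line in parts[1:]:
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"expected 'u16 u8 u8 u32', got {line!r}")
        code, jt, jf, k = (int(f) for f in fields)
        if not (0 <= code < 2**16 and 0 <= jt < 2**8
                and 0 <= jf < 2**8 and 0 <= k < 2**32):
            raise ValueError(f"field out of range in {line!r}")
        if code not in LOAD_WIDTH and code not in (JEQ_K, RET_K, RET_A):
            raise ValueError(f"opcode {code} not supported by this dry-run interpreter")
        insns.append(Insn(code, jt, jf, k))
    if len(insns) != count:
        raise ValueError(f"header says {count} instructions, found {len(insns)}")
    for i, ins in enumerate(insns):   # every jump must land inside the program
        if ins.code == JEQ_K and i + 1 + max(ins.jt, ins.jf) >= len(insns):
            raise ValueError(f"jump at instruction {i} leaves the program")
    if insns[-1].code not in (RET_K, RET_A):
        raise ValueError("program must end with a return")
    return insns


def to_bytecode_arg(insns):
    """Render instructions as the comma-joined string --bytecode expects."""
    return ",".join([str(len(insns))] + [f"{i.code} {i.jt} {i.jf} {i.k}" for i in insns])


def run_filter(insns, pkt):
    """Return the verdict for pkt (bytes starting at the IP header, which is
    what iptables hands the match); non-zero means the packet matches.
    An out-of-bounds load ends the program with verdict 0, as in the kernel."""
    a, pc = 0, 0
    while pc < len(insns):
        ins = insns[pc]
        pc += 1
        if ins.code in LOAD_WIDTH:
            width = LOAD_WIDTH[ins.code]
            if ins.k + width > len(pkt):
                return 0
            a = int.from_bytes(pkt[ins.k:ins.k + width], "big")
        elif ins.code == JEQ_K:
            pc += ins.jt if a == ins.k else ins.jf
        elif ins.code == RET_K:
            return ins.k
        elif ins.code == RET_A:
            return a
    raise ValueError("fell off the end of the program")


def ipv4_packet(proto, payload=b""):
    """Constructed minimal IPv4 header (no options); byte 9 is the protocol."""
    total_len = 20 + len(payload)
    hdr = (bytes([0x45, 0]) + total_len.to_bytes(2, "big") + bytes(4)
           + bytes([64, proto]) + bytes(10))
    return hdr + payload


# The page's 'ip proto 6' filter in the file form, comments stripped.
PAGE_FILTER = "4\n48 0 0 9\n21 0 1 6\n6 0 0 1\n6 0 0 0\n"

if __name__ == "__main__":
    prog = parse_bytecode(PAGE_FILTER)
    print("--bytecode", repr(to_bytecode_arg(prog)))
    for name, proto in (("tcp", 6), ("udp", 17)):
        print(name, "->", run_filter(prog, ipv4_packet(proto)))
```

Running the script prints the exact string to pass to \-\-bytecode and shows
verdict 1 for a TCP header and 0 for a UDP header; a header too short for the
load at offset 9 also yields 0, which is the kernel's behaviour for loads past
the end of the packet.
.PP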
Or instead, you can invoke the nfbpf_compile utility.
.IP
iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
.PP
Or use tcpdump -ddd. In that case, generate BPF targeting a device with the
same data link type as the xtables match. Iptables passes packets from the
network layer up, without the MAC layer. Select a device with data link type
RAW, such as a tun device:
.IP
ip tuntap add tun0 mode tun
.br
ip link set tun0 up
.br
tcpdump -ddd -i tun0 ip proto 6
.PP
See tcpdump -L -i $dev for a list of known data link types for a given device.
.PP
You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
