|
Packit Service |
d1fe03 |
Match using Linux Socket Filter. Expects a path to an eBPF object or a cBPF
|
|
Packit Service |
d1fe03 |
program in decimal format.
|
|
Packit Service |
d1fe03 |
.TP
|
|
Packit Service |
d1fe03 |
\fB\-\-object\-pinned\fP \fIpath\fP
|
|
Packit Service |
d1fe03 |
Pass a path to a pinned eBPF object.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
Applications load eBPF programs into the kernel with the bpf() system call and
|
|
Packit Service |
d1fe03 |
BPF_PROG_LOAD command and can pin them in a virtual filesystem with BPF_OBJ_PIN.
|
|
Packit Service |
d1fe03 |
To use a pinned object in iptables, mount the bpf filesystem using
|
|
Packit Service |
d1fe03 |
.IP
|
|
Packit Service |
d1fe03 |
mount \-t bpf bpf ${BPF_MOUNT}
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
then insert the filter in iptables by path:
|
|
Packit Service |
d1fe03 |
.IP
|
|
Packit Service |
d1fe03 |
iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j ACCEPT
|
|
Packit Service |
d1fe03 |
.TP
|
|
Packit Service |
d1fe03 |
\fB\-\-bytecode\fP \fIcode\fP
|
|
Packit Service |
d1fe03 |
Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
The code format is similar to the output of the tcpdump -ddd command: one line
|
|
Packit Service |
d1fe03 |
that stores the number of instructions, followed by one line for each
|
|
Packit Service |
d1fe03 |
instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
|
|
Packit Service |
d1fe03 |
notation. Fields encode the operation, jump offset if true, jump offset if
|
|
Packit Service |
d1fe03 |
false and generic multiuse field 'K'. Comments are not supported.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
For example, to read only packets matching 'ip proto 6', insert the following,
|
|
Packit Service |
d1fe03 |
without the comments or trailing whitespace:
|
|
Packit Service |
d1fe03 |
.IP
|
|
Packit Service |
d1fe03 |
4 # number of instructions
|
|
Packit Service |
d1fe03 |
.br
|
|
Packit Service |
d1fe03 |
48 0 0 9 # load byte ip->proto
|
|
Packit Service |
d1fe03 |
.br
|
|
Packit Service |
d1fe03 |
21 0 1 6 # jump equal IPPROTO_TCP
|
|
Packit Service |
d1fe03 |
.br
|
|
Packit Service |
d1fe03 |
6 0 0 1 # return pass (non-zero)
|
|
Packit Service |
d1fe03 |
.br
|
|
Packit Service |
d1fe03 |
6 0 0 0 # return fail (zero)
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
You can pass this filter to the bpf match with the following command:
|
|
Packit Service |
d1fe03 |
.IP
|
|
Packit Service |
d1fe03 |
iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
Or instead, you can invoke the nfbpf_compile utility.
|
|
Packit Service |
d1fe03 |
.IP
|
|
Packit Service |
d1fe03 |
iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
Or use tcpdump -ddd. In that case, generate BPF targeting a device with the
|
|
Packit Service |
d1fe03 |
same data link type as the xtables match. Iptables passes packets from the
|
|
Packit Service |
d1fe03 |
network layer up, without mac layer. Select a device with data link type RAW,
|
|
Packit Service |
d1fe03 |
such as a tun device:
|
|
Packit Service |
d1fe03 |
.IP
|
|
Packit Service |
d1fe03 |
ip tuntap add tun0 mode tun
|
|
Packit Service |
d1fe03 |
.br
|
|
Packit Service |
d1fe03 |
ip link set tun0 up
|
|
Packit Service |
d1fe03 |
.br
|
|
Packit Service |
d1fe03 |
tcpdump -ddd -i tun0 ip proto 6
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
See tcpdump -L -i $dev for a list of known data link types for a given device.
|
|
Packit Service |
d1fe03 |
.PP
|
|
Packit Service |
d1fe03 |
You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
|