Match using a Linux Socket Filter (BPF) program. Expects a path to a pinned eBPF
object or a cBPF program in decimal format.
.TP
\fB\-\-object\-pinned\fP \fIpath\fP
Pass a path to a pinned eBPF object.
.PP
Applications load eBPF programs into the kernel with the bpf() system call and
the BPF_PROG_LOAD command, and can pin them in a virtual filesystem with
BPF_OBJ_PIN. To use a pinned object in iptables, mount the bpf filesystem using
.IP
mount \-t bpf bpf ${BPF_MOUNT}
.PP
then insert the filter in iptables by path:
.IP
iptables \-A OUTPUT \-m bpf \-\-object\-pinned ${BPF_MOUNT}/{PINNED_PATH} \-j ACCEPT
.TP
\fB\-\-bytecode\fP \fIcode\fP
Pass the BPF byte code format as generated by the \fBnfbpf_compile\fP utility.
.PP
The code format is similar to the output of the tcpdump \-ddd command: one line
that stores the number of instructions, followed by one line for each
instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
notation. The fields encode the operation code, the jump offset if true, the
jump offset if false and the generic multiuse field 'K'. Jump offsets are
relative to the next instruction and may only point forward. Comments are not
supported. On the iptables command line the lines are separated by commas
instead of newlines.
.PP
For example, to match only packets matching 'ip proto 6', insert the following,
without the comments or trailing whitespace:
.IP
4 # number of instructions
.br
48 0 0 9 # load byte ip->proto
.br
21 0 1 6 # jump equal IPPROTO_TCP
.br
6 0 0 1 # return pass (non-zero)
.br
6 0 0 0 # return fail (zero)
.PP
Offset 9 here is the protocol field of the IPv4 header: the match hands the
filter the packet starting at the network layer, so all offsets are relative to
the IP header, not to a link-layer header.
.PP
You can pass this filter to the bpf match with the following command:
.IP
iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT
.PP
Or instead, you can invoke the nfbpf_compile utility:
.IP
iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
.PP
Or use tcpdump \-ddd. In that case, generate BPF targeting a device with the
same data link type as the xtables match. Iptables passes packets from the
network layer up, without the MAC layer, so a filter generated for an Ethernet
device would read its offsets from the wrong place. Select a device with data
link type RAW, such as a tun device:
.IP
ip tuntap add tun0 mode tun
.br
ip link set tun0 up
.br
tcpdump \-ddd \-i tun0 ip proto 6
.PP
See tcpdump \-L \-i $dev for a list of known data link types for a given device.
.PP
You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
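The following is an added example, not part of the iptables man page or of the iptables/nfbpf_compile code. It parses the decimal 'u16 u8 u8 u32' format described above (both the comma-separated form used on the iptables command line and the newline-separated form printed by tcpdump \-ddd), applies the structural checks the classic BPF checker also enforces (field widths, forward jumps inside the program, final RET), and interprets the small subset of cBPF that packet-matching filters use (absolute loads, immediate loads, jumps, a few ALU ops, RET). It runs the man page's 'ip proto 6' program against constructed IPv4 headers with no link-layer header, which is what the bpf match sees. The opcode constants are the classic BPF encoding from <linux/filter.h>; the packets and the helper names are constructed for the example.

```python
"""Parse, sanity-check and interpret cBPF programs in the `-m bpf --bytecode` format."""
import struct
from dataclasses import dataclass
from typing import List

# Classic BPF encoding (<linux/filter.h>): the low 3 bits of 'code' select the
# instruction class, the remaining bits select size / mode / operation / source.
BPF_LD, BPF_LDX, BPF_ST, BPF_STX, BPF_ALU, BPF_JMP, BPF_RET, BPF_MISC = range(8)
BPF_W, BPF_H, BPF_B = 0x00, 0x08, 0x10                  # LD size
BPF_IMM, BPF_ABS, BPF_LEN = 0x00, 0x20, 0x80             # LD mode (subset)
BPF_JA, BPF_JEQ, BPF_JGT, BPF_JGE, BPF_JSET = 0x00, 0x10, 0x20, 0x30, 0x40
BPF_ADD, BPF_SUB, BPF_OR, BPF_AND = 0x00, 0x10, 0x40, 0x50
BPF_K, BPF_X, BPF_A = 0x00, 0x08, 0x10                   # operand source / RET value

# The man page's example: match IPv4 packets whose protocol byte is 6 (TCP).
IP_PROTO_6 = "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0"


@dataclass
class Insn:
    code: int  # u16: operation
    jt: int    # u8: jump offset if true
    jf: int    # u8: jump offset if false
    k: int     # u32: generic multiuse field


def parse_bytecode(text: str) -> List[Insn]:
    """Parse 'N,code jt jf k,...' (iptables form) or newline-separated (tcpdump -ddd form).
    Raises ValueError for malformed input or programs the kernel would reject."""
    lines = [l.strip() for l in text.replace("\n", ",").split(",") if l.strip()]
    count, body = int(lines[0]), lines[1:]
    if count == 0 or count != len(body):
        raise ValueError(f"header announces {count} instructions, found {len(body)}")
    prog = []
    for line in body:
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"expected 'u16 u8 u8 u32', got {line!r}")
        code, jt, jf, k = (int(p) for p in parts)
        if not (0 <= code <= 0xFFFF and 0 <= jt <= 0xFF and 0 <= jf <= 0xFF and 0 <= k <= 0xFFFFFFFF):
            raise ValueError(f"field out of range in {line!r}")
        prog.append(Insn(code, jt, jf, k))
    # Jumps are unsigned offsets from the next instruction, so they can only go
    # forward; they must still land inside the program, and the program must end in RET.
    for i, ins in enumerate(prog):
        if ins.code & 0x07 == BPF_JMP:
            targets = [i + 1 + ins.k] if ins.code & 0xF0 == BPF_JA else [i + 1 + ins.jt, i + 1 + ins.jf]
            if any(t >= len(prog) for t in targets):
                raise ValueError(f"instruction {i} jumps past the end of the program")
    if prog[-1].code & 0x07 != BPF_RET:
        raise ValueError("program does not end in a RET instruction")
    return prog


def is_valid_bytecode(text: str) -> bool:
    """Convenience wrapper: True if parse_bytecode accepts the program."""
    try:
        parse_bytecode(text)
        return True
    except ValueError:
        return False


def run_filter(prog: List[Insn], pkt: bytes) -> int:
    """Interpret the cBPF subset used by packet filters on 'pkt' (network layer first).
    A load that runs off the end of the packet terminates the program with 0,
    as the kernel's classic interpreter does."""
    A = X = 0
    pc = 0
    while True:
        ins = prog[pc]
        cls, code, k = ins.code & 0x07, ins.code, ins.k
        pc += 1
        if cls == BPF_LD:
            mode, size = code & 0xE0, code & 0x18
            if mode == BPF_IMM:
                A = k
            elif mode == BPF_LEN:
                A = len(pkt)
            elif mode == BPF_ABS:
                width = {BPF_B: 1, BPF_H: 2, BPF_W: 4}[size]
                if k + width > len(pkt):
                    return 0
                A = int.from_bytes(pkt[k:k + width], "big")
            else:
                raise NotImplementedError(f"LD mode {mode:#x} not in this subset")
        elif cls == BPF_LDX and code & 0xE0 == BPF_IMM:
            X = k
        elif cls == BPF_ALU:
            src = X if code & 0x08 == BPF_X else k
            A = {BPF_ADD: A + src, BPF_SUB: A - src, BPF_OR: A | src, BPF_AND: A & src}[code & 0xF0] & 0xFFFFFFFF
        elif cls == BPF_JMP:
            if code & 0xF0 == BPF_JA:
                pc += k
                continue
            src = X if code & 0x08 == BPF_X else k
            cond = {BPF_JEQ: A == src, BPF_JGT: A > src, BPF_JGE: A >= src, BPF_JSET: (A & src) != 0}[code & 0xF0]
            pc += ins.jt if cond else ins.jf
        elif cls == BPF_RET:
            return {BPF_K: k, BPF_A: A, BPF_X: X}[code & 0x18]
        else:
            raise NotImplementedError(f"instruction class {cls} not in this subset")


def ipv4_header(proto: int) -> bytes:
    """Constructed 20-byte IPv4 header with no link-layer header in front of it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


if __name__ == "__main__":
    prog = parse_bytecode(IP_PROTO_6)
    for proto, name in ((6, "tcp"), (17, "udp")):
        print(f"{name}: filter returned {run_filter(prog, ipv4_header(proto))}")
```

Running the module prints a non-zero verdict for the TCP header and zero for the UDP one. Prefixing the constructed header with a 14-byte Ethernet header would make the same program read the wrong byte, which is the point of the data-link-type warning above: the filter must be compiled for the layer at which the match sees the packet.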