netfilter: x_tables: add xt_bpf match
Support arbitrary linux socket filter (BPF) programs as x_tables match rules. This allows for very expressive filters, and on platforms with BPF JIT appears competitive with traditional hardcoded iptables rules using the u32 match. The size of the filter has been artificially limited to 64 instructions maximum to avoid bloating the size of each rule using this new match. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
5a406b0cdf
commit
e6f30c7317
4 changed files with 100 additions and 0 deletions
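--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_bpf.h
@@ -0,0 +1,17 @@
+#ifndef _XT_BPF_H
+#define _XT_BPF_H
+
+#include <linux/filter.h>
+#include <linux/types.h>
+
+#define XT_BPF_MAX_NUM_INSTR 64
+
+struct xt_bpf_info {
+	__u16 bpf_program_num_elem;
+	struct sock_filter bpf_program[XT_BPF_MAX_NUM_INSTR];
+
+	/* only used in the kernel */
+	struct sk_filter *filter __attribute__((aligned(8)));
+};
+
+#endif /*_XT_BPF_H */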
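Review bot: `bpf_program_num_elem` is a `__u16` supplied by userspace, so it can claim up to 65535 instructions while `bpf_program` holds only `XT_BPF_MAX_NUM_INSTR` (64) entries; nothing in this header records that the count must be validated against the array size before the program is handed to the filter loader, and the generic BPF length check (`BPF_MAXINSNS`) is far larger than 64, so a checkentry that forwards the count unchecked would read past the end of the rule's matchinfo. The consumer lives in the .c file, which is not in this chunk, so I cannot confirm whether it performs that check, but the contract belongs next to the field: `__u16 bpf_program_num_elem; /* must be 1..XT_BPF_MAX_NUM_INSTR; kernel rejects larger values */`. The `filter` pointer is also part of a uapi struct that userspace fills in, so the kernel-only comment should make clear it is ignored on input and overwritten by the kernel, e.g. `/* kernel-internal; any value passed from userspace is overwritten, never dereferenced */`. The `aligned(8)` keeps the struct layout identical for 32-bit userspace on a 64-bit kernel, which is worth stating in that same comment so the attribute is not dropped later.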