|
 |
1dc35b |
From b3d9e7d73221e1f7efe9bd7052e85163e5de65aa Mon Sep 17 00:00:00 2001
|
|
|
1dc35b |
From: Phil Sutter <phil@nwl.cc>
|
|
|
1dc35b |
Date: Wed, 16 Jan 2019 22:47:59 +0100
|
|
|
1dc35b |
Subject: [PATCH] utils: Add a manpage for nfbpf_compile
|
|
|
1dc35b |
|
|
|
1dc35b |
Content is rather sparse, but still better than no manpage at all.
|
|
|
1dc35b |
|
|
|
1dc35b |
Cc: Willem de Bruijn <willemb@google.com>
|
|
|
1dc35b |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
1dc35b |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
1dc35b |
(cherry picked from commit 032dc4a18ab86173847b6016baf0819ccd7641c5)
|
|
|
1dc35b |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
1dc35b |
---
|
|
|
1dc35b |
configure.ac | 3 +-
|
|
|
1dc35b |
utils/.gitignore | 1 +
|
|
|
1dc35b |
utils/Makefile.am | 3 +-
|
|
|
1dc35b |
utils/nfbpf_compile.8.in | 70 ++++++++++++++++++++++++++++++++++++++++
|
|
|
1dc35b |
4 files changed, 75 insertions(+), 2 deletions(-)
|
|
|
1dc35b |
create mode 100644 utils/nfbpf_compile.8.in
|
|
|
1dc35b |
|
|
|
1dc35b |
diff --git a/configure.ac b/configure.ac
|
|
|
1dc35b |
index 448ec918fd89b..e6c9832fa43ba 100644
|
|
|
1dc35b |
--- a/configure.ac
|
|
|
1dc35b |
+++ b/configure.ac
|
|
|
1dc35b |
@@ -252,7 +252,8 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile
|
|
|
1dc35b |
libxtables/Makefile utils/Makefile
|
|
|
1dc35b |
include/xtables-version.h include/iptables/internal.h
|
|
|
1dc35b |
iptables/xtables-monitor.8
|
|
|
1dc35b |
- utils/nfnl_osf.8])
|
|
|
1dc35b |
+ utils/nfnl_osf.8
|
|
|
1dc35b |
+ utils/nfbpf_compile.8])
|
|
|
1dc35b |
AC_OUTPUT
|
|
|
1dc35b |
|
|
|
1dc35b |
|
|
|
1dc35b |
diff --git a/utils/.gitignore b/utils/.gitignore
|
|
|
1dc35b |
index 7c6afbf4e6a52..6300812b1701b 100644
|
|
|
1dc35b |
--- a/utils/.gitignore
|
|
|
1dc35b |
+++ b/utils/.gitignore
|
|
|
1dc35b |
@@ -1,3 +1,4 @@
|
|
|
1dc35b |
/nfnl_osf
|
|
|
1dc35b |
/nfnl_osf.8
|
|
|
1dc35b |
/nfbpf_compile
|
|
|
1dc35b |
+/nfbpf_compile.8
|
|
|
1dc35b |
diff --git a/utils/Makefile.am b/utils/Makefile.am
|
|
|
1dc35b |
index 80029e303ff3b..d09a69749b85f 100644
|
|
|
1dc35b |
--- a/utils/Makefile.am
|
|
|
1dc35b |
+++ b/utils/Makefile.am
|
|
|
1dc35b |
@@ -17,6 +17,7 @@ nfnl_osf_LDADD = ${libnfnetlink_LIBS}
|
|
|
1dc35b |
endif
|
|
|
1dc35b |
|
|
|
1dc35b |
if ENABLE_BPFC
|
|
|
1dc35b |
+man_MANS += nfbpf_compile.8
|
|
|
1dc35b |
sbin_PROGRAMS += nfbpf_compile
|
|
|
1dc35b |
nfbpf_compile_LDADD = -lpcap
|
|
|
1dc35b |
endif
|
|
|
1dc35b |
@@ -26,4 +27,4 @@ sbin_PROGRAMS += nfsynproxy
|
|
|
1dc35b |
nfsynproxy_LDADD = -lpcap
|
|
|
1dc35b |
endif
|
|
|
1dc35b |
|
|
|
1dc35b |
-CLEANFILES = nfnl_osf.8
|
|
|
1dc35b |
+CLEANFILES = nfnl_osf.8 nfbpf_compile.8
|
|
|
1dc35b |
diff --git a/utils/nfbpf_compile.8.in b/utils/nfbpf_compile.8.in
|
|
|
1dc35b |
new file mode 100644
|
|
|
1dc35b |
index 0000000000000..d02979a5143ef
|
|
|
1dc35b |
--- /dev/null
|
|
|
1dc35b |
+++ b/utils/nfbpf_compile.8.in
|
|
|
1dc35b |
@@ -0,0 +1,70 @@
|
|
|
1dc35b |
+.TH NFBPF_COMPILE 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
|
|
|
1dc35b |
+
|
|
|
1dc35b |
+.SH NAME
|
|
|
1dc35b |
+nfbpf_compile \- generate bytecode for use with xt_bpf
|
|
|
1dc35b |
+.SH SYNOPSIS
|
|
|
1dc35b |
+
|
|
|
1dc35b |
+.ad l
|
|
|
1dc35b |
+.in +8
|
|
|
1dc35b |
+.ti -8
|
|
|
1dc35b |
+.B nfbpf_compile
|
|
|
1dc35b |
+[
|
|
|
1dc35b |
+.I LLTYPE
|
|
|
1dc35b |
+]
|
|
|
1dc35b |
+.I PROGRAM
|
|
|
1dc35b |
+
|
|
|
1dc35b |
+.ti -8
|
|
|
1dc35b |
+.I LLTYPE
|
|
|
1dc35b |
+:= {
|
|
|
1dc35b |
+.BR EN10MB " | " RAW " | " SLIP " | "
|
|
|
1dc35b |
+.I ...
|
|
|
1dc35b |
+}
|
|
|
1dc35b |
+
|
|
|
1dc35b |
+.SH DESCRIPTION
|
|
|
1dc35b |
+The
|
|
|
1dc35b |
+.B nfbpf_compile
|
|
|
1dc35b |
+utility aids in generating BPF byte code suitable for passing to
|
|
|
1dc35b |
+the iptables
|
|
|
1dc35b |
+.B bpf
|
|
|
1dc35b |
+match.
|
|
|
1dc35b |
+
|
|
|
1dc35b |
+.SH OPTIONS
|
|
|
1dc35b |
+
|
|
|
1dc35b |
+.TP
|
|
|
1dc35b |
+.I LLTYPE
|
|
|
1dc35b |
+Link-layer header type to operate on. This is a name as defined in
|
|
|
1dc35b |
+.RB < pcap/dlt.h >
|
|
|
1dc35b |
+but with the leading
|
|
|
1dc35b |
+.B DLT_
|
|
|
1dc35b |
+prefix stripped. For use with iptables,
|
|
|
1dc35b |
+.B RAW
|
|
|
1dc35b |
+should be the right choice (it's also the default if not specified).
|
|
|
1dc35b |
+
|
|
|
1dc35b |
+.TP
|
|
|
1dc35b |
+.I PROGRAM
|
|
|
1dc35b |
+The BPF expression to compile, see
|
|
|
1dc35b |
+.BR pcap-filter (7)
|
|
|
1dc35b |
+for a description of the language.
|
|
|
1dc35b |
+
|
|
|
1dc35b |
+.SH EXIT STATUS
|
|
|
1dc35b |
+The program returns 0 on success, 1 otherwise.
|
|
|
1dc35b |
+
|
|
|
1dc35b |
+.SH EXAMPLE
|
|
|
1dc35b |
+Match incoming TCP packets with size bigger than 100 bytes:
|
|
|
1dc35b |
+.P
|
|
|
1dc35b |
+.in +8
|
|
|
1dc35b |
+.EE
|
|
|
1dc35b |
+bpf=$(nfbpf_compile 'tcp and greater 100')
|
|
|
1dc35b |
+.br
|
|
|
1dc35b |
+iptables -A INPUT -m bpf --bytecode "$bpf" -j ACCEPT
|
|
|
1dc35b |
+.RE
|
|
|
1dc35b |
+.P
|
|
|
1dc35b |
+The description of
|
|
|
1dc35b |
+.B bpf
|
|
|
1dc35b |
+match in
|
|
|
1dc35b |
+.BR iptables-extensions (8)
|
|
|
1dc35b |
+lists a few more examples.
|
|
|
1dc35b |
+
|
|
|
1dc35b |
+.SH SEE ALSO
|
|
|
1dc35b |
+.BR iptables-extensions (8),
|
|
|
1dc35b |
+.BR pcap-filter (7)
|
|
|
1dc35b |
--
|
|
|
1dc35b |
2.21.0
|
|
|
1dc35b |
|