libbpfilter¶

Functions

int bf_ruleset_get(bf_list *chains, bf_list *hookopts, bf_list *counters)¶

Get the ruleset from the daemon.

Request payload format The request doesn’t contain data.

Response payload format

{
  "ruleset": {
    "chains": [
      {  }, // bf_chain object
      // ...
    ],
    "hookopts": [
      {  }, // bf_hookopts object or nil
      // ...
    ],
    "counters": [
      [
        { }, // bf_counter object
        // ...
      ],
      // ...
    ],
  },
}

In the response, “hookopts” and “counters” contains as many entries as “chains”. If a chain is not attached, the corresponding “hookopts” entry is nil. “counters” contains arrays of bf_counter object, is nested array contains as many entries as rules defined in the corresponding chain. Use the chain’s rule .counters field to check is the corresponding bf_counter object contains valid data.

Parameters:

chains – List of bf_chain to be filled.
hookopts – List of hook options objects.
counters – List of bf_counter to be filled.

Returns:

0 on success, or a negative error value on failure.

int bf_ruleset_set(bf_list *chains, bf_list *hookopts)¶

Load a ruleset.

The daemon will flush the whole ruleset for BF_FRONT_CLI and install the chains defined in the provided lists instead.

hookopts should contain as many elements as chains, so they can be mapped 1 to 1. If a chain shouldn’t be attached, they the corresponding entry in hookopts should be NULL.

Request payload format

{
  "ruleset": [
    {
      "chain": { }, // bf_chain object
      "hookopts": { }, // bf_hookopts object, or nil
    },
    // ...
  ],
}

Response payload format The response doesn’t contain data.

Parameters:

chains – List of chains to define. Can’t be NULL.
hookopts – List of hook options to attach the chains in chain. Can’t be NULL.

Returns:

0 on success, or a negative error value on failure.

int bf_ruleset_flush(void)¶

Remove the current ruleset.

Request payload format The request doesn’t contain data.

Response payload format The response doesn’t contain data.

Returns:: 0 on success, or a negative error value on failure.

int bf_chain_set(struct bf_chain *chain, struct bf_hookopts *hookopts)¶

Set a chain.

If a chain with the same name already exist, it is detached and unloaded. The new chain is loaded, and attached if hook options are defined.

Request payload format

{
  "chain": { }, // bf_chain object
  "hookopts": { } // bf_hookopts object or nil
}

Response payload format The response doesn’t contain data.

Parameters:

chain – Chain to set. Can’t be NULL.
hookopts – Hook options to attach the chain. If NULL, the chain is not attached.

Returns:

0 on success, or a negative errno value on failure.

int bf_chain_get(const char *name, struct bf_chain **chain, struct bf_hookopts **hookopts, bf_list *counters)¶

Get a chain.

Request payload format

{
  "name": "",
}

Response payload format

{
  "chain": { }, // bf_chain object
  "hookopts": { }, // bf_hookopts object or nil
  "counters": [
    { }, // bf_counter object
    // ...
  ],
}

“counters” is an array of bf_counter objects, it contains as many entries as rules defined in the chain. Use the chain’s rule .counters field to check is the corresponding bf_counter object contains valid data.

Parameters:

name – Name of the chain to look for. Can’t be NULL.
chain – On success, contains a pointer to the chain. The caller is responsible for freeing it. Can’t be NULL.
hookopts – On success, contains a pointer to the chain’s hook options if the chain is attached, NULL otherwise. The caller is responsible for freeing it. Can’t be NULL.
counters – On success, the list contain the counters for every rule of the chain, and the policy and error counters. The caller is responsible for freeing it. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure, including:

-ENOENT: no chain found for this name.

int bf_chain_prog_fd(const char *name)¶

Get the file descriptor of a chain’s program.

Request payload format

{
  "name": "",
}

Response payload format The response doesn’t contain data.

Warning

Do not use this function. bf_chain_prog_fd is designed to simplify end-to-end tests of the generated programs, to validate bytecode generation. It should be considered unstable, and manipulating the BPF program directly could cause issues with bpfilter itself. Eventually, this API will be disabled for non-tests use cases.

Parameters:

name – Name of the chain to get the program from.

Pre:

name is a non-NULL pointer to a C-string.

Returns:

File descriptor of the chain’s program, or a negative error value on failure. The caller owns the file descriptor.

int bf_chain_logs_fd(const char *name)¶

Get the file descriptor of a chain’s logs buffer.

Request payload format

{
  "name": "",
}

Response payload format The response doesn’t contain data.

Parameters:

name – Name of the chain to get the log buffer from.

Pre:

name is a non-NULL pointer to a C-string.

Returns:

File descriptor of the chain’s logs buffer, or a negative error value on failure. The caller owns the file descriptor.

int bf_chain_load(struct bf_chain *chain)¶

Load a chain.

If a chain with the same name already exist, -EEXIST is returned.

Request payload format

{
  "chain": { }, // bf_chain object
}

Response payload format The response doesn’t contain data.

Parameters:

chain – Chain to load. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure.

int bf_chain_attach(const char *name, const struct bf_hookopts *hookopts)¶

Attach a chain.

If the chain doesn’t exist, -ENOENT is returned.

Request payload format

{
  "name": "",
  "hookopts": { }, // bf_hookopts object
}

Response payload format The response doesn’t contain data.

Parameters:

name – Name of the chain to attach. Can’t be NULL.
hookopts – Hook options to attach the chain. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure, including:

-ENOENT: no chain found for this name.
-EBUSY: chain is already attached.

int bf_chain_update(const struct bf_chain *chain)¶

Update an attached chain.

The chain to update must exist and be attached to a hook.

Request payload format

{
  "chain": { }, // bf_chain object
}

Response payload format The response doesn’t contain data.

Parameters:

chain – Chain to update. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure, including:

-ENOENT: no chain found for this name.
-ENOLINK: the chain to update is not attached.

int bf_chain_flush(const char *name)¶

Remove a chain.

Request payload format

{
  "name": "",
}

Response payload format The response doesn’t contain data.

Parameters:

name – Name of the chain to flush. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure, including:

-ENOENT: no chain found for this name.

int bf_ipt_replace(struct ipt_replace *ipt_replace)¶

Send iptable’s ipt_replace data to bpfilter daemon.

Parameters:

ipt_replace – ipt_replace data to send to the daemon. Can’t be NULL. Data returned by the daemon will be stored in the same structure.

Returns:

0 on success, negative errno value on error.

int bf_ipt_add_counters(struct xt_counters_info *counters)¶

Send iptable’s xt_counters_info data to bpfilter daemon.

Parameters:

counters – xt_counters_info data to send to the daemon. Can’t be NULL. Data returned by the daemon will be stored in the same structure.

Returns:

0 on success, negative errno value on error.

int bf_ipt_get_info(struct ipt_getinfo *info)¶

Send iptable’s ipt_getinfo data to bpfilter daemon.

Parameters:

info – ipt_getinfo data to send to the daemon. Can’t be NULL. Data returned by the daemon will be stored in the same structure.

Returns:

0 on success, negative errno value on error.

int bf_ipt_get_entries(struct ipt_get_entries *entries)¶

Send iptable’s ipt_get_entries data to bpfilter daemon.

Parameters:

entries – ipt_get_entries data to send to the daemon. Can’t be NULL. Data returned by the daemon will be stored in the same structure.

Returns:

0 on success, negative errno value on error.

int bf_nft_send(const void *data, size_t len)¶

Send nftable’s Netlink request to the bpfilter daemon but do not expect a response.

Parameters:

data – Netlink data to send to the daemon. Can’t be NULL.
len – Length of the request. Can’t be 0.

Returns:

0 on success, or negative errno value on error. Returns an error if data is NULL or len is 0.

int bf_nft_sendrecv(const struct nlmsghdr *req, size_t req_len, struct nlmsghdr *res, size_t *res_len)¶

Send nftable’s Netlink request to the bpfilter daemon and write the response back.

res and res_len won’t be modified unless the call is successful.

Parameters:

req – Netlink request to send to the daemon. The caller retain ownership of the request. Can’t be NULL.
req_len – Length of the request. Can’t be 0.
res – Buffer to store the response. Can’t be NULL. Must be allocated by the caller.
res_len – Size of the response buffer. If the call is successful, res_len will be updated to the length of the response. If the data received from the daemon is larger than the buffer, the function will return -EMSGSIZE and res_len will be updated to the size of the response.

Returns:

0 on success, or negative errno value on error.

Namespaces¶

bpfilter supports the following namespaces:

Network: for interfaces index to attach XDP and TC programs to, and interface indexes to filter on.
Mount: for CGroup path to attach cgroup_skb programs to.

For each supported namespace, the bf_ns structure stores the namespace’s ID (the namespace file inode number), and a file descriptor to the namespace.

When a request is received, bpfilter will create a new bf_ns object to refer to the client’s namespaces. Before calling bf_flavor_ops.attach_prog, bpfilter will jump to the request’s namespace, attach the program, then jump back to the original namespace.

struct bf_ns_info¶: #include <libbpfilter/include/bpfilter/ns.h>

struct bf_ns¶: #include <libbpfilter/include/bpfilter/ns.h>

Contains information about namespaces relevant to bpfilter.

Defines

_clean_bf_ns_¶: Call bf_ns_clean on an auto stored bf_ns when it goes out of scope to avoid resources leakage.

bf_ns_default()¶

Initialize a new bf_ns to default values.

Ensure an auto stored bf_ns are initialized to sane defaults, so bf_ns_clean() can be called safely.

Returns:: An initialized bf_ns object.

bf_ns_move(ns)¶

Move a bf_ns object.

Move the bf_ns object from ns and return it. Once moved, ns will be reset to default values (see bf_ns_default()) on which bf_ns_clean() can safely be called. The caller is responsible for cleaning up the bf_ns object returned.

Parameters:

ns – Variable to move the bf_ns object out of.

Returns:

A bf_ns object.

Functions

int bf_ns_init(struct bf_ns *ns, pid_t pid)¶

Initialize an allocated bf_ns object.

The procfs entry of pid will be used to open a reference to its network and mount namespaces and store it in ns.

Parameters:

ns – Object to initialize. On failure, this parameter is unchanged. Can’t be NULL.
pid – PID of the process to open the namespaces of.

Returns:

0 on success, or a negative errno value on failure.

void bf_ns_clean(struct bf_ns *ns)¶

Clean a bf_ns object.

Parameters:

ns – Object to clean. Can’t be NULL.

int bf_ns_set(const struct bf_ns *ns, const struct bf_ns *oldns)¶

Move the current process to different namespaces.

This function will change the current namespace to the one defined in ns. It is critical for this function to succeed; otherwise the process will be in an unstable state: partially in a new namespace, partially in its original namespace.

Parameters:

ns – Namespaces to move to. Can’t be NULL.
oldns – Namespaces to move out of. This information is needed as setns() will fail if we try to move to a namespace we are already in. It is not possible for setns() to look up the current namespace itself, as we must assume a new /proc has been mounted too, hiding the information about the current process. Hence, the only reliable solution is to collect this information before calling setns().

Returns:

0 on success, or a negative errno value on failure.

Pack¶

Serialization is used to send/receive bpfilter objects to and from the daemon. While bpfilter originally used a custom logic to convert its objects into binary data, it was inefficient and didn’t support different versions of the same object (when fields are added or removed). Instead, the new packing logic provides an API to (de)serialize bpfilter objects using MessagePack.

The packing mechanism doesn’t implement the MessagePack protocol directly, but relies on the MPack implementation instead. MPack provides the following advantages:

Fast (de)serialization: 4x faster than the previous custom serialization logic, and 10x faster than Jansson.
Named fields: each serialized field of an object is named, allowing the objects to evolve and introduce or remove new fields while maintaining backward compatibility.
Can be used in place: existing objects format can be used as-is, without extra field dedicated to the serializer or schema file (hello Protobuf and Thrift).

Two different packing objects are provided:

bf_wpack_t: the writer object, to serialize data. To keep the the serialization as simple as possible, no error will be returned when a field is serialized. Instead, users must use bf_wpack_is_valid to validate the serialized data before it is exported. This behaviour is different for the rest of the core module, but is justified for usability reasons.
bf_rpack_t: node-based API to read serialized data. Each serialized field can be represented as a node. The object deserialization functions should expect to receive a node which represents them.

¶

Serializing¶

bf_wpack_t always have a root node containing key-value pairs. Keys should be strings, and values can be any primal type, array, or another object. bf_wpack_kv_TYPE functions should be used to write both the key and the value in an object, bf_wpack_TYPE functions should be used to write single objects (without a key) into arrays. To nest objects and arrays, use bf_wpack_open_object and bf_wpack_open_array, they both allow the caller to provide a key: if the object (or array) is inserted into an object you should provide a key, if the object (or array) is inserted into an array you should not provide a key. In any case, call bf_wpack_close_object or bf_wpack_close_array to complete the nested object/array. Before using the serialized data, ensure it is valid with bf_wpack_is_valid, as not error will be returned during the pack creation.

¶

Deserializing¶

bf_rpack_t is the deserialization object, although we do not read directly from it. Instead, one should get the root object with bf_rpack_root, then query keys from it. All the functions used to deserialize data from the pack are available in two formats:

bf_rpack_TYPE: read a typed value from a node.
bf_rpack_kv_TYPE: read the value identified by a key in an object node. To prevent any tempering or corruption, every function able to read data from a node will return a value: 0 on success, or a negative integer on failure.

Todo:

bf_wpack_kv_TYPE functions should only write into objects.

bf_wpack_TYPE functions should only write into arrays.

Note

To ensure compatibility of the binary data over time, the following constraints must be followed:

Every enumeration value is serialized as integer: it should support every possible enumeration value used by bpfilter, including negative values.
size_t values are serialied as uint64_t: for similar reasons to he enumerations.

Defines

_free_bf_wpack_¶: Cleanup attribute for dynamically allocated bf_wpack_t objects.

bf_wpack_enum(pack, value)¶

_free_bf_rpack_¶: Cleanup attribute for dynamically allocated bf_rpack_t objects.

bf_rpack_array_foreach(node, value_node)¶

Loop over all the nodes in an array node.

The counter i is accessible within the scope.

Warning

This loop must ensure we don’t query the node for invalid data: we should not request a node from the array if it’s empty, of if the index is out of the array. Otherwise, it would put the bf_rpack_t object in failure mode.

Parameters:

node – Array node. If the node is not an array, the loop will be ignored.
value_node – A node in the array, updated on each iteration.

bf_rpack_kv_enum(node, key, value)¶

Read an named enumerator value from a node.

This macro will ensure the enumerator value is properly casted from the corresponding integer stored in the pack.

Parameters:

node – Node to read from.
key – Key of the node to read. Can’t be NULL.
value – Pointer to the enumerator value to read into.

Returns:

0 on success, or a negative error value on failure.

bf_rpack_enum(node, value)¶

Read an enumerator value from a node.

Similar to bf_rpack_kv_enum but reads a node directly.

Parameters:

node – Node to read from.
value – Pointer to the enumerator value to read into.

Returns:

0 on success, or a negative error value on failure.

bf_rpack_key_err(v, key)¶

Log a missing key error and return a negative error value.

Parameters:

v – The error value to return.
key – The missing key, as a string.

Typedefs

typedef struct bf_wpack bf_wpack_t¶

typedef struct bf_rpack bf_rpack_t¶

Functions

int bf_wpack_new(bf_wpack_t **pack)¶

Allocate and initialize a new bf_wpack_t object.

Parameters:

pack – bf_wpack_t object to allocate an initialize. Can’t be NULL.

Returns:

0 on sucess, or a negative error value on failure.

void bf_wpack_free(bf_wpack_t **pack)¶

Deinitialize and deallocate a bf_wpack_t object.

Parameters:

pack – bf_wpack_t object to deallocate and deinitialize. Can’t be NULL. If *pack is NULL, this function has no effect.

bool bf_wpack_is_valid(bf_wpack_t *pack)¶

Check if the serialized data is valid.

Parameters:

pack – bf_wpack_t object to check. Can’t be NULL.

Returns:

True if the serialized data is valid, false otherwise.

int bf_wpack_get_data(bf_wpack_t *pack, const void **data, size_t *data_len)¶

Get the serialized data.

Ensure the buffer is flushed and all the remaining data has been serialized. On success, *data points to a buffer containing data_len bytes. The caller do not own the data.

Returns:: 0 on success, or a negative error value on failure.

void bf_wpack_nil(bf_wpack_t *pack)¶

void bf_wpack_int(bf_wpack_t *pack, int value)¶

void bf_wpack_uint(bf_wpack_t *pack, unsigned int value)¶

void bf_wpack_u8(bf_wpack_t *pack, uint8_t value)¶

void bf_wpack_u16(bf_wpack_t *pack, uint16_t value)¶

void bf_wpack_u32(bf_wpack_t *pack, uint32_t value)¶

void bf_wpack_u64(bf_wpack_t *pack, uint64_t value)¶

void bf_wpack_bool(bf_wpack_t *pack, bool value)¶

void bf_wpack_str(bf_wpack_t *pack, const char *value)¶

void bf_wpack_bin(bf_wpack_t *pack, const void *value, size_t len)¶

void bf_wpack_list(bf_wpack_t *pack, const bf_list *value)¶

static inline void bf_wpack_kv_nil(bf_wpack_t *pack, const char *key)¶

static inline void bf_wpack_kv_int(bf_wpack_t *pack, const char *key, int value)¶

static inline void bf_wpack_kv_uint(bf_wpack_t *pack, const char *key, unsigned int value)¶

static inline void bf_wpack_kv_u8(bf_wpack_t *pack, const char *key, uint8_t value)¶

static inline void bf_wpack_kv_u16(bf_wpack_t *pack, const char *key, uint16_t value)¶

static inline void bf_wpack_kv_u32(bf_wpack_t *pack, const char *key, uint32_t value)¶

static inline void bf_wpack_kv_u64(bf_wpack_t *pack, const char *key, uint64_t value)¶

static inline void bf_wpack_kv_bool(bf_wpack_t *pack, const char *key, bool value)¶

static inline void bf_wpack_kv_str(bf_wpack_t *pack, const char *key, const char *str)¶

static inline void bf_wpack_kv_bin(bf_wpack_t *pack, const char *key, const void *data, size_t data_len)¶

static inline void bf_wpack_kv_enum(bf_wpack_t *pack, const char *key, int value)¶

void bf_wpack_kv_list(bf_wpack_t *pack, const char *key, const bf_list *value)¶

void bf_wpack_open_object(bf_wpack_t *pack, const char *key)¶

Open a new object in the pack.

Once this function returns, any call to bf_wpack_TYPE or bf_wpack_kv_TYPE will insert data into the object.

Parameters:

pack – bf_wpack_t object to open the object in. Can’t be NULL.
key – Key to use for the object. If NULL, no key is inserted.

void bf_wpack_close_object(bf_wpack_t *pack)¶

Close the current object.

Once the object is closed, any call to bf_wpack_TYPE or bf_wpack_kv_TYPE will insert data into the parent object or array.

Parameters:

pack – bf_wpack_t object to close the object in. Can’t be NULL.

void bf_wpack_open_array(bf_wpack_t *pack, const char *key)¶

Open a new array in the pack.

Once this function returns, any call to bf_wpack_TYPE or bf_wpack_kv_TYPE will insert data into the array.

Parameters:

pack – bf_wpack_t object to open the array in. Can’t be NULL.
key – Key to use for the array. If NULL, no key is inserted.

void bf_wpack_close_array(bf_wpack_t *pack)¶

Close the current array.

Once the array is closed, any call to bf_wpack_TYPE or bf_wpack_kv_TYPE will insert data into the parent object or array.

Parameters:

pack – bf_wpack_t object to close the array in. Can’t be NULL.

int bf_rpack_new(bf_rpack_t **pack, const void *data, size_t data_len)¶

Allocate and initialize a new bf_rpack_t object.

Parameters:

pack – bf_rpack_t object to allocate and initialize. Can’t be NULL.
data – Serialized data. To prevent large copies, the deserialization object won’t take ownership of the data. Can’t be NULL.
data_len – Length of data.

Returns:

0 on success, or a negative error value on failure.

void bf_rpack_free(bf_rpack_t **pack)¶

Deinitialize and deallocate a bf_rpack_t object.

Parameters:

pack – bf_rpack_t object to deallocate and deinitialize. Can’t be NULL. If *pack is NULL, this function has no effect.

bf_rpack_node_t bf_rpack_root(const bf_rpack_t *pack)¶

Get the root node of pack.

Parameters:

pack – bf_rpack_t object to get the root node from. Can’t be NULL.

Returns:

Root node for pack.

bool bf_rpack_is_nil(bf_rpack_node_t node)¶

Returns true if the node is nil, false otherwise.

Nil nodes are used to specific an absent value (e.g. optional bf_hookopts).

Parameters:

node – Node to check for nil.

Returns:

True if node is nil, false otherwise.

bool bf_rpack_is_array(bf_rpack_node_t node)¶

Returns true if the node is an array, false otherwise.

Parameters:

node – Node to check for array type.

Returns:

True if node is an array, false otherwise.

size_t bf_rpack_array_count(bf_rpack_node_t node)¶

Returns the number of elements in an array node.

To ensure the returned value is relevant, the caller should ensure node is an array.

Parameters:

node – Array node to get the number of elements of.

Returns:

The number of elements in node, or 0 if node is not an array.

bf_rpack_node_t bf_rpack_array_value_at(bf_rpack_node_t node, size_t index)¶

Get an array element by index.

The caller is responsible for ensuring node is an array and index is a valid index in node, otherwise the returned node will be invalid.

Parameters:

node – Array node to get elements from.
index – Index of the node to get.

Returns:

The node of the element as index in node.

bool bf_rpack_kv_contains(bf_rpack_node_t node, const char *key)¶

Check if an object node contains a given key.

The caller is responsible for ensuring node is a valid object node. If node is invalid or the wrong type, false is returned.

Parameters:

node – Object node to check.
key – Key to check in node. Can’t be NULL.

Returns:

True if key is a valid key in node, false otherwise. On error, false is returned.

int bf_rpack_int(bf_rpack_node_t node, int *value)¶

int bf_rpack_uint(bf_rpack_node_t node, unsigned int *value)¶

int bf_rpack_u8(bf_rpack_node_t node, uint8_t *value)¶

int bf_rpack_u16(bf_rpack_node_t node, uint16_t *value)¶

int bf_rpack_u32(bf_rpack_node_t node, uint32_t *value)¶

int bf_rpack_u64(bf_rpack_node_t node, uint64_t *value)¶

int bf_rpack_str(bf_rpack_node_t node, char **value)¶

int bf_rpack_bool(bf_rpack_node_t node, bool *value)¶

int bf_rpack_bin(bf_rpack_node_t node, const void **data, size_t *data_len)¶

int bf_rpack_kv_node(bf_rpack_node_t node, const char *key, bf_rpack_node_t *child)¶

int bf_rpack_kv_int(bf_rpack_node_t node, const char *key, int *value)¶

int bf_rpack_kv_uint(bf_rpack_node_t node, const char *key, unsigned int *value)¶

int bf_rpack_kv_u8(bf_rpack_node_t node, const char *key, uint8_t *value)¶

int bf_rpack_kv_u16(bf_rpack_node_t node, const char *key, uint16_t *value)¶

int bf_rpack_kv_u32(bf_rpack_node_t node, const char *key, uint32_t *value)¶

int bf_rpack_kv_u64(bf_rpack_node_t node, const char *key, uint64_t *value)¶

int bf_rpack_kv_str(bf_rpack_node_t node, const char *key, char **value)¶

int bf_rpack_kv_bool(bf_rpack_node_t node, const char *key, bool *value)¶

int bf_rpack_kv_bin(bf_rpack_node_t node, const char *key, const void **data, size_t *data_len)¶

int bf_rpack_kv_obj(bf_rpack_node_t node, const char *key, bf_rpack_node_t *child)¶

int bf_rpack_kv_array(bf_rpack_node_t node, const char *key, bf_rpack_node_t *child)¶

union bf_rpack_node_t¶

#include <libbpfilter/include/bpfilter/pack.h>

Opaque structure to pass nodes by value.

Public Members

char _opaque[16]¶

void *_align¶

Rule¶

Defines

_free_bf_rule_¶

Functions

const char *bf_pkthdr_to_str(enum bf_pkthdr hdr)¶

Return the string representation of a bf_pkthdr enumeration value.

Parameters:

hdr – bf_pkthdr enumeration value.

Returns:

A pointer to the C-string representation of hdr.

int bf_pkthdr_from_str(const char *str, enum bf_pkthdr *hdr)¶

Return the bf_pkthdr enumeration value corresponding to a string.

Parameters:

str – String to get the corresponding bf_pkthdr enumeration value for.
hdr – On success, contains the bf_pkthdr enumeration value corresponding to str.

Pre:

str is a non-NULL pointer to a C-string.
hdr != NULL

Post:

On failure, hdr is unchanged.

Returns:

0 on success, or a negative error value on failure.

int bf_rule_new(struct bf_rule **rule)¶

Allocated and initialise a new rule.

On failure, rule is left unchanged.

Parameters:

rule – On success, points to the allocated rule. Must be non NULL.

Returns:

0 on success, or negative errno value on error.

int bf_rule_new_from_pack(struct bf_rule **rule, bf_rpack_node_t node)¶

Allocate and initialize a new rule from serialized data.

Parameters:

rule – Rule object to allocate and initialize from the serialized data. The caller will own the object. On failure, *rule is unchanged. Can’t be NULL.
node – Node containing the serialized rule. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure.

void bf_rule_free(struct bf_rule **rule)¶

Free a rule.

Free rule and set it to NULL. If rule is NULL, nothing is done.

Parameters:

rule – Rule to free. Must be non-NULL.

int bf_rule_pack(const struct bf_rule *rule, bf_wpack_t *pack)¶

Serialize a rule.

Parameters:

rule – Rule to serialize. Can’t be NULL.
pack – bf_wpack_t object to serialize the matcher rule. Can’t be NULL.

Returns:

0 on success, or a negative error value on failure.

void bf_rule_dump(const struct bf_rule *rule, prefix_t *prefix)¶

Dump a rule.

Parameters:

rule – Rule to dump. Must not be NULL.
prefix – Prefix for each printed line.

int bf_rule_add_matcher(struct bf_rule *rule, enum bf_matcher_type type, enum bf_matcher_op op, const void *payload, size_t payload_len)¶

Create a new matcher and add it to the rule.

Parameters:

rule – Rule to add the matcher to. Can’t be NULL.
type – Matcher type.
op – Comparison operator.
payload – Payload of the matcher, its content and size depends on type . Can be NULL but only if payload_len is 0, in which case there is no payload.
payload_len – Length of the payload.

Returns:

0 on success, or negative errno value on failure.

struct bf_rule¶

#include <libbpfilter/include/bpfilter/rule.h>

Represents a rule to match against packets.

Public Members

uint32_t index¶: Rule’s index. Identifies the rule’s within other rules from the same front.

bf_list matchers¶

uint8_t log¶

bool counters¶

enum bf_verdict verdict¶