ipt

iptables front-end for bpfilter.
This front-end provides support for the iptables command in bpfilter.

iptables requires the INPUT, FORWARD, and OUTPUT chains to be defined with the ACCEPT policy by default, which means they have no effect except counting the packets. bpfilter doesn't define those chains by default, even with this front-end enabled. Instead, it emulates them if they are not defined when iptables requests the ruleset. See _bf_ipt_gen_get_ruleset.
Before running the requested command, iptables will send two requests to bpfilter to populate a local cache:

- IPT_SO_GET_INFO: fetch the ruleset size, enabled hooks, number of rules, and offset of the rules.
- IPT_SO_GET_ENTRIES: same information as IPT_SO_GET_INFO, plus the ruleset.

iptables always sends the whole ruleset to bpfilter, even if only a single rule has changed.
bpfilter will generate the ruleset in iptables format on demand, as long as the rules have been defined by iptables previously. The iptables ruleset is defined as an ipt_replace structure with the following fields:

- name: name of the table, only “filter” is supported.
- valid_hooks: flags of the enabled hooks (hooks with a ruleset defined).
- num_entries: number of ipt_entry in the structure (hanging off the end in a flexible array member).
- size: total size of the ipt_entry structures.
- hook_entry: offset of each chain’s first ipt_entry, starting from ipt_replace.entries.
- underflow: offset of each chain’s policy ipt_entry, starting from ipt_replace.entries.
- num_counters: identical to ipt_replace.num_entries.
- counters: unused.
- entries: flexible array member of ipt_entry for the chains.
The bf_rule objects of each chain are translated into ipt_entry structures. This structure is documented in the Linux kernel sources. All the ipt_entry structures defined for bf_rule will have the same size because none of them will contain any matcher (iptables matchers are not supported by bpfilter); however, after each ipt_entry is located an ipt_entry_target to define the rule’s verdict. ipt_entry_target has different sizes depending on the exact type of target (verdict, jump, …): bpfilter only supports verdict (ipt_standard_target).

Then, a last ipt_entry is added for the error target, which is expected by iptables.
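The layout described above (hook_entry and underflow offsets into entries, one standard target right after each ipt_entry, a trailing ERROR entry) and the NF_ACCEPT/NF_DROP-only target mapping that _bf_ipt_target_to_verdict documents further down, shown in an added C example that is not bpfilter's code. The struct definitions are simplified stand-ins that keep the field names the page uses but not the kernel's exact sizes (the real ones live in <linux/netfilter_ipv4/ip_tables.h>), the sample ruleset is constructed rather than captured from iptables, and validate_ruleset is this example's own check of what a receiver should verify before walking a ruleset handed to it over the IPT_SO_* path, not a function of bpfilter.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-ins for the kernel structures (assumption: the real ones in
 * <linux/netfilter_ipv4/ip_tables.h> carry more fields; only the offsets matter here). */
#define NF_INET_NUMHOOKS 5
#define NF_INET_LOCAL_IN 1  /* INPUT */
#define NF_INET_FORWARD 2   /* FORWARD */
#define NF_INET_LOCAL_OUT 3 /* OUTPUT */
#define NF_DROP 0
#define NF_ACCEPT 1
struct ipt_entry {                       /* rule header; its target follows it directly */
    uint16_t target_offset, next_offset; /* start of target / next entry, relative to here */
    uint32_t pcnt, bcnt;                 /* packet and byte counters (64-bit in the kernel) */
};
struct ipt_standard_target {             /* a verdict v is encoded as -v - 1 */
    uint16_t target_size;
    char name[30];                       /* "" for the standard target, "ERROR" for the error entry */
    int32_t verdict;
};
struct ipt_replace {
    char name[32];
    uint32_t valid_hooks, num_entries, size;
    uint32_t hook_entry[NF_INET_NUMHOOKS]; /* offset of each chain's first entry */
    uint32_t underflow[NF_INET_NUMHOOKS];  /* offset of each chain's policy entry */
    uint32_t num_counters;
    unsigned char entries[];
};
#define ENTRY_SIZE (sizeof(struct ipt_entry) + sizeof(struct ipt_standard_target))

/* Append one entry with a standard target at `off`; return the next free offset. */
static size_t put_entry(unsigned char *buf, size_t off, const char *tname, int32_t verdict)
{
    struct ipt_entry *e = (struct ipt_entry *)(buf + off);
    struct ipt_standard_target *t = (struct ipt_standard_target *)(e + 1);
    memset(e, 0, ENTRY_SIZE);
    e->target_offset = sizeof(*e); e->next_offset = ENTRY_SIZE;
    t->target_size = sizeof(*t); t->verdict = verdict;
    strncpy(t->name, tname, sizeof(t->name) - 1);
    return off + ENTRY_SIZE;
}

/* Build the "filter" ruleset iptables expects: INPUT with one DROP rule plus its ACCEPT
 * policy, FORWARD and OUTPUT with only their policy, then the trailing ERROR entry. */
static struct ipt_replace *build_ruleset(void)
{
    const int hooks[] = { NF_INET_LOCAL_IN, NF_INET_FORWARD, NF_INET_LOCAL_OUT };
    struct ipt_replace *r = calloc(1, sizeof(*r) + 5 * ENTRY_SIZE); /* 1 rule + 3 policies + ERROR */
    size_t off = 0;
    strcpy(r->name, "filter"); /* constructed sample data, not captured from iptables */
    for (size_t i = 0; i < 3; i++) {
        int h = hooks[i];
        r->valid_hooks |= 1u << h;
        r->hook_entry[h] = off;
        if (h == NF_INET_LOCAL_IN)
            off = put_entry(r->entries, off, "", -NF_DROP - 1);
        r->underflow[h] = off; /* the policy is the chain's last entry */
        off = put_entry(r->entries, off, "", -NF_ACCEPT - 1);
    }
    off = put_entry(r->entries, off, "ERROR", 0);
    r->num_entries = r->num_counters = 5; r->size = off;
    return r;
}

/* Walk the entries and check what a receiver must verify before trusting a ruleset:
 * offsets stay inside `size`, num_entries matches the walk, and every enabled hook's
 * hook_entry/underflow land on entry boundaries with the policy last. Returns the
 * entry count, or a negative code naming the first inconsistency. */
static int validate_ruleset(const struct ipt_replace *r, size_t buf_len)
{
    uint32_t seen_hook = 0, seen_under = 0;
    size_t off = 0, count = 0;
    if (buf_len < sizeof(*r) || r->size > buf_len - sizeof(*r)) return -1; /* size > buffer */
    while (off < r->size) {
        const struct ipt_entry *e = (const struct ipt_entry *)(r->entries + off);
        if (r->size - off < sizeof(*e)) return -2; /* truncated entry header */
        if (e->target_offset < sizeof(*e) || e->next_offset > r->size - off ||
            e->next_offset < e->target_offset + sizeof(struct ipt_standard_target))
            return -3; /* target or next entry would escape the entry or the buffer */
        for (int h = 0; h < NF_INET_NUMHOOKS; h++) { /* record hooks landing on this boundary */
            seen_hook |= (r->hook_entry[h] == off) << h;
            seen_under |= (r->underflow[h] == off) << h;
        }
        off += e->next_offset;
        count++;
    }
    if (count != r->num_entries) return -4;
    for (int h = 0; h < NF_INET_NUMHOOKS; h++)
        if (((r->valid_hooks >> h) & 1) && (!((seen_hook >> h) & 1) ||
            !((seen_under >> h) & 1) || r->hook_entry[h] > r->underflow[h]))
            return -5;
    return (int)count;
}

/* Decode the standard target at `off` the way the front-end maps targets to verdicts:
 * NF_ACCEPT or NF_DROP, and -1 for anything else (jump, ERROR, ...). */
static int entry_verdict(const struct ipt_replace *r, size_t off)
{
    const struct ipt_entry *e = (const struct ipt_entry *)(r->entries + off);
    const struct ipt_standard_target *t =
        (const struct ipt_standard_target *)(r->entries + off + e->target_offset);
    if (t->name[0] != '\0') return -1; /* not the standard target */
    return (t->verdict == -NF_ACCEPT - 1) ? NF_ACCEPT : (t->verdict == -NF_DROP - 1) ? NF_DROP : -1;
}
```

With these stand-in sizes, build_ruleset places the INPUT rule at offset 0, its policy at ENTRY_SIZE, FORWARD and OUTPUT at 2*ENTRY_SIZE and 3*ENTRY_SIZE with hook_entry equal to underflow because they hold only a policy, and the ERROR entry last; validate_ruleset returns 5 for it, and returns -3 as soon as any next_offset points past size, which is the check that keeps a walk over a caller-supplied buffer from reading out of bounds.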
Defines

- bf_ipt_replace_size(ipt_replace_ptr)
Get size of an ipt_replace structure.
- Parameters:
ipt_replace_ptr – Pointer to a valid ipt_replace structure.
- Returns:
Size of the structure, including the variable-length entries field.
Functions

- static int _bf_ipt_target_to_verdict(struct ipt_entry_target *ipt_tgt, enum bf_verdict *verdict)
Convert an iptables target to a bpfilter verdict.
Only the NF_ACCEPT and NF_DROP standard targets are supported; other targets and jumps to user-defined chains will be rejected.
- Parameters:
ipt_tgt – iptables target to convert.
verdict – bpfilter verdict corresponding to ipt_tgt.
- Returns:
0 on success, or a negative errno value on error.
- static int _bf_verdict_to_ipt_target(enum bf_verdict verdict, struct ipt_entry_target *ipt_tgt)
- static int _bf_ipt_entry_to_rule(const struct ipt_entry *entry, struct bf_rule **rule)
Translate an iptables rule into a bpfilter rule.
- Parameters:
entry – iptables rule. Can’t be NULL.
rule – bpfilter rule. Can’t be NULL. On success, points to a valid rule.
- Returns:
0 on success, or a negative errno value on error.
- static int _bf_rule_to_ipt_entry(const struct bf_rule *rule, struct ipt_entry *entry)
Translates a bf_rule object into an ipt_entry.
- Parameters:
rule – bf_rule to translate. Can’t be NULL.
entry – ipt_entry created from the bf_rule. Can’t be NULL.
- Returns:
0 on success, or a negative errno value on error.
- static int _bf_ipt_entries_to_chain(struct bf_chain **chain, int ipt_hook, struct ipt_entry *first, struct ipt_entry *last)
- static int _bf_ipt_gen_get_ruleset(struct bf_ipt_gen_ruleset_entry *ruleset, size_t *nrules, bf_list *dummy_chains)
Get the list of chains and codegens for BF_FRONT_IPT.
- Parameters:
ruleset – Array of size NF_INET_NUMHOOKS to be filled with the codegen and chain for every hook (if defined). Mandatory chains will be allocated and their pointer added to this array if they are not yet defined. Can’t be NULL.
nrules – On success, contains the total number of rules associated with the BF_FRONT_IPT front-end. This is the number of rules from iptables’ perspective: each chain has an extra rule for the policy. Can’t be NULL.
dummy_chains – On success, this list will contain pointers to the mandatory chains created to comply with iptables’ behaviour. The caller will own this list and the pointers contained in it. Can’t be NULL.
- Returns:
0 on success, or a negative errno value on failure.
- static int _bf_ipt_gen_ipt_replace(struct ipt_replace **replace, bool with_counters)
Generate the ipt_replace structure for the current ruleset.
- Parameters:
replace – ipt_replace structure to allocate and fill. Can’t be NULL.
with_counters – If true, the rule counters in replace will be filled with the correct values. Otherwise, the counters will default to 0.
- Returns:
0 on success, or a negative errno value on failure.
- static int _bf_ipt_xlate_ruleset_set(struct ipt_replace *ipt, struct bf_chain *(*chains)[NF_INET_NUMHOOKS])
Translate iptables rules into bpfilter format.
- Parameters:
ipt – iptables rules.
chains – Array of chains. The array is big enough to fit one chain per hook. Can’t be NULL.
- Returns:
0 on success, negative error code on failure.
- static int _bf_ipt_ruleset_set(const struct bf_request *req)
Modify existing iptables rules.
- Parameters:
req – The request sent to bpfilter. Can’t be NULL.
- Returns:
0 on success, negative error code on failure.
- static int _bf_ipt_set_counters_handler(struct xt_counters_info *counters, size_t len)
Set counters for a rule.
- Parameters:
counters – iptables structure containing the counters and their value.
len – Length of the counters structure.
- Returns:
0 on success, negative error code on failure.
- int _bf_ipt_get_info_handler(struct bf_request *request, struct bf_response **response)
- int _bf_ipt_get_entries_handler(struct bf_request *request, struct bf_response **response)
Get the entries of a table, including counters.
- Parameters:
request
response
- Returns:
0 on success, negative errno value on failure.
- static int _bf_ipt_setup(void)
- static int _bf_ipt_teardown(void)
- static int _bf_ipt_request_handler(struct bf_request *request, struct bf_response **response)
- Parameters:
request
response
- static int _bf_ipt_marsh(struct bf_marsh **marsh)
- static int _bf_ipt_unmarsh(struct bf_marsh *marsh)
Variables

- const struct bf_front_ops ipt_front = {.setup = _bf_ipt_setup, .teardown = _bf_ipt_teardown, .request_handler = _bf_ipt_request_handler, .marsh = _bf_ipt_marsh, .unmarsh = _bf_ipt_unmarsh,}
- struct bf_ipt_gen_ruleset_entry