ipt

iptables front-end for bpfilter.

This front-end adds support for iptables commands to bpfilter.

iptables requires the INPUT, FORWARD, and OUTPUT chains to be defined with the ACCEPT policy by default, which means they have no effect except counting packets. bpfilter doesn't define those chains by default, even with this front-end enabled. Instead, it emulates them if they are not defined when iptables requests the ruleset. See _bf_ipt_gen_get_ruleset.

Before running the requested command, iptables sends two requests to bpfilter to populate a local cache:

  • IPT_SO_GET_INFO: fetch the ruleset size, enabled hooks, number of rules, and offset of the rules.

  • IPT_SO_GET_ENTRIES: same information as IPT_SO_GET_INFO plus the ruleset. iptables always sends the whole ruleset to bpfilter, even if only a single rule has changed.

bpfilter generates the ruleset in iptables format on demand, as long as the rules were previously defined by iptables. The iptables ruleset is defined as an ipt_replace structure with the following fields:

  • name: name of the table; only "filter" is supported.

  • valid_hooks: flags of the enabled hooks (hooks with a ruleset defined).

  • num_entries: number of ipt_entry in the structure (hanging off the end in a flexible array member).

  • size: total size of the ipt_entry structures.

  • hook_entry: offset of each chain's first ipt_entry, counted from ipt_replace.entries.

  • underflow: offset of each chain's policy ipt_entry, counted from ipt_replace.entries.

  • num_counters: identical to ipt_replace.num_entries.

  • counters: unused.

  • entries: flexible array member of ipt_entry for the chains.

The bf_rule objects of each chain are translated into ipt_entry structures. This structure is documented in the Linux kernel sources. All the ipt_entry structures generated from bf_rule objects have the same size because none of them contains any matcher (iptables matchers are not supported by bpfilter); however, each ipt_entry is followed by an ipt_entry_target that defines the rule's verdict. ipt_entry_target has a different size depending on the exact type of target (verdict, jump, ...): bpfilter only supports verdicts (ipt_standard_target).

Then, a last ipt_entry is added for the error target, which iptables expects.
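The layout described above, as an added example that is not bpfilter's own code: ipt_layout_compute derives the valid_hooks, num_entries, size, hook_entry and underflow fields from a per-hook rule count, and ipt_layout_check applies the bounds checks a receiver should run on such a header before walking the entries it describes. The entry sizes RULE_ENTRY_SIZE and ERROR_ENTRY_SIZE are assumed constants, not values taken from the kernel headers.

```c
#include <stdbool.h>
#include <stdint.h>
#define NF_INET_NUMHOOKS 5
/* Assumed sizes: ipt_entry + ipt_standard_target (no matchers), and
 * ipt_entry + error target. Not taken from the kernel headers. */
#define RULE_ENTRY_SIZE 152U
#define ERROR_ENTRY_SIZE 176U

struct ipt_layout {
    uint32_t valid_hooks, num_entries, size;
    uint32_t hook_entry[NF_INET_NUMHOOKS];
    uint32_t underflow[NF_INET_NUMHOOKS];
};

/* rules[h]: bf_rule count for hook h, or -1 if no chain is defined. Each
 * chain adds its rules plus a policy entry; one error entry closes the set. */
struct ipt_layout ipt_layout_compute(const int rules[NF_INET_NUMHOOKS])
{
    struct ipt_layout l = {0};             /* l.size doubles as the running offset */
    for (int h = 0; h < NF_INET_NUMHOOKS; ++h) {
        if (rules[h] < 0)
            continue;
        l.valid_hooks |= 1U << h;
        l.hook_entry[h] = l.size;                                /* first entry */
        l.underflow[h] = l.size + (uint32_t)rules[h] * RULE_ENTRY_SIZE; /* policy */
        l.size = l.underflow[h] + RULE_ENTRY_SIZE;
        l.num_entries += (uint32_t)rules[h] + 1;
    }
    l.num_entries += 1;                                          /* error entry */
    l.size += ERROR_ENTRY_SIZE;
    return l;
}

/* Checks for a header received over the socket, before walking its entries:
 * offsets ordered, a whole number of rules apart, and inside the buffer. */
bool ipt_layout_check(const struct ipt_layout *l)
{
    if (l->valid_hooks >> NF_INET_NUMHOOKS || l->size < ERROR_ENTRY_SIZE)
        return false;
    uint32_t body = l->size - ERROR_ENTRY_SIZE; /* bytes before the error entry */
    for (int h = 0; h < NF_INET_NUMHOOKS; ++h) {
        uint32_t first = l->hook_entry[h], policy = l->underflow[h];
        if (!(l->valid_hooks & (1U << h)))
            continue;
        if (first > policy || policy >= body || body - policy < RULE_ENTRY_SIZE ||
            (policy - first) % RULE_ENTRY_SIZE)
            return false;
    }
    return true;
}
```

With two rules in hook 0, an empty chain in hook 2 and three rules in hook 3, the header comes out with nine entries (five rules, three policies, one error entry) and the policy offset of each chain sitting exactly one rule entry before the next chain starts.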

Defines

bf_ipt_replace_size(ipt_replace_ptr)

Get size of an ipt_replace structure.

Parameters:
  • ipt_replace_ptr – Pointer to a valid ipt_replace structure.

Returns:

Size of the structure, including the variable-length entries field.

Functions

static int _bf_ipt_target_to_verdict(struct ipt_entry_target *ipt_tgt, enum bf_verdict *verdict)

Convert an iptables target to a bpfilter verdict.

Only the NF_ACCEPT and NF_DROP standard targets are supported; other targets and jumps to user-defined chains are rejected.

Parameters:
  • ipt_tgt – iptables target to convert.

  • verdict – bpfilter verdict corresponding to ipt_tgt.

Returns:

0 on success, or a negative errno value on error.

static int _bf_verdict_to_ipt_target(enum bf_verdict verdict, struct ipt_entry_target *ipt_tgt)
static int _bf_ipt_entry_to_rule(const struct ipt_entry *entry, struct bf_rule **rule)

Translate an iptables rule into a bpfilter rule.

Parameters:
  • entry – iptables rule. Can't be NULL.

  • rule – bpfilter rule. Can't be NULL. On success, points to a valid rule.

Returns:

0 on success, or a negative errno value on error.

static int _bf_rule_to_ipt_entry(const struct bf_rule *rule, struct ipt_entry *entry)

Translates a bf_rule object into an ipt_entry .

Parameters:
  • rule – bf_rule to translate. Can’t be NULL.

  • entry – ipt_entry created from the bf_rule. Can't be NULL.

Returns:

0 on success, or a negative errno value on error.

static int _bf_ipt_entries_to_chain(struct bf_chain **chain, int ipt_hook, struct ipt_entry *first, struct ipt_entry *last)
static int _bf_ipt_gen_get_ruleset(struct bf_ipt_gen_ruleset_entry *ruleset, size_t *nrules, bf_list *dummy_chains)

Get the list of chains and codegens for BF_FRONT_IPT .

Parameters:
  • ruleset – Array of size NF_INET_NUMHOOKS to be filled with the codegen and chain for every hook (if defined). Mandatory chains will be allocated and their pointer added to this array if they are not yet defined. Can’t be NULL.

  • nrules – On success, contains the total number of rules associated with the BF_FRONT_IPT front-end. This is the number of rules from iptables' perspective: each chain has an extra rule for the policy. Can't be NULL.

  • dummy_chains – On success, this list will contain pointers to the mandatory chains created to comply with iptables’ behaviour. The caller will own this list and the pointers contained in it. Can’t be NULL.

Returns:

0 on success, or a negative errno value on failure.

static int _bf_ipt_gen_ipt_replace(struct ipt_replace **replace, bool with_counters)

Generate the ipt_replace structure for the current ruleset.

Parameters:
  • replace – ipt_replace structure to allocate and fill. Can't be NULL.

  • with_counters – If true, the rule counters in replace will be filled with the correct values. Otherwise, the counters will default to 0.

Returns:

0 on success, or a negative errno value on failure.

static int _bf_ipt_xlate_ruleset_set(struct ipt_replace *ipt, struct bf_chain *(*chains)[NF_INET_NUMHOOKS])

Translate iptables rules into bpfilter format.

Parameters:
  • ipt – iptables rules.

  • chains – Array of chains. The array is big enough to fit one chain per hook. Can’t be NULL.

Returns:

0 on success, negative error code on failure.

static int _bf_ipt_ruleset_set(const struct bf_request *req)

Modify existing iptables rules.

Parameters:
  • req – The request sent to bpfilter. Can’t be NULL.

Returns:

0 on success, negative error code on failure.

static int _bf_ipt_set_counters_handler(struct xt_counters_info *counters, size_t len)

Set counters for a rule.

Parameters:
  • counters – iptables structure containing the counters and their value.

  • len – Length of the counters structure.

Returns:

0 on success, negative error code on failure.

int _bf_ipt_get_info_handler(struct bf_request *request, struct bf_response **response)
int _bf_ipt_get_entries_handler(struct bf_request *request, struct bf_response **response)

Get the entries of a table, including counters.

Parameters:
  • request

  • response

Returns:

0 on success, negative errno value on failure.

static int _bf_ipt_setup(void)
static int _bf_ipt_teardown(void)
static int _bf_ipt_request_handler(struct bf_request *request, struct bf_response **response)
Parameters:
  • request

  • response

Returns:

static int _bf_ipt_marsh(struct bf_marsh **marsh)
static int _bf_ipt_unmarsh(struct bf_marsh *marsh)

Variables

const struct bf_front_ops ipt_front = {.setup = _bf_ipt_setup, .teardown = _bf_ipt_teardown, .request_handler = _bf_ipt_request_handler, .marsh = _bf_ipt_marsh, .unmarsh = _bf_ipt_unmarsh,}
struct bf_ipt_gen_ruleset_entry

Public Members

struct bf_cgen *cgen
struct bf_chain *chain