iptables

A custom iptables binary is required to use with bpfilter, but it can be built directly from the bpfilter source tree: make iptables. Once you have built iptables, you can force it to communicate with bpfilter instead of the kernel using --bpf.

The following filters are supported:

  • Source IPv4 address and mask.

  • Destination IPv4 address and mask.

  • Layer 4 protocol.

Filtering rules can be defined for any table, and the ACCEPT and DROP actions are supported. The ruleset can also be fetched back from bpfilter. For example:

# Start bpfilter daemon
$ sudo bpfilter

# Add a new rule to block ping requests
$ sudo iptables -I INPUT --bpf -p icmp -j DROP

# Show the rules and counters after the host was pinged
$ sudo iptables --bpf -nv -L
Chain INPUT (policy ACCEPT 327 packets, 42757 bytes)
pkts bytes target     prot opt in     out     source               destination
    2   196 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
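Because the ruleset can be read back from bpfilter, a defender can check that an expected rule is actually installed and that its counters move. The script below is an added example, not part of bpfilter or its iptables build: it parses the listing format shown above (the sample text is constructed from that session) and extracts per-rule packet counters and chain policies. LISTING_CMD is an assumed hook: set it to "sudo iptables --bpf -nv -L" to parse a live listing instead of the embedded sample.

```shell
#!/bin/sh
# Constructed sample of `iptables --bpf -nv -L` output, copied from the session
# above. Used when LISTING_CMD (hypothetical hook) is not set.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 327 packets, 42757 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   196 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# listing: print the ruleset, either from the live command in LISTING_CMD
# (e.g. "sudo iptables --bpf -nv -L") or from the embedded sample.
listing() {
    if [ -n "$LISTING_CMD" ]; then
        $LISTING_CMD
    else
        printf '%s\n' "$SAMPLE_LISTING"
    fi
}

# rule_hits CHAIN TARGET PROTO
# Prints the packet counter of the first rule in CHAIN whose target and
# protocol match, or "missing" if no such rule is listed. Column layout:
# $1=pkts $2=bytes $3=target $4=prot.
rule_hits() {
    listing | awk -v chain="$1" -v target="$2" -v proto="$3" '
        /^Chain / { in_chain = ($2 == chain); next }
        in_chain && $3 == target && $4 == proto { print $1; found = 1; exit }
        END { if (!found) print "missing" }
    '
}

# chain_policy CHAIN: prints the default policy of CHAIN (ACCEPT or DROP).
# The header reads "Chain NAME (policy POLICY ...)", so POLICY is field 4.
chain_policy() {
    listing | awk -v chain="$1" '
        /^Chain / && $2 == chain { print $4; exit }
    '
}

# icmp_block_ok: exit 0 when the INPUT chain carries a DROP rule for icmp
# (the rule added in the session above), 1 otherwise.
icmp_block_ok() {
    hits=$(rule_hits INPUT DROP icmp)
    [ "$hits" != "missing" ]
}

# Usage from the shell:
#   ./check.sh                         -> parses the embedded sample
#   LISTING_CMD="sudo iptables --bpf -nv -L" ./check.sh
printf 'INPUT policy: %s\n' "$(chain_policy INPUT)"
printf 'icmp DROP hits: %s\n' "$(rule_hits INPUT DROP icmp)"
if icmp_block_ok; then
    echo "icmp block rule present"
else
    echo "icmp block rule MISSING" >&2
fi
```

A zero or "missing" result after the host has been pinged is the signal to investigate: either the rule was never accepted by bpfilter, or traffic is not reaching the hook it programs.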