authorWillem de Bruijn <willemb@google.com>2013-01-18 07:17:30 +0000
committerPablo Neira Ayuso <pablo@netfilter.org>2013-01-21 12:20:19 +0100
commite6f30c731718db45cec380964dfee210307cfc4a (patch)
treee7be56bbf797e1632d65cbb98f9f557b2bf1a2e8 /include
parent5a406b0cdfa948c7d949b270374737b17ee1679f (diff)
netfilter: x_tables: add xt_bpf match
Support arbitrary linux socket filter (BPF) programs as x_tables match rules. This allows for very expressive filters, and on platforms with BPF JIT appears competitive with traditional hardcoded iptables rules using the u32 match. The size of the filter has been artificially limited to 64 instructions maximum to avoid bloating the size of each rule using this new match. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/uapi/linux/netfilter/xt_bpf.h17
1 files changed, 17 insertions, 0 deletions
diff --git a/include/uapi/linux/netfilter/xt_bpf.h b/include/uapi/linux/netfilter/xt_bpf.h
new file mode 100644
index 000000000000..5dda450eb55b
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_bpf.h
@@ -0,0 +1,17 @@
+#ifndef _XT_BPF_H
+#define _XT_BPF_H
+
+#include <linux/filter.h>
+#include <linux/types.h>
+
+#define XT_BPF_MAX_NUM_INSTR 64
+
+struct xt_bpf_info {
+ __u16 bpf_program_num_elem;
+ struct sock_filter bpf_program[XT_BPF_MAX_NUM_INSTR];
+
+ /* only used in the kernel */
+ struct sk_filter *filter __attribute__((aligned(8)));
+};
+
+#endif /*_XT_BPF_H */
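Review bot: `bpf_program_num_elem` is a user-supplied count that indexes into the fixed `bpf_program[XT_BPF_MAX_NUM_INSTR]` array, yet nothing in this header states the invariant the match module must enforce, namely `0 < bpf_program_num_elem <= XT_BPF_MAX_NUM_INSTR`, before the program is handed to the filter-creation code; I would document it on the field, e.g. `/* number of valid entries in bpf_program; the kernel rejects 0 or values above XT_BPF_MAX_NUM_INSTR at checkentry */`. The `struct sk_filter *filter` member is a kernel-private pointer embedded in a UAPI struct; since x_tables appears to hand the whole match blob back to userspace on get-entries (inferred, the copy-out path is not in this hunk), the comment `/* only used in the kernel */` should say that the field must never carry a live kernel address to userspace, e.g. `/* kernel-private; set by checkentry, must be cleared before the entry is copied to userspace */`. The `aligned(8)` deserves a one-line why-comment as well, e.g. `/* keep sizeof identical on 32- and 64-bit so the uapi layout does not depend on pointer size */`, since a reader cannot otherwise tell it from a performance hint.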