Content is rather sparse, but still better than no manpage at all. Cc: Willem de Bruijn <willemb@xxxxxxxxxx> Signed-off-by: Phil Sutter <phil@xxxxxx> --- configure.ac | 3 +- utils/.gitignore | 1 + utils/Makefile.am | 3 +- utils/nfbpf_compile.8.in | 70 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 utils/nfbpf_compile.8.in diff --git a/configure.ac b/configure.ac index 448ec918fd89b..e6c9832fa43ba 100644 --- a/configure.ac +++ b/configure.ac @@ -252,7 +252,8 @@ AC_CONFIG_FILES([Makefile extensions/GNUmakefile include/Makefile libxtables/Makefile utils/Makefile include/xtables-version.h include/iptables/internal.h iptables/xtables-monitor.8 - utils/nfnl_osf.8]) + utils/nfnl_osf.8 + utils/nfbpf_compile.8]) AC_OUTPUT diff --git a/utils/.gitignore b/utils/.gitignore index 7c6afbf4e6a52..6300812b1701b 100644 --- a/utils/.gitignore +++ b/utils/.gitignore @@ -1,3 +1,4 @@ /nfnl_osf /nfnl_osf.8 /nfbpf_compile +/nfbpf_compile.8 diff --git a/utils/Makefile.am b/utils/Makefile.am index 80029e303ff3b..d09a69749b85f 100644 --- a/utils/Makefile.am +++ b/utils/Makefile.am @@ -17,6 +17,7 @@ nfnl_osf_LDADD = ${libnfnetlink_LIBS} endif if ENABLE_BPFC +man_MANS += nfbpf_compile.8 sbin_PROGRAMS += nfbpf_compile nfbpf_compile_LDADD = -lpcap endif @@ -26,4 +27,4 @@ sbin_PROGRAMS += nfsynproxy nfsynproxy_LDADD = -lpcap endif -CLEANFILES = nfnl_osf.8 +CLEANFILES = nfnl_osf.8 nfbpf_compile.8 diff --git a/utils/nfbpf_compile.8.in b/utils/nfbpf_compile.8.in new file mode 100644 index 0000000000000..d02979a5143ef --- /dev/null +++ b/utils/nfbpf_compile.8.in 
@@ -0,0 +1,70 @@
+.TH NFBPF_COMPILE 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
+
+.SH NAME
+nfbpf_compile \- generate bytecode for use with xt_bpf
+.SH SYNOPSIS
+
+.ad l
+.in +8
+.ti -8
+.B nfbpf_compile
+[
+.I LLTYPE
+]
+.I PROGRAM
+
+.ti -8
+.I LLTYPE
+:= {
+.BR EN10MB " | " RAW " | " SLIP " | "
+.I ...
+}
+
+.SH DESCRIPTION
+The
+.B nfbpf_compile
+utility aids in generating BPF byte code suitable for passing to
+the iptables
+.B bpf
+match.
+
+.SH OPTIONS
+
+.TP
+.I LLTYPE
+Link-layer header type to operate on. This is a name as defined in
+.RB < pcap/dlt.h >
+but with the leading
+.B DLT_
+prefix stripped. For use with iptables,
+.B RAW
+should be the right choice (it's also the default if not specified).
+
+.TP
+.I PROGRAM
+The BPF expression to compile, see
+.BR pcap-filter (7)
+for a description of the language.
+
+.SH EXIT STATUS
+The program returns 0 on success, 1 otherwise.
+
+.SH EXAMPLE
+Match incoming TCP packets with size bigger than 100 bytes:
+.P
+.in +8
+.EE
+bpf=$(nfbpf_compile 'tcp and greater 100')
+.br
+iptables -A INPUT -m bpf --bytecode "$bpf" -j ACCEPT
+.RE
+.P
+The description of
+.B bpf
+match in
+.BR iptables-extensions (8)
+lists a few more examples.
+
+.SH SEE ALSO
+.BR iptables-extensions (8),
+.BR pcap-filter (7)
--
2.20.1
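Review bot: The LLTYPE paragraph under OPTIONS says RAW "should be the right choice" without giving the reason, and this is the one choice on the page that decides which traffic a rule matches. iptables-extensions(8) notes that iptables passes packets to the bpf match from the network layer up, without a MAC header, so bytecode compiled for EN10MB or another framed type reads its offsets from the wrong bytes and the rule can silently match different packets than the expression describes. A sentence such as `The bpf match sees packets starting at the network header, so bytecode compiled for any other LLTYPE will not match as written.` would make that explicit. Separately, in the EXAMPLE section `.EE` appears with no opening `.EX` and `.RE` with no `.RS`; opening with `.RS` and `.nf` in place of `.in +8` and `.EE`, and closing with `.fi` then `.RE`, keeps the macros balanced and makes the `.br` unnecessary.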