diff options
author | Phil Sutter <phil@nwl.cc> | 2019-01-16 22:47:59 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2019-01-18 02:52:30 +0100 |
commit | 032dc4a18ab86173847b6016baf0819ccd7641c5 (patch) | |
tree | ba35e12bd5a061e82b334534bd2b988eedd7be9c /utils | |
parent | 5ca9acf51adf9dcc8e0d82cd8f5b9b2514f900ee (diff) |
utils: Add a manpage for nfbpf_compile
Content is rather sparse, but still better than no manpage at all.
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'utils')
-rw-r--r-- | utils/.gitignore | 1 | ||||
-rw-r--r-- | utils/Makefile.am | 3 | ||||
-rw-r--r-- | utils/nfbpf_compile.8.in | 70 |
3 files changed, 73 insertions, 1 deletions
diff --git a/utils/.gitignore b/utils/.gitignore index 7c6afbf4..6300812b 100644 --- a/utils/.gitignore +++ b/utils/.gitignore @@ -1,3 +1,4 @@ /nfnl_osf /nfnl_osf.8 /nfbpf_compile +/nfbpf_compile.8 diff --git a/utils/Makefile.am b/utils/Makefile.am index 80029e30..d09a6974 100644 --- a/utils/Makefile.am +++ b/utils/Makefile.am @@ -17,6 +17,7 @@ nfnl_osf_LDADD = ${libnfnetlink_LIBS} endif if ENABLE_BPFC +man_MANS += nfbpf_compile.8 sbin_PROGRAMS += nfbpf_compile nfbpf_compile_LDADD = -lpcap endif @@ -26,4 +27,4 @@ sbin_PROGRAMS += nfsynproxy nfsynproxy_LDADD = -lpcap endif -CLEANFILES = nfnl_osf.8 +CLEANFILES = nfnl_osf.8 nfbpf_compile.8 diff --git a/utils/nfbpf_compile.8.in b/utils/nfbpf_compile.8.in new file mode 100644 index 00000000..d02979a5 --- /dev/null +++ b/utils/nfbpf_compile.8.in @@ -0,0 +1,70 @@ +.TH NFBPF_COMPILE 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@" + +.SH NAME +nfbpf_compile \- generate bytecode for use with xt_bpf +.SH SYNOPSIS + +.ad l +.in +8 +.ti -8 +.B nfbpf_compile +[ +.I LLTYPE +] +.I PROGRAM + +.ti -8 +.I LLTYPE +:= { +.BR EN10MB " | " RAW " | " SLIP " | " +.I ... +} + +.SH DESCRIPTION +The +.B nfbpf_compile +utility aids in generating BPF byte code suitable for passing to +the iptables +.B bpf +match. + +.SH OPTIONS + +.TP +.I LLTYPE +Link-layer header type to operate on. This is a name as defined in +.RB < pcap/dlt.h > +but with the leading +.B DLT_ +prefix stripped. For use with iptables, +.B RAW +should be the right choice (it's also the default if not specified). + +.TP +.I PROGRAM +The BPF expression to compile, see +.BR pcap-filter (7) +for a description of the language. + +.SH EXIT STATUS +The program returns 0 on success, 1 otherwise. + +.SH EXAMPLE +Match incoming TCP packets with size bigger than 100 bytes: +.P +.in +8 +.EE +bpf=$(nfbpf_compile 'tcp and greater 100') +.br +iptables -A INPUT -m bpf --bytecode "$bpf" -j ACCEPT +.RE +.P +The description of +.B bpf +match in +.BR iptables-extensions (8) +lists a few more examples. + +.SH SEE ALSO +.BR iptables-extensions (8), +.BR pcap-filter (7) |