netfilter: x_tables: add xt_bpf match

Support arbitrary linux socket filter (BPF) programs as x_tables match rules. This allows for very expressive filters, and on platforms with BPF JIT appears competitive with traditional hardcoded iptables rules using the u32 match. The size of the filter has been artificially limited to 64 instructions maximum to avoid bloating the size of each rule using this new match. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Willem de Bruijn <willemb@google.com> 2013-01-18 02:17:30 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-01-21 06:20:19 -0500
commit: e6f30c731718db45cec380964dfee210307cfc4a (patch)
tree: e7be56bbf797e1632d65cbb98f9f557b2bf1a2e8 /net
parent: 5a406b0cdfa948c7d949b270374737b17ee1679f (diff)
3 files changed, 83 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index bb48607d4ee4..eb2c8ebf6d99 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -811,6 +811,15 @@ config NETFILTER_XT_MATCH_ADDRTYPE
          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
+config NETFILTER_XT_MATCH_BPF
+        tristate '"bpf" match support'
+        depends on NETFILTER_ADVANCED
+        help
+          BPF matching applies a linux socket filter to each packet and
+          accepts those for which the filter returns non-zero.
+          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XT_MATCH_CLUSTER
        tristate '"cluster" match support'
        depends on NF_CONNTRACK
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index b3bbda60945e..a1abf87d43bf 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -99,6 +99,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_IDLETIMER) += xt_IDLETIMER.o
 # matches
 obj-$(CONFIG_NETFILTER_XT_MATCH_ADDRTYPE) += xt_addrtype.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_BPF) += xt_bpf.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
new file mode 100644
index 000000000000..12d4da8e6c77
--- /dev/null
+++ b/net/netfilter/xt_bpf.c
@@ -0,0 +1,73 @@
+/* Xtables module to match packets using a BPF filter.
+ * Copyright 2013 Google Inc.
+ * Written by Willem de Bruijn <willemb@google.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/filter.h>
+#include <linux/netfilter/xt_bpf.h>
+#include <linux/netfilter/x_tables.h>
+MODULE_AUTHOR("Willem de Bruijn <willemb@google.com>");
+MODULE_DESCRIPTION("Xtables: BPF filter match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_bpf");
+MODULE_ALIAS("ip6t_bpf");
+static int bpf_mt_check(const struct xt_mtchk_param *par)
+{
+        struct xt_bpf_info *info = par->matchinfo;
+        struct sock_fprog program;
+        program.len = info->bpf_program_num_elem;
+        program.filter = (struct sock_filter __user *) info->bpf_program;
+        if (sk_unattached_filter_create(&info->filter, &program)) {
+                pr_info("bpf: check failed: parse error\n");
+                return -EINVAL;
+        }
+        return 0;
+}
+static bool bpf_mt(const struct sk_buff *skb, struct xt_action_param *par)
+{
+        const struct xt_bpf_info *info = par->matchinfo;
+        return SK_RUN_FILTER(info->filter, skb);
+}
+static void bpf_mt_destroy(const struct xt_mtdtor_param *par)
+{
+        const struct xt_bpf_info *info = par->matchinfo;
+        sk_unattached_filter_destroy(info->filter);
+}
+static struct xt_match bpf_mt_reg __read_mostly = {
+        .name           = "bpf",
+        .revision       = 0,
+        .family         = NFPROTO_UNSPEC,
+        .checkentry     = bpf_mt_check,
+        .match          = bpf_mt,
+        .destroy        = bpf_mt_destroy,
+        .matchsize      = sizeof(struct xt_bpf_info),
+        .me             = THIS_MODULE,
+};
+static int __init bpf_mt_init(void)
+{
+        return xt_register_match(&bpf_mt_reg);
+}
+static void __exit bpf_mt_exit(void)
+{
+        xt_unregister_match(&bpf_mt_reg);
+}
+module_init(bpf_mt_init);
+module_exit(bpf_mt_exit);
author	Willem de Bruijn <willemb@google.com>	2013-01-18 02:17:30 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-01-21 06:20:19 -0500
commit	e6f30c731718db45cec380964dfee210307cfc4a (patch)
tree	e7be56bbf797e1632d65cbb98f9f557b2bf1a2e8 /net
parent	5a406b0cdfa948c7d949b270374737b17ee1679f (diff)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index bb48607d4ee4..eb2c8ebf6d99 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -811,6 +811,15 @@ config NETFILTER_XT_MATCH_ADDRTYPE
811	If you want to compile it as a module, say M here and read	811	If you want to compile it as a module, say M here and read
812	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.	812	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
813		813
		814	config NETFILTER_XT_MATCH_BPF
		815	tristate '"bpf" match support'
		816	depends on NETFILTER_ADVANCED
		817	help
		818	BPF matching applies a linux socket filter to each packet and
		819	accepts those for which the filter returns non-zero.
		820
		821	To compile it as a module, choose M here. If unsure, say N.
		822
814	config NETFILTER_XT_MATCH_CLUSTER	823	config NETFILTER_XT_MATCH_CLUSTER
815	tristate '"cluster" match support'	824	tristate '"cluster" match support'
816	depends on NF_CONNTRACK	825	depends on NF_CONNTRACK


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index b3bbda60945e..a1abf87d43bf 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -99,6 +99,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_IDLETIMER) += xt_IDLETIMER.o
99		99
100	# matches	100	# matches
101	obj-$(CONFIG_NETFILTER_XT_MATCH_ADDRTYPE) += xt_addrtype.o	101	obj-$(CONFIG_NETFILTER_XT_MATCH_ADDRTYPE) += xt_addrtype.o
		102	obj-$(CONFIG_NETFILTER_XT_MATCH_BPF) += xt_bpf.o
102	obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o	103	obj-$(CONFIG_NETFILTER_XT_MATCH_CLUSTER) += xt_cluster.o
103	obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o	104	obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
104	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o	105	obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o


diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c new file mode 100644 index 000000000000..12d4da8e6c77 --- /dev/null +++ b/net/netfilter/xt_bpf.c
@@ -0,0 +1,73 @@
		1	/* Xtables module to match packets using a BPF filter.
		2	* Copyright 2013 Google Inc.
		3	* Written by Willem de Bruijn <willemb@google.com>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License version 2 as
		7	* published by the Free Software Foundation.
		8	*/
		9
		10	#include <linux/module.h>
		11	#include <linux/skbuff.h>
		12	#include <linux/filter.h>
		13
		14	#include <linux/netfilter/xt_bpf.h>
		15	#include <linux/netfilter/x_tables.h>
		16
		17	MODULE_AUTHOR("Willem de Bruijn <willemb@google.com>");
		18	MODULE_DESCRIPTION("Xtables: BPF filter match");
		19	MODULE_LICENSE("GPL");
		20	MODULE_ALIAS("ipt_bpf");
		21	MODULE_ALIAS("ip6t_bpf");
		22
		23	static int bpf_mt_check(const struct xt_mtchk_param *par)
		24	{
		25	struct xt_bpf_info *info = par->matchinfo;
		26	struct sock_fprog program;
		27
		28	program.len = info->bpf_program_num_elem;
		29	program.filter = (struct sock_filter __user *) info->bpf_program;
		30	if (sk_unattached_filter_create(&info->filter, &program)) {
		31	pr_info("bpf: check failed: parse error\n");
		32	return -EINVAL;
		33	}
		34
		35	return 0;
		36	}
		37
		38	static bool bpf_mt(const struct sk_buff skb, struct xt_action_param par)
		39	{
		40	const struct xt_bpf_info *info = par->matchinfo;
		41
		42	return SK_RUN_FILTER(info->filter, skb);
		43	}
		44
		45	static void bpf_mt_destroy(const struct xt_mtdtor_param *par)
		46	{
		47	const struct xt_bpf_info *info = par->matchinfo;
		48	sk_unattached_filter_destroy(info->filter);
		49	}
		50
		51	static struct xt_match bpf_mt_reg __read_mostly = {
		52	.name = "bpf",
		53	.revision = 0,
		54	.family = NFPROTO_UNSPEC,
		55	.checkentry = bpf_mt_check,
		56	.match = bpf_mt,
		57	.destroy = bpf_mt_destroy,
		58	.matchsize = sizeof(struct xt_bpf_info),
		59	.me = THIS_MODULE,
		60	};
		61
		62	static int __init bpf_mt_init(void)
		63	{
		64	return xt_register_match(&bpf_mt_reg);
		65	}
		66
		67	static void __exit bpf_mt_exit(void)
		68	{
		69	xt_unregister_match(&bpf_mt_reg);
		70	}
		71
		72	module_init(bpf_mt_init);
		73	module_exit(bpf_mt_exit);