Match using Linux Socket Filter. Expects a BPF program in decimal format. This
is the format generated by the \fBnfbpf_compile\fP utility.
.TP
\fB\-\-bytecode\fP \fIcode\fP
Pass the BPF byte code format (described in the example below).
.PP
The code format is similar to the output of the tcpdump \-ddd command: one line
that stores the number of instructions, followed by one line for each
instruction. Instruction lines follow the pattern 'u16 u8 u8 u32' in decimal
notation. Fields encode the operation, jump offset if true, jump offset if
false and generic multiuse field 'K'. Comments are not supported.
.PP
For example, to read only packets matching 'ip proto 6', insert the following,
without the comments or trailing whitespace:
.IP
4               # number of instructions
.br
48 0 0 9        # load byte  ip->proto
.br
21 0 1 6        # jump equal IPPROTO_TCP
.br
6 0 0 1         # return     pass (non-zero)
.br
6 0 0 0         # return     fail (zero)
.PP
You can pass this filter to the bpf match with the following command, in which
the lines are joined by commas:
.IP
iptables \-A OUTPUT \-m bpf \-\-bytecode '4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0' \-j ACCEPT
.PP
Or instead, you can invoke the nfbpf_compile utility.
.IP
iptables \-A OUTPUT \-m bpf \-\-bytecode "`nfbpf_compile RAW 'ip proto 6'`" \-j ACCEPT
.PP
You may want to learn more about BPF from FreeBSD's bpf(4) manpage.
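.PP
A hand-written filter can be checked against the format described above before it goes into a rule. The following Python is an added example, not part of iptables or this manual page: it parses a \-\-bytecode string, enforces the 'u16 u8 u8 u32' field ranges and rejects comments, count mismatches, jumps past the end and a missing final return. The function name parse_bytecode is hypothetical and the 64-instruction limit is an assumption taken from XT_BPF_MAX_NUM_INSTR in the kernel's xt_bpf.h.

```python
# Added example: static checks on an xt_bpf --bytecode string.
U16, U8, U32 = 0xFFFF, 0xFF, 0xFFFFFFFF
BPF_JMP, BPF_RET, BPF_JA = 0x05, 0x06, 0x00   # classic BPF class / op values


def parse_bytecode(text, max_instr=64):
    """Return [(code, jt, jf, k), ...] or raise ValueError.

    max_instr=64 is assumed from XT_BPF_MAX_NUM_INSTR (linux/netfilter/xt_bpf.h).
    """
    # Accept both the one-line-per-instruction form and the comma-joined form.
    parts = [p.strip() for p in text.replace("\n", ",").split(",") if p.strip()]
    if not parts or not parts[0].isdigit():
        raise ValueError("first entry must be the instruction count")
    count, lines = int(parts[0]), parts[1:]
    if count != len(lines):
        raise ValueError(f"count says {count}, found {len(lines)} instructions")
    if not 0 < count <= max_instr:
        raise ValueError(f"instruction count {count} outside 1..{max_instr}")

    prog = []
    for i, line in enumerate(lines):
        fields = line.split()
        # Exactly four decimal fields; a trailing '# comment' fails here.
        if len(fields) != 4 or not all(f.isdigit() for f in fields):
            raise ValueError(f"instruction {i}: expected 4 decimal fields: {line!r}")
        code, jt, jf, k = map(int, fields)
        if code > U16 or jt > U8 or jf > U8 or k > U32:
            raise ValueError(f"instruction {i}: field out of range")
        prog.append((code, jt, jf, k))

    # Jump offsets are relative to the next instruction and must stay in bounds.
    for i, (code, jt, jf, k) in enumerate(prog):
        if code & 0x07 == BPF_JMP:
            targets = [k] if code & 0xF0 == BPF_JA else [jt, jf]
            if any(i + 1 + t >= count for t in targets):
                raise ValueError(f"instruction {i}: jump past end of program")
    if prog[-1][0] & 0x07 != BPF_RET:
        raise ValueError("last instruction must be a return")
    return prog
```

Calling parse_bytecode on the 'ip proto 6' string from the example returns its four instructions as integer tuples.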