An eBPF-based packet filtering framework.
bpfilter is an eBPF-based packet filtering framework designed to translate filtering rules into BPF programs. It comprises three main components:
- A daemon that runs on the host, translating filtering rules into BPF programs.
- A lightweight library to facilitate communication with the daemon.
- A dedicated command line interface to define the filtering rules.
A typical usage workflow would be to start the bpfilter daemon, then define the filtering rules using bfcli (part of the bpfilter project), nftables or iptables. The bpfilter daemon will be responsible for translating the filtering rules into custom BPF programs, and loading them on the system.
Detailed information can be found in the documentation.
-
Install dependencies
# To build bpfilter sudo dnf install -y \ bison \ bpftool \ clang \ clang-tools-extra \ cmake \ flex \ jq \ libcmocka-devel \ doxygen \ git \ lcov \ libasan \ libbpf-devel \ libnl3-devel \ libubsan \ python3-breathe \ python3-furo \ python3-linuxdoc \ python3-sphinx \ pkgconf # To build nftables and iptables sudo dnf install \ autoconf \ automake \ bison \ flex \ gmp-devel \ libedit-devel \ libmnl-devel \ libnftnl-devel \ libtool
-
Build
bpfiltercmake -S $SOURCES_DIR -B $BUILD_DIR make -C $BUILD_DIR make -C $BUILD_DIR test
-
Build custom versions of
nftablesandiptables(optional)make -C $BUILD_DIR nftables iptables -
Start the
bpfilterdaemonsudo $BUILD_DIR/src/bpfilter -
Configure the filtering rules
- For
bfcli:$BUILD_DIR/output/bin/bfcli --file $RULESET
- For
nftables:sudo $BUILD_DIR/tools/install/sbin/nft --bpf ... - For
iptables:sudo $BUILD_DIR/tools/install/sbin/iptables --bpf ...
- For
bpfilter is licensed under GPLv2. You can find the licensing details in the COPYING file.
bpfilter was initially developed by Dmitrii Banshchikov as a Linux kernel usermode helper.
For further information and updates, visit the bpfilter documentation.