netfilter: x_tables: add xt_bpf match

Support arbitrary linux socket filter (BPF) programs as x_tables match rules. This allows for very expressive filters, and on platforms with BPF JIT appears competitive with traditional hardcoded iptables rules using the u32 match. The size of the filter has been artificially limited to 64 instructions maximum to avoid bloating the size of each rule using this new match. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Willem de Bruijn <willemb@google.com> 2013-01-18 07:17:30 +0000
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-01-21 12:20:19 +0100
commit: e6f30c731718db45cec380964dfee210307cfc4a (patch)
tree: e7be56bbf797e1632d65cbb98f9f557b2bf1a2e8 /net/netfilter/Kconfig
parent: 5a406b0cdfa948c7d949b270374737b17ee1679f (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index bb48607d4ee4..eb2c8ebf6d99 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -811,6 +811,15 @@ config NETFILTER_XT_MATCH_ADDRTYPE
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_BPF
+	tristate '"bpf" match support'
+	depends on NETFILTER_ADVANCED
+	help
+	  BPF matching applies a linux socket filter to each packet and
+	  accepts those for which the filter returns non-zero.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_CLUSTER
 	tristate '"cluster" match support'
 	depends on NF_CONNTRACK
author	Willem de Bruijn <willemb@google.com>	2013-01-18 07:17:30 +0000
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-01-21 12:20:19 +0100
commit	e6f30c731718db45cec380964dfee210307cfc4a (patch)
tree	e7be56bbf797e1632d65cbb98f9f557b2bf1a2e8 /net/netfilter/Kconfig
parent	5a406b0cdfa948c7d949b270374737b17ee1679f (diff)