pktbaffle — compile libpcap-style packet filter expressions into classic BPF (cBPF) or extended BPF (eBPF) programs.
§Overview
pktbaffle turns the same filter syntax used by tcpdump and
pcap_compile(3) into compact bytecode with no C runtime dependency.
The classic output can be attached to a socket with SO_ATTACH_FILTER; the extended output is
loaded through bpf(2), attached to an XDP or TC hook, and has to pass the kernel verifier like any other eBPF program.
§Quick start
```rust
use pktbaffle::{compile, LinkType, Target};

// Classic BPF — attach to a raw socket with SO_ATTACH_FILTER
let prog = compile("tcp port 443", LinkType::Ethernet, Target::Classic).unwrap();
assert!(prog.len() > 0);
let bytes = prog.to_le_bytes(); // 8 bytes per instruction, little-endian

// eBPF — load into an XDP or TC program
let prog = compile("tcp port 443", LinkType::Ethernet, Target::Extended).unwrap();
let bytes = prog.to_le_bytes();
```
§Filter syntax
The filter language is a subset of the libpcap expression syntax.
Primitives can be combined with and, or, not (or !);
juxtaposition is treated as AND.
| Expression | Matches |
|---|---|
| host 192.168.1.1 | IPv4 src or dst |
| src host 10.0.0.1 | IPv4 source only |
| net 10.0.0.0/8 | Any address in 10.0.0.0/8 |
| tcp port 443 | TCP to/from port 443 |
| udp portrange 1024-65535 | UDP ephemeral ports |
| port 80 or port 443 | HTTP or HTTPS |
| tcp and not port 22 | TCP excluding SSH |
| ether host aa:bb:cc:dd:ee:ff | Ethernet MAC address |
| vlan 100 | VLAN-tagged, ID 100 |
| mpls | Any MPLS-labeled packet |
| ip multicast | IPv4 multicast destination |
| ip6 and tcp port 80 | IPv6 HTTP traffic |
| len <= 64 | Packets ≤ 64 bytes |
| tcp[13] & 0x02 != 0 | TCP SYN flag (raw byte access) |
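The precedence rules behind this table (not binds tightest, then and, then or, and two adjacent primitives are joined by an implicit and) are easy to get wrong in a hand-written parser. The following Rust is an added example, not pktbaffle's lexer or parser: a recursive-descent parser for the boolean layer only, over a handful of fixed-arity primitives (tcp, udp, icmp, ip, ip6, arp, host, net, port, portrange, each with an optional src/dst qualifier), so that the end of one primitive, and hence the implicit and, is unambiguous. The `Expr`, `parse`, `Parser`, `tokenize` and `OPERATORS` names are this example's own; vlan, mpls, len and the tcp[13] byte-access forms are out of scope here, and the output is fully parenthesised so the precedence decisions can be read off directly.

```rust
/// Boolean layer of a libpcap-style filter; primitives are kept as their raw words.
#[derive(Debug, Clone, PartialEq)]
pub enum Expr { Prim(Vec<String>), Not(Box<Expr>), And(Box<Expr>, Box<Expr>), Or(Box<Expr>, Box<Expr>) }

impl std::fmt::Display for Expr {
    /// Fully parenthesised, so every precedence decision is visible in the output.
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        match self {
            Expr::Prim(w) => write!(f, "{}", w.join(" ")),
            Expr::Not(e) => write!(f, "(not {})", e),
            Expr::And(a, b) => write!(f, "({} and {})", a, b),
            Expr::Or(a, b) => write!(f, "({} or {})", a, b),
        }
    }
}

const OPERATORS: [&str; 6] = ["and", "or", "not", "!", "(", ")"];

/// Whitespace tokenizer that also splits parentheses and `!` off adjacent words.
fn tokenize(s: &str) -> Vec<String> {
    s.replace('(', " ( ").replace(')', " ) ").replace('!', " ! ")
        .split_whitespace().map(str::to_string).collect()
}

struct Parser { toks: Vec<String>, pos: usize }

impl Parser {
    fn peek(&self) -> Option<&str> { self.toks.get(self.pos).map(String::as_str) }
    fn bump(&mut self) -> Option<String> { let t = self.toks.get(self.pos).cloned(); self.pos += 1; t }

    // expr := and_expr ("or" and_expr)*            lowest precedence
    fn or_expr(&mut self) -> Result<Expr, String> {
        let mut lhs = self.and_expr()?;
        while self.peek() == Some("or") {
            self.pos += 1;
            lhs = Expr::Or(Box::new(lhs), Box::new(self.and_expr()?));
        }
        Ok(lhs)
    }

    // and_expr := not_expr ("and"? not_expr)*      juxtaposition is an implicit "and"
    fn and_expr(&mut self) -> Result<Expr, String> {
        let mut lhs = self.not_expr()?;
        loop {
            match self.peek() {
                Some("and") => self.pos += 1,
                Some("or") | Some(")") | None => return Ok(lhs),
                _ => {}
            }
            lhs = Expr::And(Box::new(lhs), Box::new(self.not_expr()?));
        }
    }

    // not_expr := ("not" | "!") not_expr | "(" expr ")" | primitive      highest precedence
    fn not_expr(&mut self) -> Result<Expr, String> {
        match self.peek() {
            Some("not") | Some("!") => { self.pos += 1; Ok(Expr::Not(Box::new(self.not_expr()?))) }
            Some("(") => {
                self.pos += 1;
                let e = self.or_expr()?;
                if self.bump().as_deref() != Some(")") { return Err("expected ')'".into()); }
                Ok(e)
            }
            _ => self.primitive(),
        }
    }

    // primitive := ("src" | "dst")? keyword arg{arity}; a fixed arity is what makes the
    // end of one primitive, and hence the implicit "and", unambiguous.
    fn primitive(&mut self) -> Result<Expr, String> {
        let mut words = Vec::new();
        if matches!(self.peek(), Some("src") | Some("dst")) { words.push(self.bump().unwrap()); }
        let kw = self.bump().ok_or("expected a primitive")?;
        let arity = match kw.as_str() {
            "tcp" | "udp" | "icmp" | "ip" | "ip6" | "arp" => 0,
            "host" | "net" | "port" | "portrange" => 1,
            other => return Err(format!("unknown primitive `{}`", other)),
        };
        words.push(kw);
        for _ in 0..arity {
            let arg = self.bump().filter(|t| !OPERATORS.contains(&t.as_str()));
            let arg = arg.ok_or_else(|| format!("`{}` needs an argument", words.join(" ")))?;
            words.push(arg);
        }
        Ok(Expr::Prim(words))
    }
}

/// Parse a whole expression; leftover tokens (e.g. an unbalanced `)`) are an error.
pub fn parse(filter: &str) -> Result<Expr, String> {
    let mut p = Parser { toks: tokenize(filter), pos: 0 };
    let e = p.or_expr()?;
    match p.peek() { None => Ok(e), Some(t) => Err(format!("unexpected `{}`", t)) }
}

fn main() {
    for f in ["tcp port 443 or udp and not port 53", "!(port 80 or port 443)", "tcp and"].iter() {
        println!("{:40} -> {:?}", f, parse(f).map(|e| e.to_string()));
    }
}
```

With this grammar `tcp port 443 or udp and not port 53` parses as `((tcp and port 443) or (udp and (not port 53)))`, and `not tcp and port 22` as `((not tcp) and port 22)`, which is the libpcap reading; a parser that gave `not` the whole conjunction would silently invert the filter's meaning. The arity table is also what rejects `port and tcp` and a trailing `tcp and` instead of guessing.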
§Compilation pipeline
Calling compile runs the following stages in sequence:
1. Lex (lexer::lex) — tokenise the input string into a Vec<lexer::Spanned>.
2. Parse (parser::parse) — build an ast::Expr tree.
3. Codegen (codegen::compile or ebpf_codegen::compile) — emit BPF instructions with a two-pass jump-patch strategy.
You can stop after any stage if you only need the intermediate
representation. parse is a convenience wrapper for steps 1–2.
§Link types
LinkType tells the compiler how to interpret packet offsets. It must match the socket or hook the program is attached to: a filter compiled for the wrong link type does not fail, it reads its fields from the wrong offsets and silently matches the wrong packets.
| Variant | Header | Typical use |
|---|---|---|
| LinkType::Ethernet | 14-byte Ethernet II | AF_PACKET / pcap |
| LinkType::RawIp | None — packet starts at IP | SOCK_RAW + IPPROTO_* |
| LinkType::LinuxSll | 16-byte Linux SLL | the `any` pseudo-interface in pcap |
§Feature flags
| Feature | Description |
|---|---|
| vm | Enable the software cBPF interpreter (bpf::Program::matches) |
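The codegen stage of the pipeline and the `vm` interpreter fit in a small amount of code. The following Rust is an added example, not code from pktbaffle: it builds the cBPF program for `tcp port 443` on an Ethernet link (IPv4 branch only, so it is shorter than what `tcpdump -dd` emits) with the two-pass jump-patch approach the pipeline describes, where the first pass emits instructions whose jumps name labels and the second resolves them into the 8-bit jt/jf offsets cBPF requires. It also includes a minimal interpreter of the kind the `vm` feature provides, so the program can be checked against a constructed frame offline. The `Insn`, `Builder`, `run`, `to_le_bytes` and `sample_tcp_frame` names are this example's own; the opcode values and the `struct sock_filter` layout are the kernel's.

```rust
/// One classic BPF instruction, laid out like the kernel's `struct sock_filter`.
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Insn { pub code: u16, pub jt: u8, pub jf: u8, pub k: u32 }
// Opcode values from <linux/bpf_common.h>, only the subset this example needs.
pub const LD_H_ABS: u16 = 0x28; // BPF_LD|BPF_H|BPF_ABS    A = big-endian u16 at p[k]
pub const LD_B_ABS: u16 = 0x30; // BPF_LD|BPF_B|BPF_ABS    A = p[k]
pub const LD_H_IND: u16 = 0x48; // BPF_LD|BPF_H|BPF_IND    A = big-endian u16 at p[X+k]
pub const LDX_MSH: u16 = 0xb1;  // BPF_LDX|BPF_B|BPF_MSH   X = 4*(p[k] & 0xf), the IPv4 IHL idiom
pub const JEQ_K: u16 = 0x15;    // BPF_JMP|BPF_JEQ|BPF_K
pub const JSET_K: u16 = 0x45;   // BPF_JMP|BPF_JSET|BPF_K
pub const RET_K: u16 = 0x06;    // BPF_RET|BPF_K

/// Pass one appends instructions whose jumps name labels; pass two (`finish`) patches jt/jf.
pub struct Builder { insns: Vec<Insn>, labels: Vec<Option<usize>>, fixups: Vec<(usize, bool, usize)> }
impl Builder {
    pub fn new() -> Self { Builder { insns: vec![], labels: vec![], fixups: vec![] } }
    pub fn label(&mut self) -> usize { self.labels.push(None); self.labels.len() - 1 }
    pub fn bind(&mut self, l: usize) { self.labels[l] = Some(self.insns.len()); }
    pub fn emit(&mut self, code: u16, k: u32) { self.insns.push(Insn { code, jt: 0, jf: 0, k }); }
    /// Conditional jump; `None` for a branch means fall through to the next instruction.
    pub fn jump(&mut self, code: u16, k: u32, jt: Option<usize>, jf: Option<usize>) {
        let at = self.insns.len();
        self.emit(code, k);
        if let Some(l) = jt { self.fixups.push((at, true, l)); }
        if let Some(l) = jf { self.fixups.push((at, false, l)); }
    }
    pub fn finish(mut self) -> Result<Vec<Insn>, String> {
        for (at, is_jt, l) in std::mem::take(&mut self.fixups) {
            let target = self.labels[l].ok_or("label never bound")?;
            // jt/jf are unsigned 8-bit offsets from the *next* instruction: no backward or long jumps.
            let delta = target.checked_sub(at + 1).ok_or("backward jump")?;
            if delta > 255 { return Err("jump exceeds 255 instructions".into()); }
            if is_jt { self.insns[at].jt = delta as u8 } else { self.insns[at].jf = delta as u8 }
        }
        Ok(self.insns)
    }
}

/// Equivalent of `tcp port PORT` on `LinkType::Ethernet`, IPv4 branch only.
pub fn tcp_port_ipv4_ethernet(port: u16) -> Vec<Insn> {
    let mut b = Builder::new();
    let (ok, fail) = (b.label(), b.label());
    b.emit(LD_H_ABS, 12);                                  // EtherType
    b.jump(JEQ_K, 0x0800, None, Some(fail));
    b.emit(LD_B_ABS, 23);                                  // IPv4 protocol field
    b.jump(JEQ_K, 6, None, Some(fail));                    // 6 = TCP
    b.emit(LD_H_ABS, 20);                                  // IPv4 flags + fragment offset
    b.jump(JSET_K, 0x1fff, Some(fail), None);              // non-first fragments carry no TCP header
    b.emit(LDX_MSH, 14);                                   // X = IPv4 header length, honours options
    b.emit(LD_H_IND, 14);                                  // TCP source port
    b.jump(JEQ_K, u32::from(port), Some(ok), None);
    b.emit(LD_H_IND, 16);                                  // TCP destination port
    b.jump(JEQ_K, u32::from(port), Some(ok), Some(fail));
    b.bind(ok);
    b.emit(RET_K, 0x40000);                                // accept up to 262144 bytes, as tcpdump does
    b.bind(fail);
    b.emit(RET_K, 0);                                      // drop
    b.finish().expect("all labels bound, all jumps short")
}

/// Serialise as `struct sock_filter[]`: 8 bytes per instruction in host order (little-endian here).
pub fn to_le_bytes(prog: &[Insn]) -> Vec<u8> {
    let mut out = Vec::with_capacity(prog.len() * 8);
    for i in prog { out.extend(i.code.to_le_bytes()); out.extend([i.jt, i.jf]); out.extend(i.k.to_le_bytes()); }
    out
}

/// Minimal cBPF interpreter for the opcodes above: the RET value, or `None` on an out-of-bounds
/// load or unknown opcode (the kernel likewise drops the packet in both cases).
pub fn run(prog: &[Insn], pkt: &[u8]) -> Option<u32> {
    let byte = |o: usize| pkt.get(o).map(|&v| u32::from(v));
    let half = |o: usize| Some(byte(o)? << 8 | byte(o + 1)?);
    let (mut a, mut x, mut pc) = (0u32, 0u32, 0usize);
    loop {
        let i = *prog.get(pc)?;
        pc += 1;
        match i.code {
            LD_H_ABS => a = half(i.k as usize)?,
            LD_B_ABS => a = byte(i.k as usize)?,
            LD_H_IND => a = half(x as usize + i.k as usize)?,
            LDX_MSH => x = 4 * (byte(i.k as usize)? & 0xf),
            JEQ_K => pc += (if a == i.k { i.jt } else { i.jf }) as usize,
            JSET_K => pc += (if a & i.k != 0 { i.jt } else { i.jf }) as usize,
            RET_K => return Some(i.k),
            _ => return None,
        }
    }
}

/// Constructed test frame: Ethernet II + IPv4 (IHL 5, no options) + TCP header, no payload.
pub fn sample_tcp_frame(sport: u16, dport: u16) -> Vec<u8> {
    let mut p = vec![0u8; 14 + 20 + 20];
    p[12..14].copy_from_slice(&[0x08, 0x00]);              // EtherType IPv4
    p[14] = 0x45;                                          // version 4, IHL 5
    p[23] = 6;                                             // protocol TCP
    p[34..36].copy_from_slice(&sport.to_be_bytes());
    p[36..38].copy_from_slice(&dport.to_be_bytes());
    p
}

fn main() {
    let prog = tcp_port_ipv4_ethernet(443);
    println!("{} insns; sport 443 -> {:?}", prog.len(), run(&prog, &sample_tcp_frame(443, 51000)));
}
```

Two details are worth noting because the kernel checks them too: the fragment test (`jset 0x1fff`) keeps the filter from reading TCP ports out of the payload of a non-first fragment, and the IHL-derived `X` register means options-bearing headers are handled rather than assumed away. `finish` refuses backward jumps and jumps longer than 255 instructions, which the kernel's cBPF checker would also reject at SO_ATTACH_FILTER time; and a load past the end of a truncated frame makes `run` return `None`, matching the kernel's drop behaviour rather than reading garbage.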
§Modules
- ast
- Abstract syntax tree for libpcap-style filter expressions.
- bpf
- Classic BPF (cBPF) instruction encoding.
- codegen
- BPF bytecode compiler.
- ebpf
- Extended BPF (eBPF) instruction encoding.
- ebpf_codegen
- eBPF code generator.
- error
- Error types returned by all fallible operations in this crate.
- lexer
- Tokenizer for libpcap-style filter expressions.
- optimizer
- Peephole optimizer for BPF instruction sequences.
- parser
- Recursive-descent parser for libpcap-style filter expressions.
§Enums
- Program
- A compiled packet filter program, either cBPF or eBPF.
- Target
- Compilation target: classic BPF or extended BPF.