Ever dreamed of converting your iptables configuration into BPF?

This is now possible using the great, the awesome tool named iptables2bpf!

What the hell?

OK, breathe now. Imagine you are a crazy person who enjoys putting firewalls in production, but you are never sure whether you missed a protocol, so you wait for people to complain.

I do not understand!

marcadet:~# iptables -F
marcadet:~# iptables -X
marcadet:~# iptables -A INPUT -p tcp -s 192.168.0.23 --dport 22 -j ACCEPT
marcadet:~# iptables -A INPUT -p udp -j ACCEPT
marcadet:~# iptables-save > /tmp/tables
toady@marcadet:~/local/scm/svn/iptables-graph$ ./iptables2bpf.py /tmp/tables
 ! (  tcp and src host 192.168.0.23 and dst port 22 || udp)
marcadet:~# tcpdump -i eth1 -n '! (  tcp and src host 192.168.0.23 and dst port 22 || udp)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes

-j ACCEPT?

Yeah, you are not going to put a firewall in production without testing your BPF first, right? The generated expression is the negation of what your ACCEPT rules let through, so tcpdump shows you exactly the traffic the firewall would refuse. You are smart!
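For readers who want to see the translation spelled out, here is an added Python example; it is not the iptables2bpf code (which this page only links to) and it goes a bit beyond the session above. It reads iptables-save output for one chain and builds the tcpdump expression for the packets that chain would drop, honouring first-match order and the chain policy. Assumptions: only `-p`, `-s`, `-d`, `--sport`, `--dport`, a leading `!` and the implicit `-m tcp`/`-m udp` are translated, anything else (interfaces, conntrack state, multiport) raises instead of being silently skipped; the sample input is constructed from the two rules of the session as iptables-save would write them (`/32`, `-m tcp`), with an INPUT policy of DROP so that "everything else" really is dropped; `and`/`or`/`not` are used where the tool printed `&&`-style `||` and `!`.

```python
"""Build a tcpdump/BPF filter for what an iptables chain drops (added example)."""
import shlex
import sys

# Constructed sample: iptables-save output for the two ACCEPT rules of the
# session above, with a DROP policy on INPUT (note the /32 and '-m tcp').
SAMPLE_TABLES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.168.0.23/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -j ACCEPT
COMMIT
"""


def _addr(direction, value):
    """iptables host or CIDR -> 'src host X' / 'src net X/N'."""
    addr, _, plen = value.partition("/")
    if plen and plen != "32":
        return f"{direction} net {addr}/{plen}"
    return f"{direction} host {addr}"


def _port(direction, value):
    """iptables port or 'lo:hi' range -> 'dst port N' / 'dst portrange lo-hi'."""
    lo, _, hi = value.partition(":")
    return f"{direction} portrange {lo}-{hi}" if hi else f"{direction} port {lo}"


# iptables match option -> builder of the equivalent BPF primitive.
_PRIMITIVES = {
    "-p": lambda v: v,  # tcp / udp / icmp are BPF keywords as well
    "-s": lambda v: _addr("src", v),
    "-d": lambda v: _addr("dst", v),
    "--sport": lambda v: _port("src", v),
    "--dport": lambda v: _port("dst", v),
}


def rule_to_bpf(line):
    """Translate one '-A CHAIN ...' line into (chain, target, bpf_expr).

    Matches BPF cannot express (-i, -m state, ...) raise ValueError rather
    than being dropped silently, which would make the tcpdump test worthless.
    """
    tokens = shlex.split(line)
    chain, target, prims, negate, i = tokens[1], None, [], False, 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":  # iptables-save writes '! -s 10.0.0.1/32'
            negate, i = True, i + 1
            continue
        if tok == "-j":
            target = tokens[i + 1]
        elif tok == "-m" and tokens[i + 1] in ("tcp", "udp"):
            pass  # already implied by -p, nothing to emit
        elif tok in _PRIMITIVES:
            prim = _PRIMITIVES[tok](tokens[i + 1])
            prims.append(f"not {prim}" if negate else prim)
        else:
            raise ValueError(f"cannot translate {tok!r} in rule: {line}")
        negate, i = False, i + 2
    # iptables only ever sees IPv4, so a rule without any match is just 'ip'.
    return chain, target, (" and ".join(prims) if prims else "ip")


def tables_to_bpf(text, chain="INPUT"):
    """tcpdump expression matching what CHAIN drops, or None if it drops nothing.

    First match wins in iptables, so every rule is AND-ed with the negation of
    the earlier rules of the opposite verdict before being OR-ed together.
    """
    policy = "ACCEPT"
    seen = {"ACCEPT": [], "DROP": []}  # raw expressions of earlier rules
    effective = {"ACCEPT": [], "DROP": []}  # same, minus what earlier rules took
    for line in text.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith("-A "):
            rule_chain, target, expr = rule_to_bpf(line)
            if rule_chain != chain:
                continue
            verdict = "DROP" if target == "REJECT" else target
            if verdict not in seen:
                raise ValueError(f"unsupported target {target!r}: {line}")
            other = "DROP" if verdict == "ACCEPT" else "ACCEPT"
            shadow = "".join(f" and not ({e})" for e in seen[other])
            effective[verdict].append(f"({expr}{shadow})")
            seen[verdict].append(expr)
    if policy == "DROP":  # dropped = everything the ACCEPT rules do not cover
        acc = effective["ACCEPT"]
        return "not (" + " or ".join(acc) + ")" if acc else "ip"
    return " or ".join(effective["DROP"]) or None  # ACCEPT policy: explicit drops


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TABLES
    print(tables_to_bpf(text))
```

Run it with no argument to get the expression for the constructed sample, or pass the file written by `iptables-save` to translate your own INPUT chain. The ordering logic is what makes the test trustworthy: with an ACCEPT policy, a rule `-s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT` followed by a generic `-p tcp -m tcp --dport 22 -j DROP` yields `(tcp and dst port 22 and not (src net 10.0.0.0/8 and tcp and dst port 22))`, so tcpdump only shows the SSH traffic the firewall would actually refuse. Any match the script cannot express raises, because a filter that quietly omits a condition would make you trust a firewall you never tested.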

The code, Luke! Where is that stuff?

svn co http://software.inl.fr/svn/mirror/tools/iptables-graph
wget http://www.wallinfire.net/files/iptables2bpf.py