Skip to content

Helper function bpf_clone_redirect



Copyright (c) 2015 The Libbpf Authors. All rights reserved.

Clone and redirect the packet associated to skb to another net device of index ifindex. Both ingress and egress interfaces can be used for redirection. The BPF_F_INGRESS value in flags is used to make the distinction (ingress path is selected if the flag is present, egress path otherwise). This is the only flag supported for now.

In comparison with bpf_redirect() helper, bpf_clone_redirect() has the associated cost of duplicating the packet buffer, but this can be executed out of the eBPF program. Conversely, bpf_redirect() is more efficient, but it is handled through an action code where the redirection happens only after the eBPF program has returned.

A call to this helper is susceptible to change the underlying packet buffer. Therefore, at load time, all checks on pointers previously done by the verifier are invalidated and must be performed again, if the helper is used in combination with direct packet access.


0 on success, or a negative error in case of failure. Positive error indicates a potential drop or congestion in the target device. The particular positive error codes are not defined.

static long (* const bpf_clone_redirect)(struct __sk_buff *skb, __u32 ifindex, __u64 flags) = (void *) 13;


Docs could be improved

This part of the docs is incomplete, contributions are very welcome

Program types

This helper call can be used in the following program types:


#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <linux/pkt_cls.h>

int bpf_clone_redirect_example(struct __sk_buff *skb) {

    __u32 if_index = 2; // interface index to redirect to

    int ret = bpf_clone_redirect(skb, if_index, 0); // redirect to egress path because BPF_F_INGRESS flag is not set

    if (ret) {
        bpf_printk("bpf_clone_redirect error: %d", ret);

    return TC_ACT_OK;

char LICENSE[] SEC("license") = "Dual BSD/GPL";