
How to protect an eBPF firewall in traffic filter (tc-bpf)

I'm going to implement a firewall on the traffic control classifier (man 8 tc-bpf). The firewall is to filter outgoing traffic. But there is one point which makes the task really hard: my userspace agent must know whether that filter (classifier) is loaded and passing all outgoing traffic through itself or not. Please tell me:

  1. How to protect the loaded filter from unloading (tc filter [ replace | delete ]) or from other measures which could push it aside from all traffic?
  2. How to hook into traffic control filter changes to let the userspace agent take appropriate measures.
  3. Other ways to implement this kind of firewall.

  1. One needs privileges to set (or remove) TC classifiers, so unprivileged users should not be able to remove your filter. I don't remember the exact set of capabilities required; on recent kernels this is probably CAP_BPF and CAP_NET_ADMIN, older kernels might require CAP_SYS_ADMIN (root).

  2. I think there should be a Netlink notification when the classifiers are changed, you could probably hook into that.

  3. The question is very broad. Are you asking how to set up a firewall on Linux? There are several frameworks available. If you want to do it with eBPF, the XDP hook (at the driver level) is something to consider; it will have better performance than hooking on TC.
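An added example of the Netlink approach in point 2 (this is not code from the question or the answer): a user-space watcher that subscribes to the rtnetlink `RTNLGRP_TC` multicast group and decodes qdisc/filter add and delete events, so the agent learns when its `bpf` classifier or the `clsact` qdisc it hangs on is replaced or removed. The message constants come from `linux/rtnetlink.h`; `build_tc_message` and the sample events are constructed here purely so the parser can be exercised offline.

```python
import socket
import struct

NETLINK_ROUTE = 0
RTNLGRP_TC = 4                        # rtnetlink multicast group for qdisc/class/filter changes
RTM_NEWQDISC, RTM_DELQDISC = 36, 37
RTM_NEWTFILTER, RTM_DELTFILTER = 44, 45
TCA_KIND = 1                          # rtattr carrying the qdisc/filter kind, e.g. "bpf", "clsact"
EVENT_NAMES = {RTM_NEWTFILTER: "filter-added", RTM_DELTFILTER: "filter-removed",
               RTM_NEWQDISC: "qdisc-added", RTM_DELQDISC: "qdisc-removed"}
NLMSG_HDR, TCMSG = "=IHHII", "=BBHiIII"   # struct nlmsghdr (16 bytes), struct tcmsg (20 bytes)


def parse_tc_events(buf):
    """Decode one recv() buffer into (event, ifindex, parent, kind) tuples for TC events."""
    events, off = [], 0
    while off + 16 <= len(buf):
        nlen, ntype, _flags, _seq, _pid = struct.unpack_from(NLMSG_HDR, buf, off)
        if nlen < 16 or off + nlen > len(buf):
            break                                     # truncated message, stop rather than misparse
        if ntype in EVENT_NAMES:
            _fam, _p1, _p2, ifindex, _handle, parent, _info = struct.unpack_from(TCMSG, buf, off + 16)
            kind, aoff = None, off + 36               # attributes follow the 16+20 byte headers
            while aoff + 4 <= off + nlen:
                rlen, rtype = struct.unpack_from("=HH", buf, aoff)
                if rlen < 4:
                    break
                if rtype == TCA_KIND:
                    kind = buf[aoff + 4:aoff + rlen].rstrip(b"\0").decode()
                aoff += (rlen + 3) & ~3               # rtattrs are 4-byte aligned
            events.append((EVENT_NAMES[ntype], ifindex, parent, kind))
        off += (nlen + 3) & ~3                        # so are netlink messages
    return events


def build_tc_message(ntype, ifindex, parent, kind):
    """Constructed test helper: emit a message shaped like the kernel's TC notifications."""
    kind_b = kind.encode() + b"\0"
    rta = struct.pack("=HH", 4 + len(kind_b), TCA_KIND) + kind_b
    rta += b"\0" * ((-len(rta)) % 4)
    body = struct.pack(TCMSG, socket.AF_UNSPEC, 0, 0, ifindex, 0, parent, 0) + rta
    return struct.pack(NLMSG_HDR, 16 + len(body), ntype, 0, 0, 0) + body


def watch(callback):
    """Subscribe to RTNLGRP_TC and pass every decoded event to callback(event, ifindex, parent, kind)."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE)
    s.bind((0, 1 << (RTNLGRP_TC - 1)))   # legacy group bitmask: RTMGRP_TC
    while True:
        for ev in parse_tc_events(s.recv(65536)):
            callback(*ev)


if __name__ == "__main__":   # parent 0xFFFFFFF3 is clsact egress, where a tc-bpf egress filter sits
    watch(lambda ev, ifi, parent, kind: print(f"{ev}: ifindex={ifi} parent={parent:#x} kind={kind}"))
```

Listening on this group needs no special privilege, so the agent can run unprivileged and simply treat a `filter-removed` for its interface and parent (or a `qdisc-removed` of the `clsact` qdisc) as the signal to re-check and re-install its classifier.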
