How to protect an eBPF firewall in traffic filter (tc-bpf)
I'm going to implement a firewall on the traffic control classifier (man 8 tc-bpf). The firewall is to filter outgoing traffic. But there is one point which makes the task really hard: my userspace agent must know whether that filter (classifier) is loaded and passing all outgoing traffic through itself or not. Please tell me:
One needs privileges to set (or remove) TC classifiers, so unprivileged users should not be able to remove your filter. I don't remember the exact set of capabilities required; on recent kernels this is probably CAP_BPF and CAP_NET_ADMIN, older kernels might require CAP_SYS_ADMIN (root).

I think there should be a Netlink notification when the classifiers are changed, you could probably hook into that.
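As an added example (not part of the original question or either answer), the following POSIX shell functions show how a userspace agent can verify, from the output of `tc filter show dev <if> egress`, that its BPF classifier is attached for all protocols in direct-action mode and that no lower-pref filter is queued ahead of it on the egress hook. The program name `fw_egress.o:[classifier]`, the interface name and the sample `tc` output embedded in the block are constructed for illustration; the line format assumed is the one iproute2 prints for a BPF classifier on a clsact qdisc.

```shell
#!/bin/sh
# Added example: check from userspace that a tc-bpf egress classifier is
# attached, sees all protocols, and is the first filter on the hook.
# Assumed iproute2 output format for a BPF classifier (hypothetical sample):
#   filter protocol all pref <n> bpf chain 0 handle 0x<h> <obj>:[<sec>] direct-action ...

# tc_bpf_attached NAME: read `tc filter show` output on stdin; succeed if a
# BPF classifier NAME is attached with "protocol all" (every egress frame
# reaches it) and "direct-action" (its return code is the verdict).
tc_bpf_attached() {
    grep -E '^filter protocol all pref [0-9]+ bpf .* handle 0x[0-9a-f]+ ' \
        | grep -F -- "$1 direct-action" >/dev/null
}

# tc_bpf_pref NAME: print the pref (priority) of classifier NAME, or nothing
# if it is not present.
tc_bpf_pref() {
    awk -v name="$1" '
        /^filter / && index($0, " handle 0x") && index($0, " " name " ") {
            for (i = 1; i < NF; i++) if ($i == "pref") { print $(i + 1); exit }
        }'
}

# tc_bpf_runs_first NAME: succeed if NAME has the lowest pref on the hook.
# Filters run in ascending pref order, so a lower-pref filter could return a
# verdict (e.g. pass) before the firewall ever sees the packet.
tc_bpf_runs_first() {
    awk -v name="$1" '
        /^filter / {
            for (i = 1; i < NF; i++) if ($i == "pref") p = $(i + 1) + 0
            if (min == "" || p < min) min = p
            if (index($0, " handle 0x") && index($0, " " name " ")) mine = p
        }
        END { exit !(mine != "" && mine == min) }'
}

# check_egress_firewall IFACE NAME: run the checks against the live egress
# hook of IFACE (assumes iproute2 is installed; dumping filters normally
# needs no privileges, changing them needs CAP_NET_ADMIN).
check_egress_firewall() {
    out=$(tc filter show dev "$1" egress) || return 2
    printf '%s\n' "$out" | tc_bpf_attached "$2" \
        || { echo "$2 is not attached on $1 egress for all protocols"; return 1; }
    printf '%s\n' "$out" | tc_bpf_runs_first "$2" \
        || { echo "$2 is shadowed by a lower-pref filter on $1 egress"; return 1; }
    echo "$2 attached on $1 egress, pref $(printf '%s\n' "$out" | tc_bpf_pref "$2")"
}

# Constructed sample dumps (not captured from a real host).
# Healthy: firewall attached for all protocols, nothing ahead of it.
SAMPLE_OK='filter protocol all pref 49152 bpf chain 0
filter protocol all pref 49152 bpf chain 0 handle 0x1 fw_egress.o:[classifier] direct-action not_in_hw id 42 tag 3b185187f1855c4c jited'

# Broken: attached only for IPv4, so non-IP egress traffic bypasses it.
SAMPLE_IP_ONLY='filter protocol ip pref 49152 bpf chain 0
filter protocol ip pref 49152 bpf chain 0 handle 0x1 fw_egress.o:[classifier] direct-action not_in_hw id 42 tag 3b185187f1855c4c jited'

# Broken: another direct-action program at pref 1 runs before the firewall.
SAMPLE_SHADOWED='filter protocol all pref 1 bpf chain 0
filter protocol all pref 1 bpf chain 0 handle 0x1 bypass.o:[classifier] direct-action not_in_hw id 7 tag 0123456789abcdef jited
filter protocol all pref 49152 bpf chain 0
filter protocol all pref 49152 bpf chain 0 handle 0x1 fw_egress.o:[classifier] direct-action not_in_hw id 42 tag 3b185187f1855c4c jited'
```

On a real host, `check_egress_firewall eth0 'fw_egress.o:[classifier]'` performs the same checks against the live hook. For the event-driven variant the answer above hints at, iproute2's `tc monitor` prints the netlink (RTNLGRP_TC) notifications for added and deleted qdiscs and filters; an agent can re-run the check whenever such an event names its interface instead of polling.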
The question is very broad. Are you asking how to set up a firewall on Linux? There are several frameworks available. If you want to do it with eBPF, the XDP hook (at the driver level) is something to consider, it will have a better performance than hooking on TC.