I'm going to implement a firewall on the traffic control classifier (man 8 tc-bpf). The firewall is to filter outgoing traffic. But there is one point which makes the task really hard: my userspace agent must know whether that filter (classifier) is loaded and passing all outgoing traffic through itself or not. Please tell me:
One needs privileges to set (or remove) TC classifiers, so unprivileged users should not be able to remove your filter. I don't remember the exact set of capabilities required; on recent kernels this is probably CAP_BPF and CAP_NET_ADMIN, while older kernels might require CAP_SYS_ADMIN (root).
I think there should be a Netlink notification when the classifiers are changed, you could probably hook into that.
The question is very broad. Are you asking how to set up a firewall on Linux? There are several frameworks available. If you want to do it with eBPF, the XDP hook (at the driver level) is something to consider; it will have better performance than hooking on TC.
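One way for the userspace agent to verify that the tc-bpf egress classifier is still attached, and to re-check on the Netlink change notifications mentioned above (followed here through `tc monitor`), as an added example that is not part of the question or the answers. The interface eth0, the program label fw_egress.o:[classifier] and the sample tc output are constructed placeholders, and the event text matched in watch_changes assumes iproute2's textual output format.

```shell
#!/bin/sh
# Added example, not code from the question or answers. Checks from userspace
# whether a tc-bpf egress classifier is still attached and re-verifies after
# each RTNETLINK filter event seen by `tc monitor`. IFACE and PROG_NAME are
# placeholders.

IFACE="${IFACE:-eth0}"
# object:section label that tc prints for the loaded program (placeholder)
PROG_NAME="${PROG_NAME:-fw_egress.o:[classifier]}"

# filter_present TEXT: succeed if TEXT (output of `tc filter show ... egress`)
# lists a bpf classifier for PROG_NAME running in direct-action mode.
filter_present() {
    printf '%s\n' "$1" | grep ' bpf ' | grep -F "$PROG_NAME" | grep -Fq 'direct-action'
}

# Query the kernel once. Running tc needs CAP_NET_ADMIN (root on older kernels).
check_now() {
    filter_present "$(tc filter show dev "$IFACE" egress 2>/dev/null)"
}

# Follow filter add/replace/delete events (tc monitor prints lines such as
# "deleted filter dev eth0 egress ..."; format assumed from iproute2) and
# re-verify after each event that concerns IFACE.
watch_changes() {
    tc monitor | while IFS= read -r event; do
        case "$event" in
            *"filter dev $IFACE "*)
                if check_now; then echo "ok: egress filter attached"
                else echo "ALERT: egress filter missing ($event)"; fi ;;
        esac
    done
}

# Constructed sample of `tc filter show dev eth0 egress` with the filter attached.
SAMPLE_ATTACHED='filter protocol all pref 49152 bpf chain 0
filter protocol all pref 49152 bpf chain 0 handle 0x1 fw_egress.o:[classifier] direct-action not_in_hw id 42 tag 0123456789abcdef jited'
# Constructed sample after the filter was deleted (no classifiers left).
SAMPLE_EMPTY=''
# Constructed sample with a different bpf program attached instead of ours.
SAMPLE_OTHER='filter protocol all pref 49152 bpf chain 0 handle 0x1 other.o:[cls] direct-action not_in_hw id 7 tag fedcba9876543210 jited'

# Usage: ./check_egress_filter.sh check   (one-shot)  |  watch   (follow events)
case "${1:-}" in
    check) check_now && echo "attached" || { echo "missing"; exit 1; } ;;
    watch) watch_changes ;;
esac
```

A filter can also disappear because the clsact qdisc itself is removed, so an agent that only follows filter events should additionally re-check after qdisc events for the same interface.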