cbsensor-linux-bpf

Basic Network Isolation/Firewall via tc

Open jrmwooldridge opened this issue 5 years ago • 0 comments

Basic tc Exception Policy Oriented Firewall

  • A basic packet exception policy should be created first
    • Allow core DNS packets, ICMP and perhaps other IP based protocols
  • Dynamic exception list policy will likely be the next step
    • Global BPF Hashmap will likely be needed next

Packet Drop Events

  • First, generate packet drop events at the per-packet level
    • Allows userspace to propagate network events
  • Leverage a BPF Map to cache repetitive dropped packets
    • Reduce number of events sent to userspace/filling up perf output buffers
    • May be similar to or inverse of exception policy map
    • Event Burst cache might be the simplest approach
    • Refer to UDP Event Cache as a guide

jrmwooldridge · Jul 24 '20 13:07
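The two pieces the issue sketches, a static exception policy (ICMP and DNS pass, everything else is dropped) and a per-flow burst cache that keeps repeated drops of the same flow from flooding the perf buffer, can be modelled in plain C before they are moved into a tc classifier. The example below is added here and is not code from cbsensor-linux-bpf; it is a userspace stand-in for the BPF program, so `classify` takes the timestamp as a parameter where a BPF program would call `bpf_ktime_get_ns()`, a fixed-size array stands in for the BPF hash map, and the verdict constants, the flow key, the 1 s burst window and the constructed sample frames are all assumptions of this model. Non-IPv4 frames (for example ARP) are passed through unchanged, which is also a choice of the model, not of the project.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts named after the tc actions a BPF classifier returns. */
enum { TC_ACT_OK = 0, TC_ACT_SHOT = 2 };
enum { ETH_HLEN = 14, ETH_P_IP = 0x0800, IP_PROTO_ICMP = 1, IP_PROTO_TCP = 6, IP_PROTO_UDP = 17 };

/* Flow key used for the drop-event cache; every field is set explicitly so
 * entries can be compared field by field (no memcmp over padding). */
struct flow_key {
    uint32_t saddr;   /* network byte order, as read from the header */
    uint32_t daddr;
    uint16_t dport;   /* host byte order; 0 for protocols without ports */
    uint8_t  proto;
};

/* Parse Ethernet/IPv4/L4. Each read is preceded by a length check, mirroring
 * the bounds checks the BPF verifier requires on skb data pointers. */
static bool parse_frame(const uint8_t *data, size_t len, struct flow_key *key)
{
    memset(key, 0, sizeof(*key));
    if (len < ETH_HLEN + 20) return false;
    if ((uint16_t)((data[12] << 8) | data[13]) != ETH_P_IP) return false;
    const uint8_t *ip = data + ETH_HLEN;
    if ((ip[0] >> 4) != 4) return false;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;                /* header length in bytes */
    if (ihl < 20 || len < ETH_HLEN + ihl) return false;
    key->proto = ip[9];
    memcpy(&key->saddr, ip + 12, sizeof(key->saddr));
    memcpy(&key->daddr, ip + 16, sizeof(key->daddr));
    if (key->proto == IP_PROTO_UDP || key->proto == IP_PROTO_TCP) {
        if (len < ETH_HLEN + ihl + 4) return false;         /* need both port fields */
        const uint8_t *l4 = ip + ihl;
        key->dport = (uint16_t)((l4[2] << 8) | l4[3]);
    }
    return true;
}

/* Static exception policy from the issue: ICMP and DNS pass, other IPv4 is dropped. */
static int policy_verdict(const struct flow_key *key)
{
    if (key->proto == IP_PROTO_ICMP) return TC_ACT_OK;
    if ((key->proto == IP_PROTO_UDP || key->proto == IP_PROTO_TCP) && key->dport == 53)
        return TC_ACT_OK;
    return TC_ACT_SHOT;
}

/* Burst cache standing in for a BPF hash map: the first drop of a flow inside a
 * window is reported to userspace, repeats inside the window are counted only. */
#define CACHE_SLOTS 64
#define BURST_WINDOW_NS 1000000000ULL   /* 1 s, an assumed window */

struct cache_entry { bool used; struct flow_key key; uint64_t first_ns; uint32_t suppressed; };
static struct cache_entry drop_cache[CACHE_SLOTS];

static void drop_cache_reset(void) { memset(drop_cache, 0, sizeof(drop_cache)); }

static bool key_equal(const struct flow_key *a, const struct flow_key *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr && a->dport == b->dport && a->proto == b->proto;
}

static uint32_t key_hash(const struct flow_key *k)      /* FNV-1a over the key fields */
{
    uint32_t h = 2166136261u;
    h = (h ^ k->saddr) * 16777619u;
    h = (h ^ k->daddr) * 16777619u;
    h = (h ^ k->dport) * 16777619u;
    return (h ^ k->proto) * 16777619u;
}

/* Returns true when userspace should receive a drop event for this packet. */
static bool should_emit_drop_event(const struct flow_key *key, uint64_t now_ns)
{
    struct cache_entry *e = &drop_cache[key_hash(key) % CACHE_SLOTS];
    if (e->used && key_equal(&e->key, key) && now_ns - e->first_ns < BURST_WINDOW_NS) {
        e->suppressed++;                                     /* same burst: stay quiet */
        return false;
    }
    /* New flow, evicted slot, or expired window: open a new burst and report it. */
    e->used = true; e->key = *key; e->first_ns = now_ns; e->suppressed = 0;
    return true;
}

/* tc-style entry point: returns the verdict and whether to send a drop event. */
static int classify(const uint8_t *data, size_t len, uint64_t now_ns, bool *emit_event)
{
    struct flow_key key;
    *emit_event = false;
    if (!parse_frame(data, len, &key)) return TC_ACT_OK;   /* model choice: non-IPv4 passes */
    int verdict = policy_verdict(&key);
    if (verdict == TC_ACT_SHOT) *emit_event = should_emit_drop_event(&key, now_ns);
    return verdict;
}

/* Constructed sample frame: Ethernet + 20-byte IPv4 + 8 bytes of L4 header. */
static size_t build_ipv4_frame(uint8_t *buf, uint8_t proto, uint16_t dport)
{
    static const uint8_t eth[ETH_HLEN] = {2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00};
    static const uint8_t src[4] = {10,0,0,5}, dst[4] = {10,0,0,53};
    memcpy(buf, eth, ETH_HLEN);
    uint8_t *ip = buf + ETH_HLEN;
    memset(ip, 0, 28);
    ip[0] = 0x45; ip[3] = 28; ip[8] = 64; ip[9] = proto;    /* IHL 5, len 28, TTL 64 */
    memcpy(ip + 12, src, 4); memcpy(ip + 16, dst, 4);
    ip[20] = 0xc0; ip[22] = (uint8_t)(dport >> 8); ip[23] = (uint8_t)dport; /* sport 49152 */
    return ETH_HLEN + 28;
}

int main(void)
{
    uint8_t frame[64]; bool emit;
    drop_cache_reset();
    size_t n = build_ipv4_frame(frame, IP_PROTO_UDP, 53);
    printf("udp/53 -> %s\n", classify(frame, n, 0, &emit) == TC_ACT_OK ? "pass" : "drop");
    n = build_ipv4_frame(frame, IP_PROTO_TCP, 4444);
    for (uint64_t t = 0; t < 3; t++) {                      /* 0.0 s, 0.6 s, 1.2 s */
        int v = classify(frame, n, t * 600000000ULL, &emit);
        printf("tcp/4444 at %.1fs -> %s, event=%d\n", t * 0.6, v == TC_ACT_SHOT ? "drop" : "pass", emit);
    }
    return 0;
}
```

Two details carry over directly to the BPF version: the cache is keyed on the flow rather than the packet, which is what makes it an inverse of the exception policy map the issue mentions, and the suppressed counter is kept in the entry so userspace can later read how many drops a single event stood for.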