
How to protect an eBPF firewall in traffic filter (tc-bpf)

I’m going to implement a firewall on the traffic control classifier (man 8 tc-bpf). The firewall is to filter outgoing traffic. But there is one point which makes the task really hard: my userspace agent must know whether that filter (classifier) is loaded and passing all outgoing traffic through itself or not. Please tell me:

  1. How to protect the loaded filter from unloading (tc filter [ replace | delete ]) or other measures which could put it aside from all traffic?
  2. How to hook up on traffic control filter changes to let the userspace agent take appropriate measures.
  3. Other ways to implement such kind of firewall.


Answer

  1. One needs privileges to set (or remove) TC classifiers, so unprivileged users should not be able to remove your filter. I don’t remember the exact set of capabilities required; on recent kernels this is probably CAP_BPF and CAP_NET_ADMIN, older kernels might require CAP_SYS_ADMIN (root).

  2. I think there should be a Netlink notification when the classifiers are changed, you could probably hook into that.

  3. The question is very broad. Are you asking how to set up a firewall on Linux? There are several frameworks available. If you want to do it with eBPF, the XDP hook (at the driver level) is something to consider; it will have better performance than hooking on TC.

User contributions licensed under: CC BY-SA
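The Netlink notification mentioned in point 2 of the answer is delivered on the rtnetlink multicast group RTNLGRP_TC: every `tc filter add`, `replace` or `delete` produces an RTM_NEWTFILTER or RTM_DELTFILTER message carrying a `tcmsg` (interface index and parent hook) plus a TCA_KIND attribute naming the classifier ("bpf" for tc-bpf). The following is an added example, not code from the question or the answer. It assumes a Linux host, that the filter was attached with `tc filter add dev ... egress`, so its parent is the clsact egress hook (ffff:fff3), and that the agent only cares about its own interface index. The message constants are taken from `<linux/rtnetlink.h>`; the sample messages the test feeds to the parser are constructed by hand with the same builder the agent uses for its RTM_GETTFILTER self-check dump.

```python
"""Userspace watcher for tc filter changes over rtnetlink (added example).

Assumptions: Linux, filter attached on the clsact egress hook, classifier
kind "bpf". Constants are from <linux/rtnetlink.h>; sample messages are
built locally with build_tc_message(), so the parser can be exercised
without a kernel.
"""
import socket
import struct

# rtnetlink message types for filters and the flags tc uses on them
RTM_NEWTFILTER, RTM_DELTFILTER, RTM_GETTFILTER = 44, 45, 46
NLM_F_REQUEST, NLM_F_REPLACE, NLM_F_DUMP = 0x01, 0x100, 0x300
RTMGRP_TC = 0x8                       # legacy bitmask for the RTNLGRP_TC group
TCA_KIND = 1                          # attribute carrying the classifier name
TC_H_CLSACT_INGRESS = 0xFFFFFFF2      # parent of filters added with "ingress"
TC_H_CLSACT_EGRESS = 0xFFFFFFF3       # parent of filters added with "egress"

NLMSG_HDR = struct.Struct("=IHHII")   # nlmsg_len, type, flags, seq, pid
TCMSG = struct.Struct("=BBHiIII")     # family, pad, pad, ifindex, handle, parent, info
RTATTR = struct.Struct("=HH")         # rta_len, rta_type


def _align4(n):
    return (n + 3) & ~3


def build_tc_message(nl_type, flags, ifindex, parent, kind=None, seq=1):
    """Serialize one rtnetlink filter message (used for requests and test input)."""
    attrs = b""
    if kind is not None:
        payload = kind.encode() + b"\0"
        attrs = RTATTR.pack(RTATTR.size + len(payload), TCA_KIND) + payload
        attrs += b"\0" * (_align4(len(attrs)) - len(attrs))
    body = TCMSG.pack(socket.AF_UNSPEC, 0, 0, ifindex, 0, parent, 0) + attrs
    return NLMSG_HDR.pack(NLMSG_HDR.size + len(body), nl_type, flags, seq, 0) + body


def parse_tc_events(buf):
    """Return [(event, ifindex, parent, kind), ...] for the filter messages in buf.

    event is "add", "replace" or "del". The kernel echoes the requester's
    nlmsg_flags into the notification, which is how a replace is told apart
    from a plain add. Messages of other types (qdisc, class, NLMSG_DONE) are skipped.
    """
    events, off = [], 0
    while off + NLMSG_HDR.size <= len(buf):
        nl_len, nl_type, flags, _seq, _pid = NLMSG_HDR.unpack_from(buf, off)
        if nl_len < NLMSG_HDR.size or off + nl_len > len(buf):
            break  # truncated or malformed; never trust nlmsg_len blindly
        if nl_type in (RTM_NEWTFILTER, RTM_DELTFILTER):
            body = off + NLMSG_HDR.size
            _f, _p1, _p2, ifindex, _handle, parent, _info = TCMSG.unpack_from(buf, body)
            kind, a, end = None, body + TCMSG.size, off + nl_len
            while a + RTATTR.size <= end:
                rta_len, rta_type = RTATTR.unpack_from(buf, a)
                if rta_len < RTATTR.size or a + rta_len > end:
                    break
                if rta_type == TCA_KIND:
                    kind = buf[a + RTATTR.size:a + rta_len].rstrip(b"\0").decode()
                a += _align4(rta_len)
            if nl_type == RTM_DELTFILTER:
                event = "del"
            else:
                event = "replace" if flags & NLM_F_REPLACE else "add"
            events.append((event, ifindex, parent, kind))
        off += _align4(nl_len)
    return events


def egress_bpf_filter_touched(buf, ifindex):
    """True if any event in buf deletes or replaces a bpf filter on our egress hook."""
    return any(ev in ("del", "replace") and ifi == ifindex
               and parent == TC_H_CLSACT_EGRESS and kind == "bpf"
               for ev, ifi, parent, kind in parse_tc_events(buf))


def build_egress_filter_dump(ifindex, seq=1):
    """RTM_GETTFILTER dump request for the egress hook: the agent's periodic
    self-check, since a notification can be missed if the socket buffer overflows."""
    return build_tc_message(RTM_GETTFILTER, NLM_F_REQUEST | NLM_F_DUMP,
                            ifindex, TC_H_CLSACT_EGRESS, seq=seq)


def monitor(ifindex, on_tamper):
    """Block on RTNLGRP_TC and call on_tamper(events) when our filter is touched."""
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
    s.bind((0, RTMGRP_TC))            # (pid, group bitmask); needs no capability
    while True:
        buf = s.recv(65536)
        if egress_bpf_filter_touched(buf, ifindex):
            on_tamper(parse_tc_events(buf))


if __name__ == "__main__":
    import sys
    # Usage: python watcher.py <ifindex>; run `tc filter del dev eth0 egress` elsewhere.
    monitor(int(sys.argv[1]), lambda evs: print("filter changed:", evs))
```

Listening on RTMGRP_TC needs no capability, so the agent can run unprivileged and only escalate (re-attach the filter) when it sees a `del` or `replace` on its hook. The dump request is there because multicast delivery is lossy under load: an agent that only reacts to notifications should also confirm with `build_egress_filter_dump()` that a "bpf" filter is still present on the egress parent, and on a missed event the next dump will show the gap.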