Removing clsact while eBPF program is still attached

Removing clsact while eBPF program is still attached

[Dropify Drop]

Hi,
I am playing around with eBPF + TC and wrote some eBPF code to
intercept egress and ingress traffic (clsact qdisc) .
All works great but while the eBPF program is still attached I can via
command line remove the associated clsact qdisc (tc qdisc del dev
<interface> clsact) and the eBPF program no longer receives the
traffic. It is kind of expected but any root user can silently disable
it.

Is there any better approach?

eBPF program only allows traffic to/from some preconfigured IP & Ports.

Thanks & regard,
Dominic

Re: Removing clsact while eBPF program is still attached

[Toke Høiland-Jørgensen]

Dropify Drop <d.dropify@gmail.com> writes:

> Hi,
> I am playing around with eBPF + TC and wrote some eBPF code to
> intercept egress and ingress traffic (clsact qdisc) .
> All works great but while the eBPF program is still attached I can via
> command line remove the associated clsact qdisc (tc qdisc del dev
> <interface> clsact) and the eBPF program no longer receives the
> traffic. It is kind of expected but any root user can silently disable
> it.

Well, any root user can also down the interface or do, well, anything,
really, that's kinda the point of having root...

So, erm, don't give root access to people you don't trust not to mess up
your system? :)

-Toke