by glandium
3261 days ago
BPF was initially added for packet filtering, iirc. Compiling kernel modules for each filtering rule you'd add would not really work out very well. Since then, BPF has grown to be used by more subsystems, including tracing, and allows user programs to do advanced (and fast) things. See for example https://github.com/ahupowerdns/secfilter . AFAIK, this doesn't require privileges, which loading a kernel module would.
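The comment above rests on BPF being a tiny, bounds-checked program the kernel interprets rather than native code it has to trust, which is why loading a filter needs no module and no root. As an added illustration (not code from the comment, from secfilter, or from the kernel), here is a userspace interpreter for a subset of classic BPF that reuses the kernel's own `struct sock_filter` encoding from `<linux/filter.h>` (so it assumes a Linux build environment), a "udp and dst port 53" filter written in that encoding, and a handful of constructed Ethernet frames to run it over. The frames are hand-built, not captures.

```c
/* Added example, not from the comment above or from secfilter: a userspace
 * interpreter for a subset of classic BPF, using the kernel's instruction
 * encoding from <linux/filter.h> (assumes Linux headers). The same
 * sock_filter array could be handed to setsockopt(SO_ATTACH_FILTER). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/filter.h>

/* Big-endian load of `size` bytes at `off`. Fails instead of reading past
 * the buffer; the kernel drops the packet in that case, and so do we. */
static int load_be(const uint8_t *pkt, size_t len, size_t off, size_t size,
                   uint32_t *out)
{
    if (off > len || len - off < size)
        return -1;
    uint32_t v = 0;
    for (size_t i = 0; i < size; i++)
        v = (v << 8) | pkt[off + i];
    *out = v;
    return 0;
}

/* Run a cBPF program over a packet. Returns the number of bytes to accept,
 * 0 meaning drop, which is how the kernel's socket filter reads the result.
 * Supports ABS/IND loads, the IPv4-header-length LDX|MSH idiom, JEQ against
 * a constant, and RET; any other opcode rejects the packet. jt/jf are
 * offsets relative to the next instruction, as in the kernel. */
uint32_t cbpf_run(const struct sock_filter *prog, size_t ninsns,
                  const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0, v;

    for (size_t pc = 0; pc < ninsns; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
        case BPF_LD | BPF_H | BPF_ABS:
        case BPF_LD | BPF_B | BPF_ABS:
        case BPF_LD | BPF_H | BPF_IND:
        case BPF_LD | BPF_B | BPF_IND: {
            size_t n = BPF_SIZE(in->code) == BPF_W ? 4
                     : BPF_SIZE(in->code) == BPF_H ? 2 : 1;
            size_t off = (BPF_MODE(in->code) == BPF_IND ? (size_t)X : 0) + in->k;
            if (load_be(pkt, len, off, n, &v) < 0)
                return 0;
            A = v;
            break;
        }
        case BPF_LDX | BPF_B | BPF_MSH:      /* X = 4 * (pkt[k] & 0xf) */
            if (load_be(pkt, len, in->k, 1, &v) < 0)
                return 0;
            X = 4 * (v & 0xf);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return 0;                        /* unsupported opcode: reject */
        }
    }
    return 0;  /* ran off the end; the kernel refuses to load such a program */
}

/* "udp and dst port 53" over an Ethernet frame, in the form tcpdump -dd
 * prints filters (fragment handling omitted for brevity). */
const struct sock_filter dns_filter[] = {
    BPF_STMT(BPF_LD | BPF_H | BPF_ABS, 12),            /* A = EtherType     */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 6), /* not IPv4 -> drop  */
    BPF_STMT(BPF_LD | BPF_B | BPF_ABS, 23),            /* A = IP protocol   */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 17, 0, 4),     /* not UDP -> drop   */
    BPF_STMT(BPF_LDX | BPF_B | BPF_MSH, 14),           /* X = IP hdr length */
    BPF_STMT(BPF_LD | BPF_H | BPF_IND, 16),            /* A = UDP dst port  */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, 53, 0, 1),     /* not 53 -> drop    */
    BPF_STMT(BPF_RET | BPF_K, 0xffffffff),             /* accept packet     */
    BPF_STMT(BPF_RET | BPF_K, 0),                      /* drop              */
};
const size_t dns_filter_len = sizeof(dns_filter) / sizeof(dns_filter[0]);

/* Constructed frames (not captures): 14-byte Ethernet header, then IPv4. */
#define ETH_IPV4 0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00
#define ETH_ARP  0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x06
#define IPV4(ihl, proto) ihl,0,0,0x1c, 0,0,0x40,0, 0x40,proto,0,0, 127,0,0,1, 127,0,0,1
const uint8_t pkt_dns[]   = { ETH_IPV4, IPV4(0x45, 17), 0x30,0x39, 0x00,0x35, 0,8, 0,0 };
const uint8_t pkt_http[]  = { ETH_IPV4, IPV4(0x45, 17), 0x30,0x39, 0x00,0x50, 0,8, 0,0 };
const uint8_t pkt_tcp[]   = { ETH_IPV4, IPV4(0x45, 6),  0x30,0x39, 0x00,0x35, 0,0, 0,0 };
const uint8_t pkt_arp[]   = { ETH_ARP, 0,1, 8,0, 6,4, 0,1 };
/* IHL=6: four option bytes shift the UDP header; LDX|MSH accounts for it. */
const uint8_t pkt_opts[]  = { ETH_IPV4, IPV4(0x46, 17), 0,0,0,0, 0x30,0x39, 0x00,0x35, 0,8, 0,0 };
/* Cut off after the IP header: the port load is out of bounds, so drop. */
const uint8_t pkt_short[] = { ETH_IPV4, IPV4(0x45, 17) };

int main(void)
{
    printf("dns=%u http=%u short=%u\n",
           cbpf_run(dns_filter, dns_filter_len, pkt_dns, sizeof pkt_dns),
           cbpf_run(dns_filter, dns_filter_len, pkt_http, sizeof pkt_http),
           cbpf_run(dns_filter, dns_filter_len, pkt_short, sizeof pkt_short));
    return 0;
}
```

The interesting behaviour is in the failure paths: a load past the end of the packet, an opcode the interpreter doesn't know, or a program that falls off the end all turn into "drop" rather than into a memory read the program controls. The real kernel goes further and rejects such programs at load time (it also checks that every jump lands inside the program), which is what makes handing an untrusted filter to the kernel safe in a way that handing it a module never could be.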
For production, placing all rules in a single module seems best. If you could avoid the overhead of executing BPF in production, wouldn't you?
I agree with the privilege argument but I don't think normal users can filter packets or add tracing with the current situation either.