by dangisafascist 3260 days ago
For experimentation and testing, a kernel module for each rule doesn't seem unworkable. Just hide all the details behind a nice tool.

For production, placing all rules in a single module seems best. If you could avoid the overhead of executing BPF in production, wouldn't you?

I agree with the privilege argument but I don't think normal users can filter packets or add tracing with the current situation either.

1 comment

See the github link I gave. Also, the chromium sandbox doesn't require privilege elevation and uses seccomp BPF.
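As an added illustration of the reply's point about unprivileged seccomp BPF (example code written for this page, not from Chromium or the linked repository): a plain user process sets PR_SET_NO_NEW_PRIVS and then installs a filter that fails ptrace(2) with EPERM and allows every other syscall. The audit-arch selection and the choice of ptrace as the denied call are assumptions for the demo.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>

/* Assumption for this demo: choose the audit arch constant at compile time. */
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Copy the filter into out and return its instruction count (0 if cap is too
 * small). Policy: kill on foreign ABI, fail ptrace(2) with EPERM, allow the rest. */
size_t build_filter(struct sock_filter *out, size_t cap) {
    const struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ptrace, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    size_t n = sizeof insns / sizeof insns[0];
    if (cap < n) return 0;
    for (size_t i = 0; i < n; i++) out[i] = insns[i];
    return n;
}

/* Install it with no privilege at all: PR_SET_NO_NEW_PRIVS is what lets an
 * unprivileged process call PR_SET_SECCOMP. Returns 0 on success, -1 on error. */
int install_filter(void) {
    struct sock_filter insns[16];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(insns, 16), .filter = insns };
    if (prog.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

int main(void) {
    if (install_filter() != 0) { perror("install_filter"); return 1; }
    long r = ptrace(PTRACE_TRACEME, 0, NULL, NULL); /* now fails with EPERM */
    printf("ptrace -> %ld, errno=%d (EPERM=%d)\n", r, errno, EPERM);
    return 0;
}
```

Built with gcc on Linux and run as an ordinary user, it shows ptrace failing with EPERM while the process itself keeps running, which is the whole point of the no-privilege sandbox model.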