科技回声

7 条评论

ldng超过 5 年前

Maybe someone can enlighten me because I'm failing to see the relevance of SystemD here.So the idea is, instead of having a central firewall managing all the host rules, each service define it's own firewall policy ? How do I override a policy ?I maybe missing something but somehow I'm not sure it's the right place to do this.I'll end up joining the camp of SystemD does too much and breaks a lot of POSIX semantics making Linux systems hard to debug.Lately it's been getting more and more in my way. Things that I have problems with lately, DNS, cgroup and namespace. Every time I've lost a considerable amount of time because of poorly documented and mostly unexpected SystemD behavior. Color me annoyed.Edit: Hum, well, wasn't supposed to but it end up into a rant

评论 #20843817 未加载

评论 #20843081 未加载

评论 #20843053 未加载

评论 #20844146 未加载

arianvanp超过 5 年前

This approach is very similar to what <a href="https://github.com/cilium/cilium" rel="nofollow">https://github.com/cilium/cilium</a> is doing for containers right? I wonder if it would be easy to reuse the battle-tested bpf programs that cilium provides and load them into systemd units.There is more crazy shit that we can do. Like set up entire service meshes with load balancers for your systemd units. Very neat.

评论 #20840159 未加载

nailer超过 5 年前

If you're wondering what BPF is: <a href="https://linux-audit.com/bpfilter-next-generation-linux-firewall/" rel="nofollow">https://linux-audit.com/bpfilter-next-generation-linux-firew...</a> and <a href="https://en.wikipedia.org/wiki/Berkeley_Packet_Filter" rel="nofollow">https://en.wikipedia.org/wiki/Berkeley_Packet_Filter</a>

评论 #20840800 未加载

justicezyx超过 5 年前

Isn't the BPF program has to be attached with root privilege? If so, the idea that to have per service is not enforceable anyway, right? As potential my filter can affect any other process running on the host.

ausjke超过 5 年前

what's the user case for this and how does this complements iptables? why do I need this?BPF is very interesting, I remember one thing is that it's of very small size and has no loops, but I don't understand its use case for firewall yet.

评论 #20845166 未加载

评论 #20843250 未加载

评论 #20843423 未加载

cat199超过 5 年前

sooo.. tcpwrappers?

skywhopper超过 5 年前

Compiling dynamically generated C programs on demand to provide packet filtering? It's clever but not in a good way. This is a really dangerous approach to solving this problem.

评论 #20839962 未加载

评论 #20839974 未加载

评论 #20840090 未加载

评论 #20839966 未加载

评论 #20841098 未加载

评论 #20839972 未加载

7 条评论

ldng超过 5 年前

评论 #20843817 未加载

评论 #20843081 未加载

评论 #20843053 未加载

评论 #20844146 未加载

arianvanp超过 5 年前

评论 #20840159 未加载

nailer超过 5 年前

评论 #20840800 未加载

justicezyx超过 5 年前

ausjke超过 5 年前

评论 #20845166 未加载

评论 #20843250 未加载

评论 #20843423 未加载

cat199超过 5 年前

sooo.. tcpwrappers?

skywhopper超过 5 年前

Compiling dynamically generated C programs on demand to provide packet filtering? It's clever but not in a good way. This is a really dangerous approach to solving this problem.

BPF port-based firewall for systemd services

7 条评论

BPF port-based firewall for systemd services

7 条评论