Comment by Jakson_Tate
7 days ago
Cool to see eBPF used for a desktop firewall instead of just DDoS packet dropping. The note about BPF map overflows is super relatable; dealing with that on bare metal is a pain.
My question is: if the tracking maps fill up completely, does the daemon fail-open or fail-closed?
There is currently no treatment of errors because I would not know how to handle them anyway. There are two tables which can overflow affecting the filter: the table of open flows and the table of recent DNS lookups. The table of flows just fills up, meaning that we cannot store state about new flows. Without state, we can't attribute a process to them and end up evaluating rules on each packet. I guess that blocklists would still work, but more specific rules would not be applied (and the default decision would be taken, whatever you have configured).
The DNS lookups, on the other hand, are LRU. If the table overflows too soon, we won't be able to derive names for IP addresses and name-based rules would fail.
Gotcha, makes total sense. LRU for the DNS map is definitely the right call for a desktop setup, and falling back to the user's default policy is smart so you don't randomly brick their internet if an app goes crazy.
Really appreciate the honest answer, man. Awesome work on this!
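The overflow behaviour the maintainer describes in the reply above can be made concrete with a small user-space model. The following is an added example, not code from the project or from either commenter: real eBPF maps live in the kernel and are updated with bpf_map_update_elem(), whereas here the two map semantics (a plain hash map whose update fails with -E2BIG once full, and an LRU hash map that evicts instead of failing) are mimicked with tiny arrays so the effect on verdicts can be run offline. The capacities, the policy shape (a default verdict, a one-address blocklist, one process-plus-name rule), the constructed flows and DNS answers, and all function names are assumptions.

```c
/* Constructed model of the two maps discussed in the thread; not the project's code.
 * FLOW_CAP and DNS_CAP are deliberately tiny so both maps overflow within a few inserts. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FLOW_CAP 4
#define DNS_CAP  4

enum verdict { ALLOW = 0, DENY = 1 };
typedef struct { uint32_t saddr, daddr; uint16_t sport, dport; } flow_key_t;

/* Flow table with plain-hash semantics: a new key is rejected when every slot is taken,
 * mirroring BPF_MAP_TYPE_HASH, where the update fails with -E2BIG. Nothing is evicted. */
static struct { flow_key_t key; uint32_t pid; bool used; } flow_map[FLOW_CAP];

int flow_map_insert(const flow_key_t *k, uint32_t pid)
{
    int free_slot = -1;
    for (int i = 0; i < FLOW_CAP; i++) {
        if (flow_map[i].used && memcmp(&flow_map[i].key, k, sizeof *k) == 0) {
            flow_map[i].pid = pid;            /* known flow: update in place */
            return 0;
        }
        if (!flow_map[i].used && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return -E2BIG;         /* table full: this flow is never tracked */
    flow_map[free_slot].key = *k; flow_map[free_slot].pid = pid; flow_map[free_slot].used = true;
    return 0;
}

int flow_map_lookup(const flow_key_t *k, uint32_t *pid)
{
    for (int i = 0; i < FLOW_CAP; i++)
        if (flow_map[i].used && memcmp(&flow_map[i].key, k, sizeof *k) == 0) { *pid = flow_map[i].pid; return 0; }
    return -ENOENT;
}

/* DNS table with LRU semantics: inserting into a full table evicts the least recently
 * used entry instead of failing, mirroring BPF_MAP_TYPE_LRU_HASH. Lookups refresh recency. */
static struct { uint32_t addr; char name[32]; uint64_t stamp; bool used; } dns_map[DNS_CAP];
static uint64_t dns_clock;

void dns_map_insert(uint32_t addr, const char *name)
{
    int victim = -1;
    for (int i = 0; i < DNS_CAP && victim < 0; i++)
        if (dns_map[i].used && dns_map[i].addr == addr) victim = i;   /* refresh existing entry */
    for (int i = 0; i < DNS_CAP && victim < 0; i++)
        if (!dns_map[i].used) victim = i;                              /* free slot */
    if (victim < 0) {
        victim = 0;                                                    /* full: evict oldest stamp */
        for (int i = 1; i < DNS_CAP; i++)
            if (dns_map[i].stamp < dns_map[victim].stamp) victim = i;
    }
    dns_map[victim].addr = addr; dns_map[victim].used = true; dns_map[victim].stamp = ++dns_clock;
    snprintf(dns_map[victim].name, sizeof dns_map[victim].name, "%s", name);
}

const char *dns_map_lookup(uint32_t addr)
{
    for (int i = 0; i < DNS_CAP; i++)
        if (dns_map[i].used && dns_map[i].addr == addr) { dns_map[i].stamp = ++dns_clock; return dns_map[i].name; }
    return NULL;
}

/* Assumed policy shape: the user's default verdict, a one-address blocklist (needs no flow
 * state), and one process-specific rule "rule_pid may not talk to rule_name". */
typedef struct { enum verdict default_verdict; uint32_t blocked_addr; uint32_t rule_pid; const char *rule_name; } policy_t;

enum verdict decide(const flow_key_t *k, const policy_t *p)
{
    uint32_t pid;
    if (k->daddr == p->blocked_addr) return DENY;                  /* blocklist works without state */
    if (flow_map_lookup(k, &pid) != 0) return p->default_verdict;  /* untracked: no process, default applies */
    const char *name = dns_map_lookup(k->daddr);
    if (name == NULL) return p->default_verdict;                   /* name evicted from LRU: name rule cannot match */
    if (pid == p->rule_pid && strcmp(name, p->rule_name) == 0) return DENY;
    return p->default_verdict;
}

typedef struct { int full_insert_rc; enum verdict tracked, untracked, blocklisted; bool oldest_name_present, newest_name_present; } overflow_result_t;

/* Push both maps past capacity with constructed traffic and record what happens to each verdict. */
overflow_result_t simulate_overflow(void)
{
    overflow_result_t r;
    policy_t pol = { .default_verdict = ALLOW, .blocked_addr = 0x0A000099, .rule_pid = 4242, .rule_name = "tracker.example" };
    memset(flow_map, 0, sizeof flow_map); memset(dns_map, 0, sizeof dns_map); dns_clock = 0;
    for (uint32_t i = 0; i < DNS_CAP; i++) {                       /* four constructed DNS answers ... */
        char name[32]; snprintf(name, sizeof name, "host%u.example", i);
        dns_map_insert(0xC0A80100 + i, name);
    }
    dns_map_insert(0xC0A80104, "tracker.example");                 /* ... the fifth evicts host0.example */
    flow_key_t k[FLOW_CAP + 1];
    for (int i = 0; i <= FLOW_CAP; i++) {                          /* five flows from pid 4242 into a 4-slot table */
        k[i] = (flow_key_t){ .saddr = 0x0A000001, .daddr = 0xC0A80104, .sport = (uint16_t)(40000 + i), .dport = 443 };
        r.full_insert_rc = flow_map_insert(&k[i], 4242);           /* last insert is the one that overflows */
    }
    r.tracked   = decide(&k[0], &pol);                             /* attributed: process+name rule denies */
    r.untracked = decide(&k[FLOW_CAP], &pol);                      /* unattributed: only the default applies */
    flow_key_t kb = { .saddr = 0x0A000001, .daddr = pol.blocked_addr, .sport = 1, .dport = 80 };
    r.blocklisted = decide(&kb, &pol);                             /* blocklist holds even with no state */
    r.oldest_name_present = dns_map_lookup(0xC0A80100) != NULL;    /* evicted by the LRU */
    r.newest_name_present = dns_map_lookup(0xC0A80104) != NULL;
    return r;
}

int main(void)
{
    overflow_result_t r = simulate_overflow();
    printf("5th flow insert rc=%d (-E2BIG is %d)\n", r.full_insert_rc, -E2BIG);
    printf("tracked=%s untracked=%s blocklisted=%s\n", r.tracked == DENY ? "DENY" : "ALLOW",
           r.untracked == DENY ? "DENY" : "ALLOW", r.blocklisted == DENY ? "DENY" : "ALLOW");
    printf("oldest DNS name present=%d newest=%d\n", r.oldest_name_present, r.newest_name_present);
    return 0;
}
```

The point the model makes visible is that the two overflows fail differently: the flow table silently stops tracking new flows, so the fifth flow above gets the configured default (ALLOW here) even though the same process and destination are denied on a tracked flow, while the DNS table keeps accepting entries and instead loses the oldest name, which degrades name-based rules for whatever was evicted. Whether that is fail-open or fail-closed therefore depends entirely on the user's default verdict, which is the behaviour the reply above describes.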