
_benj | 8 months ago

How is this different from other IP or DNS ad blockers?

I see that it all comes down to a blacklist of URLs. Wouldn't eBPF just make things more complicated?


jeroenhd | 8 months ago

Effectively, not a lot. eBPF does have the capabilities to do more than a regular firewall, but this just seems to do an IP lookup in a blacklist file.

If you buy a fancy network card from a company like Nvidia, you could run the eBPF program on the card itself and the kernel wouldn't even see the packet come in. This use case doesn't seem like it'd need that kind of performance tweak, though.

It's useful as a fun project to experiment with eBPF, though!

blipvert | 8 months ago

Do you have a model number for an Nvidia offload card? I thought that only Netronome did them and that they were kinda long in the tooth now. I'd love to get my hands on one.

ranger_danger | 8 months ago

It's one program that blocks everything everywhere, and doesn't rely on specific firewall configurations or DNS resolvers to be able to block requests.

And because it uses eBPF, technically (it probably doesn't support this yet but it could) you could block requests at the application level, even if it uses TLS, before it ever even gets to a resolver or firewall.

Taking that fact even further, this means that not only well-behaved resolv.conf-reading applications are blocked, but programs that use their own DoH/DoT could be as well. Your browser wouldn't even need an ad-blocker extension. Your local resolver and your VPN-specific resolver both continue to work normally while also blocking what you want.

benreesman | 8 months ago

This is the killer eBPF use case for the non-engineer user: getting underneath TLS and DoH (which have both been effectively weaponized at this point).

No means no, my computer my choice. sudo build a real product.