Can I Use eBPF to Firewall?

Stereoscope
Jan 27, 2024
I'm interested in learning eBPF and using that to firewall in Proxmox. Is this rabbit hole possible? I'm only planning VMs. AI suggests CTs would be a problem.
 
On Proxmox VE, using eBPF to filter network traffic would be totally independent from the Proxmox VE configuration interface, as that uses iptables or nftables. So all rules would have to be created somewhere outside. In addition, there would be the need to write some own programs in C (libbpf) or Rust (aya), as there is no frontend available yet on Debian. Meaning: no declarative rule interface; there's no equivalent of writing rules in a config file and having a daemon apply them.
Is this really what you want?
 
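What such a hand-written program boils down to, as an added example that is not from this thread: the filter logic of an XDP program that drops inbound TCP to one port, written as plain C so it compiles and runs in user space. The verdict constants, the trimmed header layouts and the blocked port (23, constructed) are assumptions of this example; in the real build the same function carries SEC("xdp"), takes data/data_end from struct xdp_md, is compiled with clang for the bpf target and attached with libbpf or `ip link ... xdp`.

```c
#include <stdint.h>
#include <stddef.h>
#include <arpa/inet.h>

/* XDP verdicts, numerically identical to the kernel's enum xdp_action. */
#define XDP_DROP 1
#define XDP_PASS 2
#define ETH_P_IPV4 0x0800
#define PROTO_TCP  6

/* Minimal wire-format headers (field order as in linux/if_ether.h, ip.h, tcp.h);
 * tcphdr_min stops after the ports because that is all this filter reads. */
struct ethhdr_min { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct iphdr_min  { uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, protocol;
                    uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));
struct tcphdr_min { uint16_t source, dest; } __attribute__((packed));

/* The filter body. In the real XDP program this is the SEC("xdp") function, and every
 * pointer is compared against data_end before it is dereferenced: the kernel verifier
 * rejects the program otherwise, so the same pattern carries over unchanged. */
int firewall_verdict(const void *data, const void *data_end, uint16_t blocked_port)
{
    const struct ethhdr_min *eth = data;
    if ((const void *)(eth + 1) > data_end) return XDP_PASS;   /* too short for Ethernet */
    if (eth->proto != htons(ETH_P_IPV4)) return XDP_PASS;       /* not IPv4: not our rule */
    const struct iphdr_min *ip = (const void *)(eth + 1);
    if ((const void *)(ip + 1) > data_end) return XDP_PASS;
    if (ip->protocol != PROTO_TCP) return XDP_PASS;
    size_t ihl = (ip->ver_ihl & 0x0f) * 4;                      /* honour IP options */
    if (ihl < sizeof(*ip)) return XDP_PASS;                     /* malformed IHL */
    const struct tcphdr_min *tcp = (const void *)((const uint8_t *)ip + ihl);
    if ((const void *)(tcp + 1) > data_end) return XDP_PASS;    /* ports not in packet */
    return ntohs(tcp->dest) == blocked_port ? XDP_DROP : XDP_PASS;
}

/* Test hook: builds a constructed Ethernet + IPv4 + TCP frame (54 bytes, zeroed except
 * the fields set below) addressed to dport and runs it through the filter.
 * A len below 54 hands the filter a truncated frame, as a damaged packet would. */
int verdict_for(uint16_t dport, uint16_t blocked_port, size_t len)
{
    uint8_t frame[54] = {0};
    struct ethhdr_min *eth = (void *)frame;
    struct iphdr_min  *ip  = (void *)(eth + 1);
    struct tcphdr_min *tcp = (void *)(ip + 1);
    eth->proto = htons(ETH_P_IPV4);
    ip->ver_ihl = 0x45; ip->protocol = PROTO_TCP; ip->tot_len = htons(40);
    tcp->dest = htons(dport);
    if (len == 0 || len > sizeof frame) len = sizeof frame;
    return firewall_verdict(frame, frame + len, blocked_port);
}
```

Because the verdict is a plain function, the rule logic can be unit-tested on constructed frames before it ever goes near the kernel verifier or a live bridge.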
I understand that you wouldn't use the Proxmox GUI for this.

Why not virtualize that idea?

Create some VMs. Choose a "simple" OS without many bells and whistles. Update them and install the relevant software while connected to the "normal" LAN. Make snapshots/backups. Set up some bridges without a hardware NIC assigned. Connect the NICs (more than one on the router-to-be) of those VMs to these isolated networks. Make snapshots/backups again ;-) Start experimenting with eBPF and have fun :-)

The very first step is to draw a clean and structured network diagram. Stay as simple as possible, the topic is complicated enough in itself.

From my point of view that should work and it removes any risk / interference with the host.

(( For such complex experiments I have a completely functional PVE cluster on a single beefy PVE node - virtual! Eliminating any risk is really great :-) ))