TL;DR From Android 13, you have the ability to block networking for a UID using BPF:
`cmd connectivity set-package-networking-enabled [true|false] [package-name]`
For the firewall to work, you may need to enable chain3:
`cmd connectivity set-chain3-enabled true`
The drawback is it gets reset on reboot.
@muntashir Did I understand correctly that bpf is parallel to iptables and vpn? So filtering/blocking using those two 'old' techniques is not sufficient?
Is it possible to list the bpf enable/disable entries?
Wouldn't it be easier to have a Magisk/KSU/APatch module to configure bpf on boot than using WiFi-ADB?
@MichaelZ eBPF is more powerful than iptables or VPN as it supports a wider set of rules and is done at the kernel level. It’s also more efficient at filtering packets than iptables or VPN. Since the filtering is done before the packet can be processed by iptables or VPN, vendors/OEMs can choose to bypass the latter methods by modifying the BPF rules at /sys/fs/bpf.
You can list some of the rules by inspecting the output of `dumpsys connectivity trafficcontroller` (look for sUidOwnerMap). If you have root, you can browse the complete list of rules by inspecting the files at /sys/fs/bpf.
Yes, you can create a startup script with Magisk to replace those rules. The rules are loaded very early in the boot process, so you need to load/replace them accordingly. Note that BPF supports a wider set of rules than what is available via the Android framework APIs, so adding/replacing your own rules at /sys/fs/bpf may be more effective.
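A boot script in the spirit of the Magisk/KSU approach discussed above, as an added example that is not from this thread or from any project: it re-applies the two `cmd connectivity` subcommands quoted in the TL;DR after each reboot, using a constructed package list and a `CMD_BIN` override (an assumption of the example, not an Android feature) so the logic can be exercised off-device.

```shell
# Magisk/KSU-style service.sh (added example, not from the thread or any project).
# Re-applies the Android 13 `cmd connectivity` BPF firewall rules after boot,
# because, as noted above, the per-package state does not survive a reboot.

# Constructed sample list of packages to keep off the network, one per line.
BLOCKED_PACKAGES="com.example.untrusted
com.example.telemetry"

# Path of the `cmd` binary; overridable so the logic can be tested off-device.
CMD_BIN="${CMD_BIN:-/system/bin/cmd}"

# Number of packages successfully processed by the last apply_rules call.
APPLIED=0

# Wait until the framework reports boot completion (bounded to ~5 minutes);
# `cmd connectivity` talks to system_server, which is not up at script start.
wait_for_boot() {
    tries=0
    while [ "$(getprop sys.boot_completed 2>/dev/null)" != "1" ]; do
        tries=$((tries + 1))
        [ "$tries" -lt 150 ] || return 1
        sleep 2
    done
}

# Enable chain3, then disable networking for each listed package.
# Stops at the first failing command and returns non-zero.
apply_rules() {
    APPLIED=0
    "$CMD_BIN" connectivity set-chain3-enabled true || return 1
    for pkg in $BLOCKED_PACKAGES; do
        "$CMD_BIN" connectivity set-package-networking-enabled false "$pkg" \
            || return 1
        APPLIED=$((APPLIED + 1))
    done
    return 0
}

# Live path: only runs on a device where the real binary exists.
if [ -x /system/bin/cmd ]; then
    wait_for_boot && apply_rules
fi
```

Drop the script in as the module's service.sh; the rules are re-applied once sys.boot_completed is set, which is after the framework has loaded its own BPF maps.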