Overview

bpfilter is a framework to convert packet filtering rules into BPF programs.

When bpfilter is started, the daemon checks whether /run/bpfilter exists and, if it does not, tries to create it. The content of this directory depends on the mode bpfilter was started in: standard or transient.

In standard mode, the BPF packet filtering programs generated by bpfilter will remain on the system when the daemon is stopped. The daemon can be restarted without affecting the packet filtering. /run/bpfilter will contain the daemon’s socket file and the daemon’s serialized runtime context. When the daemon is started, it will try to restore its runtime context from /run/bpfilter, if available. If there is no serialized runtime context on the disk, a new empty context will be created. If bpfilter fails to restore the serialized runtime context, the daemon will print an error message and return.

In transient mode (--transient), bpfilter will ensure any BPF program, map, or object it has created is destroyed before the daemon is stopped. This means bpfilter won’t filter any network packet once it’s stopped. /run/bpfilter will only contain the daemon’s socket file.
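The startup and shutdown behaviour described above, as an added example that is not bpfilter's own code: the runtime directory is created if missing, the context is only persisted in standard mode, and on restore a missing file means "start empty" while any other failure (including, as this example assumes, an empty file) is treated as a fatal restore error. The file name `context` under the runtime directory is constructed for the example.

```c
/* Added example, not bpfilter's code; the "context" file name is constructed. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

enum ctx_state { CTX_NEW = 0, CTX_RESTORED = 1, CTX_ERROR = 2 };

/* Create the runtime directory; an already existing one is not an error. */
int ensure_runtime_dir(const char *dir)
{
    return (mkdir(dir, 0700) == 0 || errno == EEXIST) ? 0 : -errno;
}

/* Standard mode persists the context so a restart can pick it up; transient
 * mode never writes it, which is why only the socket ends up in the directory. */
int save_context(const char *dir, const char *data, bool transient)
{
    char path[256];
    if (transient) return 0;
    snprintf(path, sizeof path, "%s/context", dir);
    FILE *f = fopen(path, "wb");
    if (!f) return -errno;
    size_t len = strlen(data);
    bool ok = fwrite(data, 1, len, f) == len;
    return (fclose(f) == 0 && ok) ? 0 : -EIO;
}

/* No file means a first start: begin with an empty context. Any other failure
 * (unreadable, or empty as assumed here) is a restore error: the daemon must
 * stop rather than run with a half-loaded context. */
enum ctx_state restore_context(const char *dir, char *out, size_t len)
{
    char path[256];
    snprintf(path, sizeof path, "%s/context", dir);
    FILE *f = fopen(path, "rb");
    if (!f) {
        if (errno != ENOENT) return CTX_ERROR;
        out[0] = '\0';
        return CTX_NEW;
    }
    size_t n = fread(out, 1, len - 1, f);
    bool ok = !ferror(f);
    fclose(f);
    if (!ok || n == 0) return CTX_ERROR;
    out[n] = '\0';
    return CTX_RESTORED;
}
```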