The daemon¶
The bpfilter daemon is responsible for creating the BPF program corresponding to the user-provided filtering rules. The daemon will also load and manage the BPF programs on the system.
It is possible to customize the daemon’s behavior using the following command-line flags:
-t,--transient: if used,bpfilterwon’t pin any BPF program or map, and no data will be serialized to the filesystem. Hence, as soon as the daemon is stopped, the loaded BPF programs and maps will be removed from the system.--no-cli: disablebfclisupport.--no-nftables: disablenftablessupport.--no-iptables: disableiptablessupport.-b,--buffer-len=BUF_LEN_POW: size of theBPF_PROG_LOADbuffer as a power of 2. Only available if--verboseis used.BPF_PROG_LOADsystem call can be provided a buffer for the BPF verifier to provide details in case the program can’t be loaded. The required size for the buffer being hardly predictable, this option allows for the user to control it. The final buffer will have a size of1 << BUF_LEN_POWER.-v=VERBOSE_FLAG,--verbose=VERBOSE_FLAG: enable verbose logs forVERBOSE_FLAG. Currently, 3 verbose flags are supported:debug: enable all the debug logs in the application.bpf: insert log messages into the BPF programs to log failed kernel function calls. Those messages can be printed withbpftool prog tracelogorcat /sys/kernel/debug/tracing/trace_pipe.bytecode: dump a program’s bytecode before loading it.
--usage: print a short usage message.-?,--help: print the help message.
Runtime data¶
bpfilter runtime data is located in two different directories:
/run/bpfilter: runtime context. Contains the socket used to communicate with the daemon, and the serialized data (except in--transientmode)./sys/fs/bpf/bpfilter: directory used to pin the BPF objects (except in--transientmode) so they persist across restarts of the daemon.
Warning
If bpfilter fails to restore its state after restarting, its data can be cleanup up by removing both those directories. Doing so will remove all your filtering rules.