So I just installed Tumbleweed 20180903 and noticed when I enabled firewalld it said:
hostname:~ # Started bpfilter
Is there any information around the internets about this?
I noticed it responds to regular firewall-cmd commands. Is it using bpfilter for the backend now with some sort of parser?
Note: I did install bcc-devel and bcc-tools on the machine in question. Would that have anything to do with it?
Also, (unrelated) I got this forum error when trying to search for ‘bpfilter’:
[RESOLVED] Ongoing issues with paste.opensuse.org: The redirection isn’t working and comes up with an error ‘Disallowed Key Characters’. In the interim until this is fixed, please substitute with ‘susepaste.org’ if you come across a post using ‘paste.opensuse.org’.
Checking on Tumbleweed, I see that “firewalld” is still running, and “bpfilter” is the name of a kernel module.
While looking that up, I see that Deano has replied with more information on the topic.
As for that “RESOLVED” message – I don’t think it was supposed to be an error message. It is a forum notification, and unrelated to your search except that the notification appears on all forum pages unless you click the “X” to delete that notice.
Yeah, I’ve been very interested in bpf/bcc so that’s why I installed a copy of TW to see if there had been progress regarding the .ko in the 4.18.x kernel.
I’ve read those documents already, unfortunately, but thanks
If you have a copy of TW and you disable the systemd service and reboot, does it also echo the ‘started bpfilter’ on your machine? (I’ve noticed it only does it once per boot - and if it’s enabled as a service, if it even does echo it’ll probably get lost amongst the dmesg).
Or, I guess you could dmesg | grep bpfilter … (just thinking aloud…)
I’m not quite sure what you’re asking here. It is important to note that firewalld is a userspace management daemon, capable of working with ip_tables, nf_tables, or bpfilter (kernel packet filtering modules).
Another exciting feature is BPFILTER. (The name derives from Berkeley Packet Filter.) While starting out as a packet-filtering facility for other tools (e.g., tcpdump), BPFILTER is poised in 4.18 to eventually replace both iptables and nftables. It also extends the capabilities of Linux in several areas – network security, load balancing and performance monitoring – without impacting performance. In essence, BPFILTER represents something of a foundational shift for both networking and security.
In what is expected to be a very easy transition from the earlier technology BPFILTER will provide easy ways to translate iptables rules into its own rule format. It also provides flexibility with respect to where filtering rules are applied — maybe on the network interface itself — and ways to modernize and revitalize the network stack.
Has kernel 4.18 which is apparently when changes using bpfilter are first implemented
bpfilter is implemented as a firewalld “Helper” embedded in the kernel
In firewalld.conf, you have three possible Helper settings… On, Off and System (which is default)
Verified existence of bpfilter User modules (implemented as/distributed as kernel modules for convenience) by the command "locate bpfilter"
So, it seems that bpfilter is implemented as an optional programmatic way of configuring IPtables rules, which is probably also why firewalld.conf is configured to still use iptables instead of nftables (I don’t know how, or whether bpfilter might support nftables). You can still configure individual IPtables rules as before, but bpfilter is supposed to be a much more capable and flexible way of configuring complex rules.
All the above more or less is what you need to know that bpfilter exists and is available for use.
Then, the last step would be to verify it’s loaded and ready for use. Since it’s implemented as a kernel module and not a service (e.g. a systemd unit file), you can’t “service servicename” or “systemctl status servicename”, but you can see it’s loaded as a kernel module on boot with the following (there are probably other ways)
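As an added example (not code posted in this thread), the checks discussed above can be scripted: whether the bpfilter module shows up in the loaded-module list (`/proc/modules`, the same data `lsmod` prints), what `FirewallBackend=` in firewalld.conf is set to (iptables or nftables), and the one-time "Started bpfilter" line in dmesg. The module listing and config text below are constructed sample data so the script runs without root; the `--live` switch reads the real files instead.

```shell
#!/bin/sh
# Added example: verify bpfilter is loaded and see which backend firewalld is
# configured to use. Sample data below is constructed, not captured from a
# real Tumbleweed box.

# Return 0 if "bpfilter" is a loaded module in a /proc/modules-style listing
# read from stdin (first whitespace-separated field is the module name).
bpfilter_loaded() {
    awk 'BEGIN { missing = 1 } $1 == "bpfilter" { missing = 0 } END { exit missing }'
}

# Print the value of FirewallBackend= from a firewalld.conf read on stdin,
# skipping commented lines; prints "unset" when the key is not present.
firewall_backend() {
    awk -F= '/^[[:space:]]*FirewallBackend[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
             END { print (v == "" ? "unset" : v) }'
}

# Run the checks against the real system (requires readable /proc and config).
check_live() {
    if [ -r /proc/modules ] && bpfilter_loaded < /proc/modules; then
        echo "bpfilter: loaded"
    else
        echo "bpfilter: not loaded"
    fi
    if [ -r /etc/firewalld/firewalld.conf ]; then
        echo "firewalld backend: $(firewall_backend < /etc/firewalld/firewalld.conf)"
    fi
    # The "Started bpfilter" message appears once per boot in the kernel log.
    dmesg 2>/dev/null | grep -i bpfilter
}

# Constructed sample inputs (format mirrors /proc/modules and firewalld.conf).
SAMPLE_MODULES='bpfilter 16384 0 - Live 0x0000000000000000
nf_tables 143360 1 nft_compat, Live 0x0000000000000000
x_tables 45056 2 nft_compat,xt_tcpudp, Live 0x0000000000000000'

SAMPLE_CONF='# firewalld config file
DefaultZone=public
# FirewallBackend selects the firewall backend implementation.
FirewallBackend=iptables
'

if [ "${1:-}" = "--live" ]; then
    check_live
else
    if printf '%s\n' "$SAMPLE_MODULES" | bpfilter_loaded; then
        echo "sample: bpfilter loaded"
    else
        echo "sample: bpfilter not loaded"
    fi
    echo "sample backend: $(printf '%s' "$SAMPLE_CONF" | firewall_backend)"
fi
```

Run it with no arguments to see it work on the embedded sample, or with `--live` on a Tumbleweed machine to check the actual module list and configuration; `dmesg | grep bpfilter`, as suggested earlier in the thread, remains the quickest way to spot the boot-time message.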