Is Tumbleweed 20180903 using bpfilter in place of firewalld?

Hey,

so I just installed Tumbleweed 20180903 and noticed when I enabled firewalld it said:

hostname:~ # Started bpfilter

Is there any information around the internets about this?

I noticed it responds to regular firewall-cmd commands. Is it using bpfilter for the backend now with some sort of parser?

Note: I did install bcc-devel and bcc-tools on the machine in question. Would that have anything to do with it?

Also, (unrelated) I got this forum error when trying to search for ‘bpfilter’:

[RESOLVED] Ongoing issues with paste.opensuse.org: The redirection isn’t working and comes up with an error ‘Disallowed Key Characters’. In the interim until this is fixed, please substitute with ‘susepaste.org’ if you come across a post using ‘paste.opensuse.org’.

FWIW, some news on the subject…

https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/
https://lwn.net/Articles/747504/

Checking on Tumbleweed, I see that “firewalld” is still running, and “bpfilter” is the name of a kernel module.

While looking that up, I see that Deano has replied with more information on the topic.

As for that “RESOLVED” message – I don’t think it was supposed to be an error message. It is a forum notification, and unrelated to your search except that the notification appears on all forum pages unless you click the “X” to delete that notice.

Yeah, I’ve been very interested in bpf/bcc so that’s why I installed a copy of TW to see if there had been progress regarding the .ko in the 4.18.x kernel.

I’ve read those documents already, unfortunately, but thanks

If you have a copy of TW and you disable the systemd service and reboot, does it also echo the ‘started bpfilter’ on your machine? (I’ve noticed it only does it once per boot - and if it’s enabled as a service, if it even does echo it’ll probably get lost amongst the dmesg).

Or, I guess you could dmesg | grep bpfilter … (just thinking aloud…)

What version of TW are you running?

Service manager is not showing a service for “bpfilter”.

I also checked:

# systemctl status bpfilter
Unit bpfilter.service could not be found.

From the “dmesg” output, I can see:

[   34.292749] bpfilter: Loaded bpfilter_umh pid 1318

When I check process 1318, I get

root      1318     2  0 16:29 ?        00:00:00 [none]

The parent process (PID=2) shows as:

root         2     0  0 16:29 ?        00:00:00 [kthreadd]

I’m not quite sure what you’re asking here. It is important to note that firewalld is a userspace management daemon, capable of working with ip_tables, nf_tables, or bpfilter (kernel packet filtering modules).

Oh, I was thinking firewalld was another firewall package on its own

So it’s a management daemon that is controlling bpfilter by default in TW 20180903+?

Firewalld is the userspace daemon (and associated config utilities). The systemd service can be checked with

systemctl status firewalld

Also check /etc/firewalld/firewalld.conf for config options.

Googling man page… thanks :)

Any information about BPF in relation to firewalld, though? AFAIK this is new and unique to OpenSUSE TW, have you heard about it anywhere else?

Only from what I’ve read re kernel 4.18 development…

https://www.networkworld.com/article/3299457/linux/linux-kernel-418-better-security-leaner-code.html

Introducing BPFILTER

Another exciting feature is BPFILTER. (The name derives from Berkeley Packet Filter.) While starting out as a packet-filtering facility for other tools (e.g., tcpdump), BPFILTER is poised in 4.18 to eventually replace both iptables and nftables. It also extends the capabilities of Linux in several areas – network security, load balancing and performance monitoring – without impacting performance. In essence, BPFILTER represents something of a foundational shift for both networking and security.

In what is expected to be a very easy transition from the earlier technology BPFILTER will provide easy ways to translate iptables rules into its own rule format. It also provides flexibility with respect to where filtering rules are applied — maybe on the network interface itself — and ways to modernize and revitalize the network stack.

This is what I found on my existing TW…

  • Has kernel 4.18 which is apparently when changes using bpfilter are first implemented
  • bpfilter is implemented as a firewalld “Helper” embedded in the kernel
  • In firewalld.conf, you have three possible Helper settings… On, Off and System (which is default)
  • Verified existence of bpfilter User modules (implemented as/distributed as kernel modules for convenience) by the command "locate bpfilter"

So, it seems that bpfilter is implemented as an optional programmatic way of configuring IPtables rules, which is probably also why firewalld.conf is configured to still use iptables instead of nftables (I don’t know how, or whether bpfilter might support nftables). You can still configure individual IPtables rules as before, but bpfilter is supposed to be a much more capable and flexible way of configuring complex rules.

All the above is more or less what you need to know: bpfilter exists and is available for use.
Then, the last step would be to verify it’s loaded and ready for use. Since it’s implemented as a kernel module and not a service (e.g. a systemd Unit file), you can’t “service servicename” or “systemctl status servicename”, but you can see it’s loaded as a kernel module on boot with the following (there are probably other ways):

journalctl | grep 'bpfilter'

TSU
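As an added example (not code from anyone in this thread), a small POSIX shell script that separates the three things the thread runs together: the firewalld daemon, the backend it is configured to drive, and the bpfilter kernel module with its user-mode helper (the “bpfilter_umh pid” line above). The firewalld.conf keys FirewallBackend and AutomaticHelpers are assumed to be those of firewalld 0.6 and later; the sample dmesg line and config below are constructed.

```shell
#!/bin/sh
# Added example: classify the bpfilter/firewalld situation on a host.
# Assumes firewalld.conf keys FirewallBackend and AutomaticHelpers (firewalld >= 0.6).

# Constructed sample input mirroring the thread's dmesg line and a firewalld.conf.
SAMPLE_DMESG='[   34.292749] bpfilter: Loaded bpfilter_umh pid 1318'
SAMPLE_CONF='# constructed firewalld.conf excerpt
FirewallBackend=iptables
AutomaticHelpers=system'

# Print the value of KEY from firewalld.conf-style text on stdin (comments
# ignored, last assignment wins); print DEFAULT when the key is absent.
conf_value() {
    key=$1; default=$2
    val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" | tail -n 1)
    printf '%s\n' "${val:-$default}"
}

# Extract the user-mode helper PID from kernel log lines on stdin.
# Prints nothing when the bpfilter module was never loaded.
bpfilter_umh_pid() {
    sed -n 's/.*bpfilter: Loaded bpfilter_umh pid \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# One-line verdict: the module being loaded does not change which backend
# firewalld writes its rules through.
describe() {
    backend=$1; pid=$2
    if [ -n "$pid" ]; then
        echo "bpfilter module loaded (umh pid $pid); firewalld backend=$backend"
    else
        echo "bpfilter not loaded; firewalld backend=$backend"
    fi
}

# Live check on this host; degrades gracefully when files or tools are missing.
main() {
    conf=/etc/firewalld/firewalld.conf
    if [ -r "$conf" ]; then
        backend=$(conf_value FirewallBackend iptables < "$conf")
    else
        backend="unknown ($conf not readable)"
    fi
    if command -v journalctl >/dev/null 2>&1; then
        pid=$(journalctl -k --no-pager 2>/dev/null | bpfilter_umh_pid)
    else
        pid=$(dmesg 2>/dev/null | bpfilter_umh_pid)
    fi
    [ -d /sys/module/bpfilter ] && echo "/sys/module/bpfilter present"
    describe "$backend" "$pid"
}
main
```

The same functions can be run against the constructed samples (for example `printf '%s\n' "$SAMPLE_DMESG" | bpfilter_umh_pid` prints 1318) to check the parsing before trusting it on a real journal.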