Systemd Now Allows Custom BPF Programs To Be Loaded On Cgroups - Phoronix

Articles & Reviews
News Archive
Forums
Premium
Categories

Computers GPUs / Graphics Cards Linux Gaming Memory Motherboards CPUs / Processors Software Storage Operating Systems Peripherals

Systemd Now Allows Custom BPF Programs To Be Loaded On Cgroups

Written by Michael Larabel in systemd on 29 June 2019 at 07:11 AM EDT. 36 Comments

SYSTEMD --

Systemd now allows loading of custom BPF programs for network traffic filtering that are applied to all sockets created by processes of a given systemd unit.

The motivation for this stems from a feature plan drawn up last year for having systemd install BPF (Berkeley Packet Filter) programs into cgroups. The benefit of this is associating a BPF program for IP filtering with a unit file so systemd can install them once a cgroup is setup.

With the systemd code as of this week, there are now the IPIngressFilterPath and IPEgressFilterPath options so that systemd units can specify a BPF pinned program as an argument. Multiple BPF programs can be specified and apply to all IP packets sent/received under the INET/INET6 sockets created by processes of the unit, in addition to any other filters of the system.

More details in this commit. This change will be in the upcoming systemd 243 release.

36 Comments

Related News

systemd 249-rc2 Released With New "ConditionOSRelease" Directive

Systemd 249-rc1 Released With Many New Features

Systemd 248 Released With System Extension Images Feature, More TPM2/FIDO2 Integration

Dbus-Broker 28 Released

systemd 248 RC3 Released With Extension Images Support, New Security Capabilities

systemd 248 RC1 Released With New "System Extension Images" Concept

About The Author

Author picture

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter or contacted via MichaelLarabel.com.

Popular News This Week

Google Wants To See Rust Code In The Linux Kernel, Contracts The Main Developer

Linux 5.13 Lands More Fixes To The Mucked Up FPU/XSTATE Handling Mess

OpenSSL 3.0 Release Candidate Arrives With Big Changes

NVIDIA Posts 470 Linux Driver Beta With Better Wayland Support, DLSS + Improved PRIME

Proton 6.3-5 RC Allows More Windows Games To Run On Linux

RADV Open-Source Radeon Vulkan Driver Begins Landing Ray-Tracing Changes

Surface Suspension Protocol Proposed For Wayland

LibreOffice 7.2 Beta Arrives With Initial Command Pop-Up HUD, Better Performance