SOLVED When should Berkeley Packet Filtering be used?

Status
Not open for further replies.

itskando

Contributor
Joined
Apr 30, 2018
Messages
172
I have a pair of jails which I set up with static IPs and VNET.

This site and this site mention enabling Berkeley Packet Filtering, but
I wasn't sure if there was a rule of thumb of whether to use it or when to use it.

From what I understand, it can improve performance, but
is vulnerable to a Spectre attack.
Should it just be largely avoided?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Why do you think you need it?
 

itskando
Why do you think you need it?

Others enabled it (see example links provided),
they didn't mention why they enabled it, and
no one criticized their enable in the comments.

Others detailing their own personal jail parameters
did not mention enabling BPF
[edit: I'm wrong - they did], so
it's less that I think I need it and
it's more that I want to confirm what I think it does:

It improves connection performance,
likely with additional but negligible computation.

(The follow up becomes, if I updated my BIOS recently,
I think it was for Spectre protections; thus
should I care about the vulnerability?)
 

8-bit Yoda

Explorer
Joined
Jun 16, 2018
Messages
68
The forum post you linked to is using dhcp. You need bpf when you use dhcp (I think iocage does that automatically, or gives you a message).

BTW: both the posts you linked in the OP are from the same person (Chris Titus). Those instructions are recommending to use a static IP. I don't know that plex requires bpf, so you probably don't need it. You can try without.
 

itskando
The forum post you linked to is using dhcp.
You need bpf when you use dhcp (I think iocage does that automatically, or gives you a message).

Oops. Memory clearly isn't so great.

BTW: both the posts you linked in the OP are from the same person (Chris Titus).

Oof. Double sorry.
I didn't think to side by side compare the texts.

I don't know that plex requires bpf, so
you probably don't need it.

Is it not a beneficial feature, but rather
something one enables only if one needs it?

And if that's the case and something DOES need it,
will that something objectively not work if BPF is disabled?

(Thus, don't enable BPF unless your static IP VNET isn't functioning and
you're just trying whatever at that point?)

You can try without.

Heheh, sorry - [yoda pic] plus [sagely advice] plus [sagely advice is to try] ; j

More seriously:

In the case of Plex, I believe that it is working without.
I wondered if there would be a notable improvement if I enabled it.
 

Jailer
Others enabled it (see example links provided),
they didn't mention why they enabled it, and
no one criticized their enable in the comments.
You've missed the point of the question entirely. If you don't know why you need it then you likely don't need it.
 

itskando
You've missed the point of the question entirely. If you don't know why you need it then you likely don't need it.

Ooo - I like that.
That's a good rule of thumb for BPF.

(I can't assume that off the bat though -
I didn't expect that for VNET or allow_raw_sockets for plex for example! : j )
 

pschatz100

Guru
Joined
Mar 30, 2014
Messages
1,184
Ooo - I like that.
That's a good rule of thumb for BPF.

(I can't assume that off the bat though -
I didn't expect that for VNET or allow_raw_sockets for plex for example! : j )
You don't need allow_raw_sockets for Plex...
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Is it not a beneficial feature, but rather
something one enables only if one needs it?

No, BPF is not a beneficial feature unless you happen to need it.

BPF typically works in conjunction with promiscuous ethernet mode to capture and filter traffic on the local network according to user-provided rules (user not necessarily being *YOU* but the application consuming the data). Normally your ethernet chipset does the heavy lifting of filtering out traffic not destined for the local host, but when you turn on promiscuous mode, the ethernet chipset gives the kernel everything it sees. This means your kernel ends up having to process traffic that might not be for it, and this is a real performance killer. However, it allows you to do things like sampling traffic flows, something you might need to do for traffic analysis or intrusion detection.

BPF can also be used without promiscuous ethernet mode, in which case it is just used to deliver traffic to a userland process that would otherwise be extremely difficult or impossible to intercept. A DHCP server would be an example of this.
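The "user-provided rules" jgreco describes are a small bytecode program the kernel runs over every frame before deciding whether to copy it to the listening process. The block below is an added illustration, not code from this thread, from FreeBSD or from iocage: it is a toy interpreter for a handful of classic-BPF-style instructions (the opcode names and tuple encoding are my own, not the real bpf(4) wire format) plus a hand-written filter program of the kind a DHCP client attaches, which accepts only IPv4/UDP frames on ports 67 or 68 and rejects fragments and truncated frames. The frames it runs over are constructed inline (checksums left zero, which the filter never inspects), so nothing touches a real interface.

```python
"""Toy classic-BPF-style packet filter, run over constructed Ethernet frames.

Added example; not FreeBSD's bpf(4) implementation. Opcode names and the
(op, k, jt, jf) tuple layout are simplifications chosen for readability.
"""
import socket
import struct

# Instruction subset (assumed names). A = accumulator, X = index register.
LDH_ABS, LDB_ABS, LDX_MSH, LDH_IND, JEQ, JSET, RET = range(7)


def insn(op, k=0, jt=0, jf=0):
    """One instruction. Jumps land at pc + 1 + jt (true) or pc + 1 + jf (false)."""
    return (op, k, jt, jf)


# Accept IPv4/UDP, non-fragment, with src or dst port 67 (server) or 68 (client).
# Instruction 13 rejects (return 0), instruction 14 accepts (return 0xffff bytes).
DHCP_FILTER = [
    insn(LDH_ABS, 12),            # 0: A = Ethernet type
    insn(JEQ, 0x0800, 0, 11),     # 1: not IPv4 -> 13 (reject)
    insn(LDB_ABS, 23),            # 2: A = IP protocol
    insn(JEQ, 17, 0, 9),          # 3: not UDP -> 13
    insn(LDH_ABS, 20),            # 4: A = IP flags + fragment offset
    insn(JSET, 0x1FFF, 7, 0),     # 5: non-first fragment -> 13 (ports not present)
    insn(LDX_MSH, 14),            # 6: X = 4 * IHL, i.e. IP header length
    insn(LDH_IND, 14),            # 7: A = UDP source port at X + 14
    insn(JEQ, 67, 5, 0),          # 8: -> 14 (accept)
    insn(JEQ, 68, 4, 0),          # 9: -> 14
    insn(LDH_IND, 16),            # 10: A = UDP destination port at X + 16
    insn(JEQ, 67, 2, 0),          # 11: -> 14
    insn(JEQ, 68, 1, 0),          # 12: -> 14, else fall through to 13
    insn(RET, 0),                 # 13: reject
    insn(RET, 0xFFFF),            # 14: accept whole frame
]


def run_filter(prog, pkt):
    """Execute prog over pkt; return the number of bytes to capture (0 = drop).

    Like the real thing, any load past the end of the packet rejects the frame.
    """
    a = x = pc = 0
    while True:
        op, k, jt, jf = prog[pc]
        if op == LDH_ABS:
            if k + 2 > len(pkt):
                return 0
            a = struct.unpack_from("!H", pkt, k)[0]
        elif op == LDB_ABS:
            if k + 1 > len(pkt):
                return 0
            a = pkt[k]
        elif op == LDX_MSH:           # "msh": low nibble of byte k, times 4
            if k + 1 > len(pkt):
                return 0
            x = (pkt[k] & 0x0F) * 4
        elif op == LDH_IND:
            if x + k + 2 > len(pkt):
                return 0
            a = struct.unpack_from("!H", pkt, x + k)[0]
        elif op == JEQ:
            pc += 1 + (jt if a == k else jf)
            continue
        elif op == JSET:
            pc += 1 + (jt if a & k else jf)
            continue
        elif op == RET:
            return k
        else:
            raise ValueError("unknown opcode %r" % op)
        pc += 1


def udp_frame(src_ip, dst_ip, sport, dport, payload=b"", frag=0,
              ethertype=0x0800, proto=17):
    """Build a constructed Ethernet/IPv4/UDP frame (checksums left as zero)."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ethertype)
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, frag,
                     64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def matches_dhcp(pkt):
    return run_filter(DHCP_FILTER, pkt) > 0


if __name__ == "__main__":
    # A DHCPDISCOVER is sent from 0.0.0.0 to the broadcast address before the
    # interface has any address at all, which is why an ordinary UDP socket
    # cannot receive it and the client needs the BPF device instead.
    discover = udp_frame("0.0.0.0", "255.255.255.255", 68, 67, b"\x01" * 240)
    dns = udp_frame("10.0.0.5", "10.0.0.1", 53000, 53)
    for name, frame in (("dhcp discover", discover), ("dns query", dns)):
        print(name, "->", "capture" if matches_dhcp(frame) else "drop")
```

The point worth noticing for the jail question is the last branch: the frame is matched on header bytes alone, before any socket or address on the host has been consulted, which is exactly why DHCP needs the device and why a process holding it can see far more than its own traffic once the interface is promiscuous.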
 