Should the BPF JIT compiler be disabled?
JIT compilers can be used to increase performance but they are vulnerable to a bunch of attacks and can even be used to help exploit Spectre. They aren’t really needed on desktop computers.
It probably doesn’t need to be disabled though as we already harden it and restrict it to root.
2 Likes
In principle yes, however we need to be sure that nftables isn’t using it. Nftables relies on BPF kernel infrastructure. We need to see if there is a difference between BPF and the JIT compiler.
2 Likes
BPF isn’t just a JIT compiler. Far more things use BPF than just the JIT compiler. Disabling the JIT compiler shouldn’t disable all BPF-related things.
nftables probably just uses the BPF JIT compiler as a performance optimization.
1 Like
Good, but please provide source
Just a guess. The JIT compiler was only created for performance gains. I doubt nftables would rely on it for anything other than that.
Tried building and installing a kernel 6.1.133 (sourced from Debian) without BPF JIT, and firewalld’s basic functions (port deny, port allow) are still good. Firewalld defaults to the nftables backend, so I guess it proves that BPF JIT’s existence is not critical to netfilter/nftables’ functionality?
Custom kernel’s config (JIT-related part)
user@debian:~/dev-unbpfjit/linux-6.1.133$ uname -a
Linux debian 6.1.133-unbpfjit #4 SMP PREEMPT_DYNAMIC Fri Apr 18 03:08:04 UTC 2025 x86_64 GNU/Linux
user@debian:~/dev-unbpfjit/linux-6.1.133$ grep BPF .config
CONFIG_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
# BPF subsystem
CONFIG_BPF_SYSCALL=y
# CONFIG_BPF_JIT is not set
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# end of BPF subsystem
CONFIG_CGROUP_BPF=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
# CONFIG_BPFILTER is not set
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_STREAM_PARSER=y
CONFIG_LWTUNNEL_BPF=y
CONFIG_BPF_EVENTS=y
CONFIG_TEST_BPF=m
user@debian:~/dev-unbpfjit/linux-6.1.133$ grep JIT .config
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
# CONFIG_BPF_JIT is not set
CONFIG_FUJITSU_ES=m
CONFIG_TOUCHSCREEN_FUJITSU=m
CONFIG_TOUCHSCREEN_USB_PANJIT=y
CONFIG_FUJITSU_LAPTOP=m
CONFIG_FUJITSU_TABLET=m
CONFIG_CRYPTO_JITTERENTROPY=m
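As an added example (not code from this thread, from Whonix or from the kernel project), the following POSIX shell script reports the runtime knobs behind "we already harden it and restrict it to root" from the earlier reply, namely net.core.bpf_jit_enable, net.core.bpf_jit_harden and kernel.unprivileged_bpf_disabled, and checks whether the running kernel was built with CONFIG_BPF_JIT, as the grep over .config above does for a custom build. The posture labels, the function names and the assumption that the kernel config is readable from /boot/config-$(uname -r) or /proc/config.gz are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread: summarise the BPF JIT
# posture of the running kernel from sysctl and the kernel config.

# classify_bpf_jit JIT_ENABLE JIT_HARDEN UNPRIV_DISABLED
# Prints one label describing the posture (labels are this script's own):
#   jit-disabled            bpf_jit_enable=0, programs run in the interpreter
#   jit-hardened            constant blinding for all users (harden=2) and
#                           unprivileged bpf() turned off (1 or 2)
#   jit-partially-hardened  only one of the two mitigations is active
#   jit-unhardened          JIT on, no blinding, unprivileged bpf() allowed
classify_bpf_jit() {
    jit_enable=$1; jit_harden=$2; unpriv=$3
    if [ "$jit_enable" = "0" ]; then
        echo "jit-disabled"
    elif [ "$jit_harden" = "2" ] && [ "$unpriv" != "0" ]; then
        echo "jit-hardened"
    elif [ "$jit_harden" != "0" ] || [ "$unpriv" != "0" ]; then
        echo "jit-partially-hardened"
    else
        echo "jit-unhardened"
    fi
}

# read_sysctl PATH: print the file's value, or "unavailable" if unreadable
# (e.g. inside a container that hides /proc/sys).
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; else echo unavailable; fi
}

# config_has_jit: "yes"/"no" if the kernel config is readable, else "unknown".
# Assumed locations: Debian-style /boot/config-<release> or /proc/config.gz.
config_has_jit() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        if grep -qx 'CONFIG_BPF_JIT=y' "$cfg"; then echo yes; else echo no; fi
    elif [ -r /proc/config.gz ] && command -v zcat >/dev/null 2>&1; then
        if zcat /proc/config.gz | grep -qx 'CONFIG_BPF_JIT=y'; then echo yes; else echo no; fi
    else
        echo unknown
    fi
}

# report_bpf_jit: print the raw values and the derived posture.
report_bpf_jit() {
    je=$(read_sysctl /proc/sys/net/core/bpf_jit_enable)
    jh=$(read_sysctl /proc/sys/net/core/bpf_jit_harden)
    ub=$(read_sysctl /proc/sys/kernel/unprivileged_bpf_disabled)
    echo "CONFIG_BPF_JIT built in:          $(config_has_jit)"
    echo "net.core.bpf_jit_enable:          $je"
    echo "net.core.bpf_jit_harden:          $jh"
    echo "kernel.unprivileged_bpf_disabled: $ub"
    case "$je$jh$ub" in
        *unavailable*) echo "posture: unknown (sysctl not readable)" ;;
        *) echo "posture: $(classify_bpf_jit "$je" "$jh" "$ub")" ;;
    esac
}

report_bpf_jit
```

Run it as any user; the sysctl files are world-readable on a normal install. Two caveats when reading the output: a kernel built with CONFIG_BPF_JIT_ALWAYS_ON pins bpf_jit_enable to 1 and refuses a write of 0, so "jit-disabled" can only be reached on such kernels by rebuilding without the JIT, as the custom 6.1.133 build above does; and bpf_jit_enable=2 (JIT with debug dumps) is treated here the same as 1, since the JIT is still active.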