Linux 7.0 Adds support For BPF Filtering To IO_uring - Phoronix
Written by Michael Larabel in Linux Kernel on 10 February 2026 at 08:09 AM EST.
The wonderful IO_uring for the Linux kernel for high-performance async I/O has picked up a new capability with Linux 7.0: BPF filtering.
Linux I/O expert Jens Axboe implemented support for loading BPF programs with IO_uring to offer fine-grained filtering of SQE operations. Unlike the existing filtering facilities, this BPF filtering for IO_uring can inspect request attributes and make dynamic filtering decisions. Filters can allow or deny requests, multiple filters can be stacked per opcode, and the filtering is done using classic BPF programs rather than eBPF programs to allow for container uses.

"This adds support for both cBPF filters for io_uring, as well as task inherited restrictions and filters.
seccomp and io_uring don't play along nicely, as most of the interesting data to filter on resides somewhat out-of-band, in the submission queue ring.
As a result, things like containers and systemd that apply seccomp filters, can't filter io_uring operations.
That leaves them with just one choice if filtering is critical - filter the actual io_uring_setup(2) system call to simply disallow io_uring. That's rather unfortunate, and has limited us because of it.
io_uring already has some filtering support. It requires the ring to be set up in a disabled state, and then a filter set can be applied. This filter set is completely bi-modal - an opcode is either enabled or it's not. Once a filter set is registered, the ring can be enabled. This is very restrictive, and it's not useful at all to systemd or containers which really want both broader and more specific control.
This first adds support for cBPF filters for opcodes, which enables tighter control over what exactly a specific opcode may do. As examples, specific support is added for IORING_OP_OPENAT/OPENAT2, allowing filtering on resolve flags. And another example is added for IORING_OP_SOCKET, allowing filtering on domain/type/protocol. These are both common use cases. cBPF was chosen rather than eBPF, because the latter is often restricted in containers as well."
This merge yesterday to Linux 7.0 landed the IO_uring BPF filtering capabilities.
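The seccomp workaround the quoted commit message describes, as an added example (not code from the article or from the kernel patch): a classic BPF seccomp program that denies io_uring_setup(2) outright. A seccomp filter sees only `struct seccomp_data` (syscall number and argument registers), never the SQE in the submission ring, which is why this all-or-nothing rule is all it can express; the function names and the small offline evaluator are illustrative assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425   /* same number on x86-64 and arm64 */
#endif
/* cBPF seccomp program: io_uring_setup(2) fails with EPERM, all else allowed.
 * A production filter would also check seccomp_data.arch first. */
static struct sock_filter deny_io_uring[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_setup, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define DENY_LEN (sizeof(deny_io_uring) / sizeof(deny_io_uring[0]))

/* Install the filter on the calling thread; children inherit it. */
int install_deny_io_uring(void)
{
    struct sock_fprog prog = { .len = DENY_LEN, .filter = deny_io_uring };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Offline evaluator for the three cBPF instructions used above, so the
 * verdict can be inspected without changing the process's seccomp state. */
uint32_t eval_filter(const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < DENY_LEN; pc++) {
        const struct sock_filter *f = &deny_io_uring[pc];
        switch (f->code) {
        case BPF_LD | BPF_W | BPF_ABS:      /* load a 32-bit field */
            acc = *(const uint32_t *)((const char *)sd + f->k);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:     /* offset relative to next insn */
            pc += (acc == f->k) ? f->jt : f->jf;
            break;
        case BPF_RET | BPF_K:
            return f->k;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;        /* fell off the end: fail closed */
}
```

Once this filter is installed, every other io_uring-related syscall on an already-open ring still returns `SECCOMP_RET_ALLOW`, whatever opcode the queued SQEs carry.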