Mirror of https://github.com/linuxkit/linuxkit.git, synced 2026-04-04 19:12:17 +00:00

CONFIG_BPFILTER aims to provide a replacement for netfilter. When CONFIG_BPFILTER is enabled, the kernel tries to contact a user mode helper for each iptable rule update. However, the implementation of this helper has not been upstreamed yet. The communication thus fails and the kernel then falls back to netfilter. As a result, the rule update takes more than ten times the duration of the netfilter implementation alone.

This has been reported by Docker Desktop users for whom it can take minutes to start a container sharing a few hundred ports.
https://github.com/for-mac/issues/5668

More details on the situation are described in https://lwn.net/Articles/822744/.

Signed-off-by: Frederic Dalleau <frederic.dalleau@docker.com>

See ../docs/kernels.md for more information on kernel builds.