Systemd logging bpf-firewall errors

Help
1

Hello, I’m setting up a new VPS here and notice these bpf-firewall errors being logged for many (most?) systemd units on my NixOS unstable install. I’m trying to migrate a system from Hetzner Cloud and do not see the same errors there.

I’m posting this here because I guess it’s some curiosity with the container and cgroup setup here, given that I’ve never seen it on another NixOS machine and can’t find any relevant info searching the web.

I am using the vpsadminos flake as an input to the system configuration.

journalctl -b --grep bpf-firewall --no-pager --no-hostname --output short-iso

2026-02-25T12:00:07+01:00 systemd[1]: logrotate.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/logrotate.service failed: Invalid argument
2026-02-25T12:01:53+01:00 systemd[1]: user-0.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice failed: Invalid argument
2026-02-25T12:01:53+01:00 systemd[1]: user.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice failed: Invalid argument
2026-02-25T12:01:53+01:00 systemd[1]: user-runtime-dir@0.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/user-runtime-dir@0.service failed: Invalid argument
2026-02-25T12:01:53+01:00 systemd[1]: user-0.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice failed: Invalid argument
2026-02-25T13:00:00+01:00 systemd[1]: logrotate.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/logrotate.service failed: Invalid argument
2026-02-25T14:00:01+01:00 systemd[1]: logrotate.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/logrotate.service failed: Invalid argument
2026-02-25T15:00:06+01:00 systemd[1]: logrotate.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/logrotate.service failed: Invalid argument
2026-02-25T16:00:02+01:00 systemd[1]: logrotate.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/logrotate.service failed: Invalid argument
2026-02-25T17:00:02+01:00 systemd[1]: logrotate.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/logrotate.service failed: Invalid argument
2026-02-25T17:56:46+01:00 systemd[1]: user.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice failed: Invalid argument
2026-02-25T17:56:46+01:00 systemd[1]: user-0.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice failed: Invalid argument
2026-02-25T17:56:46+01:00 systemd[1]: user-runtime-dir@0.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/user-runtime-dir@0.service failed: Invalid argument
2026-02-25T17:56:46+01:00 systemd[1]: user@0.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/user@0.service failed: Invalid argument
2026-02-25T17:56:46+01:00 systemd[1]: session-c26.scope: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/session-c26.scope failed: Invalid argument
2026-02-25T18:00:00+01:00 systemd[1]: logrotate.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/logrotate.service failed: Invalid argument
2026-02-25T18:10:02+01:00 systemd[1]: session-c28.scope: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/session-c28.scope failed: Invalid argument
2026-02-25T18:10:10+01:00 systemd[1]: nixos-rebuild-switch-to-configuration.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/nixos-rebuild-switch-to-configuration.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: init.scope: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/init.scope failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: systemd-logind.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/systemd-logind.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: session-c28.scope: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/session-c28.scope failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: user-0.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: container-getty@2.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-container\x2dgetty.slice/container-getty@2.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: system-getty.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-getty.slice failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: session-c26.scope: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/session-c26.scope failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: systemd-journald.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/systemd-journald.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: system-modprobe.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-modprobe.slice failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: laminar.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/laminar.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: systemd-resolved.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/systemd-resolved.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: container-getty@3.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-container\x2dgetty.slice/container-getty@3.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: sshguard.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/sshguard.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: systemd-udevd.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/systemd-udevd.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: container-getty@4.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-container\x2dgetty.slice/container-getty@4.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: nixos-rebuild-switch-to-configuration.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/nixos-rebuild-switch-to-configuration.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: container-getty@1.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-container\x2dgetty.slice/container-getty@1.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: caddy.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/caddy.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: searchix.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/searchix.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: console-getty.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/console-getty.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: nscd.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/nscd.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: user.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: system-container\x2dgetty.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-container\x2dgetty.slice failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: nix-daemon.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/nix-daemon.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: -.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: syncthing.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/syncthing.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: gitea-runner-codeberg.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/gitea-runner-codeberg.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: tailscaled.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/tailscaled.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: systemd-networkd.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/systemd-networkd.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: user@0.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/user@0.service failed: Invalid argument
2026-02-25T18:10:11+01:00 systemd[1]: sshd.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/sshd.service failed: Invalid argument
2026-02-25T18:10:12+01:00 systemd[1]: system.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice failed: Invalid argument
2026-02-25T18:10:12+01:00 systemd[1]: podman.socket: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/podman.socket failed: Invalid argument
2026-02-25T18:10:12+01:00 systemd[1]: dbus.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/dbus.service failed: Invalid argument
2026-02-25T18:10:12+01:00 systemd[1]: run-wrappers.mount: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/run-wrappers.mount failed: Invalid argument
2026-02-25T18:10:12+01:00 systemd[1]: linger-users.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/linger-users.service failed: Invalid argument
2026-02-25T18:10:12+01:00 systemd[1]: tailscaled-set.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/tailscaled-set.service failed: Invalid argument
2026-02-25T18:10:12+01:00 systemd[1]: suid-sgid-wrappers.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/suid-sgid-wrappers.service failed: Invalid argument
2026-02-25T18:16:36+01:00 systemd[1]: session-c29.scope: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/session-c29.scope failed: Invalid argument
2026-02-25T18:16:44+01:00 systemd[1]: nixos-rebuild-switch-to-configuration.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/nixos-rebuild-switch-to-configuration.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: init.scope: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/init.scope failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: systemd-logind.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/systemd-logind.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: user-0.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: container-getty@2.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-container\x2dgetty.slice/container-getty@2.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: system-getty.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-getty.slice failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: session-c29.scope: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/session-c29.scope failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: session-c26.scope: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/session-c26.scope failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: systemd-journald.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/systemd-journald.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: system-modprobe.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-modprobe.slice failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: laminar.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/laminar.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: systemd-resolved.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/systemd-resolved.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: container-getty@3.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-container\x2dgetty.slice/container-getty@3.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: sshguard.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/sshguard.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: systemd-udevd.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/systemd-udevd.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: container-getty@4.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-container\x2dgetty.slice/container-getty@4.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: nixos-rebuild-switch-to-configuration.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/nixos-rebuild-switch-to-configuration.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: container-getty@1.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-container\x2dgetty.slice/container-getty@1.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: caddy.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/caddy.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: searchix.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/searchix.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: console-getty.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/console-getty.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: nscd.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/nscd.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: user.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: system-container\x2dgetty.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/system-container\x2dgetty.slice failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: nix-daemon.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/nix-daemon.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: -.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: syncthing.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/syncthing.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: gitea-runner-codeberg.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/gitea-runner-codeberg.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: tailscaled.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/tailscaled.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: systemd-networkd.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/systemd-networkd.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: user@0.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/user.slice/user-0.slice/user@0.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: sshd.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/sshd.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: system.slice: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: podman.socket: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/podman.socket failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: dbus.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/dbus.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: run-wrappers.mount: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/run-wrappers.mount failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: linger-users.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/linger-users.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: tailscaled-set.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/tailscaled-set.service failed: Invalid argument
2026-02-25T18:16:46+01:00 systemd[1]: suid-sgid-wrappers.service: bpf-firewall: Attaching egress BPF program to cgroup /sys/fs/cgroup/system.slice/suid-sgid-wrappers.service failed: Invalid argument
2

Our VPS are Linux containers with user namespace. BPF is not allowed from within user namespaces, hence these warnings. I’ve investigated this in the past and I suppose it’s still the same situation.

3

Anything I can do to turn them off?

4

It seems that systemd’s check somehow passes inside the container and it doesn’t break the BPF circuitry.

Also, there was a change change with systemd v258. What is your systemd version?

5

v258.3, strangely enough, which seems as though it’s supposed to have that change.