(In reply to - - from comment #61)
> After a little research I found that it can be anything that calls
> `(set|get)sockopt`.

Thanks for digging that up. More precisely, getsockopt() or setsockopt() with level == IPPROTO_IP and optname supported by bpfilter (https://elixir.bootlin.com/linux/v5.0-rc4/source/include/uapi/linux/bpfilter.h) automagically loads the bpfilter module and starts the UMH.

This happens when iptables initializes itself: it calls getsockopt(IPPROTO_IP, IPT_SO_GET_INFO), and IPT_SO_GET_INFO has the same value as BPFILTER_IPT_SO_GET_INFO (=64).
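The following C program is an added example, not part of the comment above or of the kernel source. It classifies recorded sockopt calls by whether they fall in the bpfilter option ranges from the linked header. The `sockopt_call` record, the function names and the sample trace are constructed for illustration, and the half-open range test is an assumption about how the kernel dispatches these options.

```c
#include <stddef.h>
#include <stdio.h>
#include <netinet/in.h>  /* IPPROTO_IP, IPPROTO_TCP */

/* Option numbers as listed in include/uapi/linux/bpfilter.h (v5.0),
 * copied here so the example builds without kernel headers. */
enum { BPFILTER_SET_FIRST = 64, BPFILTER_SET_MAX = 66 };
enum { BPFILTER_GET_FIRST = 64, BPFILTER_GET_MAX = 68 };

/* Hypothetical record of one traced call (not a kernel structure). */
struct sockopt_call {
    const char *comm;  /* process name */
    int is_set;        /* 1 = setsockopt(), 0 = getsockopt() */
    int level;
    int optname;
};

/* Assumption: an IPPROTO_IP option goes to bpfilter when it lies in the
 * half-open range for its direction; set and get ranges differ. */
int hits_bpfilter(const struct sockopt_call *c)
{
    if (c->level != IPPROTO_IP)
        return 0;
    if (c->is_set)
        return c->optname >= BPFILTER_SET_FIRST && c->optname < BPFILTER_SET_MAX;
    return c->optname >= BPFILTER_GET_FIRST && c->optname < BPFILTER_GET_MAX;
}

/* Report and count the calls in a trace that would reach bpfilter. */
size_t count_triggers(const struct sockopt_call *calls, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (!hits_bpfilter(&calls[i]))
            continue;
        printf("%s: %ssockopt(IPPROTO_IP, %d) reaches bpfilter\n",
               calls[i].comm, calls[i].is_set ? "set" : "get", calls[i].optname);
        hits++;
    }
    return hits;
}

/* Constructed sample trace, not captured from a real system. */
static const struct sockopt_call sample[] = {
    {"iptables", 0, IPPROTO_IP, 64},   /* IPT_SO_GET_INFO */
    {"curl",     1, IPPROTO_IP, 1},    /* IP_TOS, below the range */
    {"sshd",     1, IPPROTO_TCP, 1},   /* wrong level */
    {"iptables", 1, IPPROTO_IP, 64},   /* set-side value 64 */
    {"app",      1, IPPROTO_IP, 66},   /* past the set range */
    {"app",      0, IPPROTO_IP, 67},   /* last get-side value */
};

int main(void)
{
    size_t n = sizeof(sample) / sizeof(sample[0]);
    printf("%zu of %zu calls would load bpfilter\n", count_triggers(sample, n), n);
    return 0;
}
```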