diff --git a/src/basic/bpf-program.c b/src/basic/bpf-program.c
index 9326176743..ce6f9e4409 100644
--- a/src/basic/bpf-program.c
+++ b/src/basic/bpf-program.c
@@ -91,7 +91,7 @@ int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size) {
         return 0;
 }
 
-int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path) {
+int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_t flags) {
         _cleanup_close_ int fd = -1;
         union bpf_attr attr;
 
@@ -107,6 +107,7 @@ int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path) {
                 .attach_type = type,
                 .target_fd = fd,
                 .attach_bpf_fd = p->kernel_fd,
+                .attach_flags = flags,
         };
 
         if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0)
diff --git a/src/basic/bpf-program.h b/src/basic/bpf-program.h
index 0dd150b60a..35a41ffc44 100644
--- a/src/basic/bpf-program.h
+++ b/src/basic/bpf-program.h
@@ -45,7 +45,7 @@ BPFProgram *bpf_program_unref(BPFProgram *p);
 int bpf_program_add_instructions(BPFProgram *p, const struct bpf_insn *insn, size_t count);
 int bpf_program_load_kernel(BPFProgram *p, char *log_buf, size_t log_size);
 
-int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path);
+int bpf_program_cgroup_attach(BPFProgram *p, int type, const char *path, uint32_t flags);
 int bpf_program_cgroup_detach(int type, const char *path);
 
 int bpf_map_new(enum bpf_map_type type, size_t key_size, size_t value_size, size_t max_entries, uint32_t flags);
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index 732c36fc1a..909c1c8253 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -539,10 +539,18 @@ int bpf_firewall_compile(Unit *u) {
 
 int bpf_firewall_install(Unit *u) {
         _cleanup_free_ char *path = NULL;
+        CGroupContext *cc;
         int r;
 
         assert(u);
 
+        if (!u->cgroup_path)
+                return -EINVAL;
+
+        cc = unit_get_cgroup_context(u);
+        if (!cc)
+                return -EINVAL;
+
         r = bpf_firewall_supported();
         if (r < 0)
                 return r;
@@ -560,7 +568,7 @@ int bpf_firewall_install(Unit *u) {
                 if (r < 0)
                         return log_error_errno(r, "Kernel upload of egress BPF program failed: %m");
 
-                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path);
+                r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, cc->delegate ? BPF_F_ALLOW_OVERRIDE : 0);
                 if (r < 0)
                         return log_error_errno(r, "Attaching egress BPF program to cgroup %s failed: %m", path);
         } else {
@@ -575,7 +583,7 @@ int bpf_firewall_install(Unit *u) {
                 if (r < 0)
                         return log_error_errno(r, "Kernel upload of ingress BPF program failed: %m");
 
-                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path);
+                r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, cc->delegate ? BPF_F_ALLOW_OVERRIDE : 0);
                 if (r < 0)
                         return log_error_errno(r, "Attaching ingress BPF program to cgroup %s failed: %m", path);
         } else {