tech-net archive


Re: BPF_MISC+BPF_COP and BPF_COPX



On 5/08/2013 5:12 AM, Mindaugas Rasiukevicius wrote:
> Hello,
>
> I would like propose new BPF instructions for the misc category: BPF_COP
> and BPF_COPX.  It would provide a capability of calling an external
> function - think of BPF "coprocessor".

No.

A BPF program is an entity that can be verified as correct from a
security perspective. It is also self contained and requires no
external references in order to understand.

This change breaks the BPF security model because now the BPF program
is calling out to some random function as part of the packet matching.

> It provides us a capability to offload more complex packet processing.
> My primary user would be NPF in NetBSD, e.g. one of the operations is to
> lookup an IP address in a table/ipset.

Then add BPF instructions to manipulate address sets (add, remove, lookup)
and pick a datastore to use to support it.

In doing that the benefits can thereafter be applied to other programs
(such as tcpdump) that have a large list of entities that need to be
matched against.

Darren
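As an added illustration of the verification argument made in the reply above (this is example code written for this page, not code from either poster and not NetBSD's own bpf_validate()), the checker below walks a classic BPF program once before it runs: every jump must land forward and inside the program, scratch-memory indices must stay in bounds, the last instruction must be a RET, and any BPF_MISC sub-opcode other than the register transfers TAX/TXA is refused. The opcode constants follow the classic BPF encoding; HYPOTHETICAL_COP is a placeholder value standing in for an external-call instruction and makes no claim about how BPF_COP would actually be encoded. The sample programs are constructed for the example.

```c
/* Minimal static checker for classic BPF programs (added example).
 * Shows why a self-contained program can be verified before execution and
 * why an opcode that calls out to arbitrary code cannot be. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

/* Instruction classes and sub-fields of the classic BPF encoding. */
#define BPF_CLASS(c)  ((c) & 0x07)
#define BPF_LD    0x00
#define BPF_LDX   0x01
#define BPF_ST    0x02
#define BPF_STX   0x03
#define BPF_ALU   0x04
#define BPF_JMP   0x05
#define BPF_RET   0x06
#define BPF_MISC  0x07
#define BPF_SIZE(c)   ((c) & 0x18)
#define BPF_H     0x08
#define BPF_MODE(c)   ((c) & 0xe0)
#define BPF_ABS   0x20
#define BPF_MEM   0x60
#define BPF_OP(c)     ((c) & 0xf0)
#define BPF_JA    0x00
#define BPF_JEQ   0x10
#define BPF_DIV   0x30
#define BPF_SRC(c)    ((c) & 0x08)
#define BPF_K     0x00
#define BPF_MISCOP(c) ((c) & 0xf8)
#define BPF_TAX   0x00
#define BPF_TXA   0x80
#define BPF_MEMWORDS 16

/* Placeholder for an "external call" sub-opcode; NOT a real BPF encoding. */
#define HYPOTHETICAL_COP 0x20

/* Returns 1 if the program can be run safely, 0 if it must be rejected. */
int bpf_check(const struct bpf_insn *f, size_t len)
{
    if (len == 0 || len > 4096)
        return 0;
    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *p = &f[i];
        switch (BPF_CLASS(p->code)) {
        case BPF_LD:
        case BPF_LDX:
            /* Scratch memory references must stay inside the 16-word area. */
            if (BPF_MODE(p->code) == BPF_MEM && p->k >= BPF_MEMWORDS)
                return 0;
            break;
        case BPF_ST:
        case BPF_STX:
            if (p->k >= BPF_MEMWORDS)
                return 0;
            break;
        case BPF_ALU:
            /* Division by a constant zero is caught before the program runs. */
            if (BPF_OP(p->code) == BPF_DIV && BPF_SRC(p->code) == BPF_K && p->k == 0)
                return 0;
            break;
        case BPF_JMP:
            /* Jumps are forward-only and must land inside the program, which
             * is what guarantees termination without running the code. */
            if (BPF_OP(p->code) == BPF_JA) {
                if (p->k >= len - i - 1)
                    return 0;
            } else {
                if (i + 1 + p->jt >= len || i + 1 + p->jf >= len)
                    return 0;
            }
            break;
        case BPF_RET:
            break;
        case BPF_MISC:
            /* Only register transfers are known. Anything else, such as an
             * instruction that calls an external function, cannot be
             * reasoned about from the program alone and is refused. */
            if (BPF_MISCOP(p->code) != BPF_TAX && BPF_MISCOP(p->code) != BPF_TXA)
                return 0;
            break;
        }
    }
    /* Control may leave the program only through a RET. */
    return BPF_CLASS(f[len - 1].code) == BPF_RET;
}

/* Constructed sample programs. */
const struct bpf_insn accept_ipv4[] = {        /* accept if ethertype == 0x0800 */
    { BPF_LD | BPF_H | BPF_ABS, 0, 0, 12 },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 0x0800 },
    { BPF_RET | BPF_K, 0, 0, 0xffffffffu },
    { BPF_RET | BPF_K, 0, 0, 0 },
};
const struct bpf_insn calls_coprocessor[] = {  /* uses the placeholder opcode */
    { BPF_LD | BPF_H | BPF_ABS, 0, 0, 12 },
    { BPF_MISC | HYPOTHETICAL_COP, 0, 0, 0 },
    { BPF_RET | BPF_K, 0, 0, 0 },
};
const struct bpf_insn jumps_out[] = {          /* jump target outside program */
    { BPF_JMP | BPF_JA, 0, 0, 10 },
    { BPF_RET | BPF_K, 0, 0, 0 },
};
const struct bpf_insn no_ret[] = {             /* falls off the end */
    { BPF_LD | BPF_H | BPF_ABS, 0, 0, 12 },
    { BPF_MISC | BPF_TAX, 0, 0, 0 },
};

#define NINSN(a) (sizeof(a) / sizeof((a)[0]))

int main(void)
{
    printf("accept_ipv4: %d\n", bpf_check(accept_ipv4, NINSN(accept_ipv4)));
    printf("calls_coprocessor: %d\n", bpf_check(calls_coprocessor, NINSN(calls_coprocessor)));
    printf("jumps_out: %d\n", bpf_check(jumps_out, NINSN(jumps_out)));
    printf("no_ret: %d\n", bpf_check(no_ret, NINSN(no_ret)));
    return 0;
}
```

The point of the checker is that every property it enforces is decidable by looking at the instruction array alone; once an instruction may transfer control to code outside the array, there is nothing left for the checker to inspect, which is why the reply above treats such an opcode as a break in the model rather than a feature to be validated.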


