tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]


On Thu, Aug 08, 2013 at 01:35:24AM +1000, Darren Reed wrote:
> A BPF program is an entity that can be verified as correct from a
> security perspective.It is also self contained and requires no
> external references in order to understand.

How is this relevant for the discussion?

> > It provides us a capability to offload more complex packet processing.
> > My primary user would be NPF in NetBSD, e.g. one of the operations is to
> > lookup an IP address in a table/ipset.
> Then add BPF instructions to manipulate address sets (add, remove, lookup)
> and pick a datastore to use to support it.

How is that more useful than the proposal?

The BPF design has some serious limitations for modern network
protocols. For example, the forward-jump-only property makes it
impossible to write rules for protocols with arbitrary header
composition. While it is not desirable to completely remove this
restriction, the proposal could help to deal with many of the
interesting case efficently.

> In doing that the benefits can thereafter be applied to other programs
> (such as tcpdump) that have a large list of entities that need to be
> matched against.

tcpdump would just as well use the BPF extensions provided here.


Home | Main Index | Thread Index | Old Index