Re: BPF_MISC+BPF_COP and BPF_COPX

To: tech-net%netbsd.org@localhost
Subject: Re: BPF_MISC+BPF_COP and BPF_COPX
From: Joerg Sonnenberger <joerg%britannica.bec.de@localhost>
Date: Wed, 7 Aug 2013 21:18:49 +0200

On Thu, Aug 08, 2013 at 01:35:24AM +1000, Darren Reed wrote:
> A BPF program is an entity that can be verified as correct from a
> security perspective.It is also self contained and requires no
> external references in order to understand.

How is this relevant for the discussion?

> > It provides us a capability to offload more complex packet processing.
> > My primary user would be NPF in NetBSD, e.g. one of the operations is to
> > lookup an IP address in a table/ipset.
> 
> Then add BPF instructions to manipulate address sets (add, remove, lookup)
> and pick a datastore to use to support it.

How is that more useful than the proposal?

The BPF design has some serious limitations for modern network
protocols. For example, the forward-jump-only property makes it
impossible to write rules for protocols with arbitrary header
composition. While it is not desirable to completely remove this
restriction, the proposal could help to deal with many of the
interesting case efficently.

> In doing that the benefits can thereafter be applied to other programs
> (such as tcpdump) that have a large list of entities that need to be
> matched against.

tcpdump would just as well use the BPF extensions provided here.

Joerg

References:
- BPF_MISC+BPF_COP and BPF_COPX
  - From: Mindaugas Rasiukevicius
- Re: BPF_MISC+BPF_COP and BPF_COPX
  - From: Darren Reed

Prev by Date: Re: BPF_MISC+BPF_COP and BPF_COPX
Next by Date: Re: BPF_MISC+BPF_COP and BPF_COPX
Previous by Thread: Re: BPF_MISC+BPF_COP and BPF_COPX
Next by Thread: Re: BPF_MISC+BPF_COP and BPF_COPX (summary and patch)
Indexes:

Home | Main Index | Thread Index | Old Index