svn commit: r243914 - projects/bpfjit

Jung-uk Kim jkim at FreeBSD.org
Thu Dec 6 18:12:00 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2012-12-06 03:49:36 -0500, Roman Divacky wrote:
> Hi,
> 
> David Chisnall started bpf jitter based on llvm. You can check it
> out here:
> 
> http://people.freebsd.org/~theraven/bpfjit/
> 
> 
> It's based on the idea of jitting the code in userspace and
> passing the resulting code to the kernel via some interface (this
> part is not done yet).

Long time ago (about 10 years ago), I implemented something like that
(i.e., compile BPF program to native machine code in userspace, then
upload to kernel space) for my $job but I quickly replace it with
BPF_JITTER for several reasons.  First of all, there is a big security
risk.  A BPF filter program can be easily validated by kernel with
bpf_validate(9).  We cannot do that for native machine code and we
must not allow uploading arbitrary code to kernel space.  You may say
it is well protected by /dev/bpf permissions but it is not good
enough, i.e., all you need is read permission to inject code to kernel
space.
Second, LLVM is too heavy for BPF filter machine.  For example,
libtrace did that long ago:

http://www.wand.net.nz/trac/libtrace/changeset/1586

Someone actually benchmarked it with other JIT implementations:

http://carnivore.it/2011/12/28/bpf_performance

LLVM compilation took too much time to be useful:

engine		filter cycles	compile cycles
- ---------------+---------------+----------------
jit-linux 	106468		33126+72796
jit-freebsd 	113958		48292+72796
llvm 		157394		380843640+72796
pcap 		276910		72796
linux	 	351391		9245+72796

I haven't tried theraven's implementation but I am afraid the result
may be similar.  On top of that, it cannot be easily embedded in kernel.

BTW, NetBSD actually imported my BPF_JITTER first, then it was
replaced by bpfjit:

http://mail-index.netbsd.org/tech-net/2012/08/19/msg003619.html
http://mail-index.netbsd.org/source-changes/2012/10/27/msg038310.html

I wanted to try it out because I think it has great potential. ;-)

Jung-uk Kim
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)

iQEcBAEBAgAGBQJQwN+wAAoJECXpabHZMqHObcIH/0VN0ssRB9nNPwKq0WnxYZdO
7rnhymuYh8gRIGXkcHAu1ma/egJFk7tFTx37fm1q9iT/f+1TB2U5ZNi+6h9pnxSl
W7U+yrEFvE4FkI6xnHq26amLTAQv3xdmNhB67M+glXj+emRuFfckgShnvgd4brRy
ZJnaqJ3frCXld/1WG7dSmq1OIN4mT/7stw6BwwtzrkbdtcTQRgukNIFEyObMmReE
RNligaB0l2Yj0S+6lI+6VQTyDc7NhSHMAUw32F385EuKYcJwkrj24eYxbCcWyP+g
+9lGAYhLUOXUfM+7IISwdguWnQnIcpOxvo4I2shAglJYygnN+hSXZWn9IzTU5Gw=
=4Ov6
-----END PGP SIGNATURE-----

More information about the svn-src-projects mailing list