svn commit: r243914 - projects/bpfjit

Aleksandr Rybalko ray at freebsd.org
Sat Dec 8 13:24:57 UTC 2012 

On Thu, 06 Dec 2012 13:10:56 -0500
Jung-uk Kim <jkim at FreeBSD.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 2012-12-06 03:49:36 -0500, Roman Divacky wrote:
> > Hi,
> > 
> > David Chisnall started bpf jitter based on llvm. You can check it
> > out here:
> > 
> > http://people.freebsd.org/~theraven/bpfjit/
> > 
> > 
> > It's based on the idea of jitting the code in userspace and
> > passing the resulting code to the kernel via some interface (this
> > part is not done yet).
> 
> Long time ago (about 10 years ago), I implemented something like that
> (i.e., compile BPF program to native machine code in userspace, then
> upload to kernel space) for my $job but I quickly replace it with
> BPF_JITTER for several reasons.  First of all, there is a big security
> risk.  A BPF filter program can be easily validated by kernel with
> bpf_validate(9).  We cannot do that for native machine code and we
> must not allow uploading arbitrary code to kernel space.  You may say
> it is well protected by /dev/bpf permissions but it is not good
> enough, i.e., all you need is read permission to inject code to kernel
> space.
> Second, LLVM is too heavy for BPF filter machine.  For example,

+1
Embedded FreeBSD will lost BPF if LLVM will be used for compilation :)

> libtrace did that long ago:
> 
> http://www.wand.net.nz/trac/libtrace/changeset/1586
> 
> Someone actually benchmarked it with other JIT implementations:
> 
> http://carnivore.it/2011/12/28/bpf_performance
> 
> LLVM compilation took too much time to be useful:
> 
> engine		filter cycles	compile cycles
> - ---------------+---------------+----------------
> jit-linux 	106468		33126+72796
> jit-freebsd 	113958		48292+72796
> llvm 		157394		380843640+72796
> pcap 		276910		72796
> linux	 	351391		9245+72796
> 
> I haven't tried theraven's implementation but I am afraid the result
> may be similar.  On top of that, it cannot be easily embedded in
> kernel.
> 
> BTW, NetBSD actually imported my BPF_JITTER first, then it was
> replaced by bpfjit:
> 
> http://mail-index.netbsd.org/tech-net/2012/08/19/msg003619.html
> http://mail-index.netbsd.org/source-changes/2012/10/27/msg038310.html
> 
> I wanted to try it out because I think it has great potential. ;-)
> 
> Jung-uk Kim
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.19 (FreeBSD)
> 
> iQEcBAEBAgAGBQJQwN+wAAoJECXpabHZMqHObcIH/0VN0ssRB9nNPwKq0WnxYZdO
> 7rnhymuYh8gRIGXkcHAu1ma/egJFk7tFTx37fm1q9iT/f+1TB2U5ZNi+6h9pnxSl
> W7U+yrEFvE4FkI6xnHq26amLTAQv3xdmNhB67M+glXj+emRuFfckgShnvgd4brRy
> ZJnaqJ3frCXld/1WG7dSmq1OIN4mT/7stw6BwwtzrkbdtcTQRgukNIFEyObMmReE
> RNligaB0l2Yj0S+6lI+6VQTyDc7NhSHMAUw32F385EuKYcJwkrj24eYxbCcWyP+g
> +9lGAYhLUOXUfM+7IISwdguWnQnIcpOxvo4I2shAglJYygnN+hSXZWn9IzTU5Gw=
> =4Ov6
> -----END PGP SIGNATURE-----


-- 
Aleksandr Rybalko <ray at freebsd.org>

More information about the svn-src-projects mailing list