Date: Thu, 06 Dec 2012 13:10:56 -0500 From: Jung-uk Kim <jkim@FreeBSD.org> To: Roman Divacky <rdivacky@freebsd.org> Cc: svn-src-projects@freebsd.org, src-committers@freebsd.org Subject: Re: svn commit: r243914 - projects/bpfjit Message-ID: <50C0DFB0.6030007@FreeBSD.org> In-Reply-To: <20121206084936.GA58940@freebsd.org> References: <201212052312.qB5NC2Hn056351@svn.freebsd.org> <20121206084936.GA58940@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2012-12-06 03:49:36 -0500, Roman Divacky wrote: > Hi, > > David Chisnall started bpf jitter based on llvm. You can check it > out here: > > http://people.freebsd.org/~theraven/bpfjit/ > > > It's based on the idea of jitting the code in userspace and > passing the resulting code to the kernel via some interface (this > part is not done yet). Long time ago (about 10 years ago), I implemented something like that (i.e., compile BPF program to native machine code in userspace, then upload to kernel space) for my $job but I quickly replace it with BPF_JITTER for several reasons. First of all, there is a big security risk. A BPF filter program can be easily validated by kernel with bpf_validate(9). We cannot do that for native machine code and we must not allow uploading arbitrary code to kernel space. You may say it is well protected by /dev/bpf permissions but it is not good enough, i.e., all you need is read permission to inject code to kernel space. Second, LLVM is too heavy for BPF filter machine. For example, libtrace did that long ago: http://www.wand.net.nz/trac/libtrace/changeset/1586 Someone actually benchmarked it with other JIT implementations: http://carnivore.it/2011/12/28/bpf_performance LLVM compilation took too much time to be useful: engine filter cycles compile cycles - ---------------+---------------+---------------- jit-linux 106468 33126+72796 jit-freebsd 113958 48292+72796 llvm 157394 380843640+72796 pcap 276910 72796 linux 351391 9245+72796 I haven't tried theraven's implementation but I am afraid the result may be similar. On top of that, it cannot be easily embedded in kernel. BTW, NetBSD actually imported my BPF_JITTER first, then it was replaced by bpfjit: http://mail-index.netbsd.org/tech-net/2012/08/19/msg003619.html http://mail-index.netbsd.org/source-changes/2012/10/27/msg038310.html I wanted to try it out because I think it has great potential. ;-) Jung-uk Kim -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iQEcBAEBAgAGBQJQwN+wAAoJECXpabHZMqHObcIH/0VN0ssRB9nNPwKq0WnxYZdO 7rnhymuYh8gRIGXkcHAu1ma/egJFk7tFTx37fm1q9iT/f+1TB2U5ZNi+6h9pnxSl W7U+yrEFvE4FkI6xnHq26amLTAQv3xdmNhB67M+glXj+emRuFfckgShnvgd4brRy ZJnaqJ3frCXld/1WG7dSmq1OIN4mT/7stw6BwwtzrkbdtcTQRgukNIFEyObMmReE RNligaB0l2Yj0S+6lI+6VQTyDc7NhSHMAUw32F385EuKYcJwkrj24eYxbCcWyP+g +9lGAYhLUOXUfM+7IISwdguWnQnIcpOxvo4I2shAglJYygnN+hSXZWn9IzTU5Gw= =4Ov6 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50C0DFB0.6030007>