From owner-freebsd-net@FreeBSD.ORG Wed Aug 7 15:32:27 2013
Message-ID: <5202693C.50608@netbsd.org>
Date: Thu, 08 Aug 2013 01:35:24 +1000
From: Darren Reed
Organization: NetBSD
Reply-To: darrenr@netbsd.org
To: Mindaugas Rasiukevicius
Cc: tech-net@netbsd.org, guy@alum.mit.edu, freebsd-net@freebsd.org
Subject: Re: BPF_MISC+BPF_COP and BPF_COPX
References: <20130804191310.2FFBB14A152@mail.netbsd.org>
In-Reply-To: <20130804191310.2FFBB14A152@mail.netbsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On 5/08/2013 5:12 AM, Mindaugas Rasiukevicius wrote:
> Hello,
>
> I would like to propose new BPF instructions for the misc category: BPF_COP
> and BPF_COPX. It would provide a capability of calling an external
> function - think of BPF "coprocessor".

No. A BPF program is an entity that can be verified as correct from a
security perspective. It is also self-contained and requires no external
references in order to understand. This change breaks the BPF security
model because now the BPF program is calling out to some random function
as part of the packet matching.

> It provides us a capability to offload more complex packet processing.
> My primary user would be NPF in NetBSD, e.g. one of the operations is to
> look up an IP address in a table/ipset.

Then add BPF instructions to manipulate address sets (add, remove, lookup)
and pick a datastore to use to support it. In doing that the benefits can
thereafter be applied to other programs (such as tcpdump) that have a
large list of entities that need to be matched against.

Darren
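As an added illustration of the "verifiable and self-contained" property the reply relies on (example code written for this page, not NetBSD's or FreeBSD's own bpf_validate()): a minimal validator for classic BPF that accepts a program only when every instruction has an effect it fully understands, every jump is forward and in range, and the program ends in a return. The opcode values are the standard classic BPF ones; the "call-out" sub-opcode in the sample is a constructed placeholder, not the proposed BPF_COP encoding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Classic BPF opcode encoding; the values match <net/bpf.h>. */
#define BPF_CLASS(code)  ((code) & 0x07)
#define BPF_OP(code)     ((code) & 0xf0)
#define BPF_MISCOP(code) ((code) & 0xf8)
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03,
       BPF_ALU = 0x04, BPF_JMP = 0x05, BPF_RET = 0x06, BPF_MISC = 0x07 };
enum { BPF_JA = 0x00, BPF_TAX = 0x00, BPF_TXA = 0x80 };
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Accept a program only if every instruction has a fully known effect, every
 * jump lands forward inside the program (so it terminates) and it ends in RET. */
bool bpf_validate(const struct bpf_insn *p, size_t len)
{
    if (len == 0) return false;
    for (size_t i = 0; i < len; i++) {
        const struct bpf_insn *pc = &p[i];
        switch (BPF_CLASS(pc->code)) {
        case BPF_LD: case BPF_LDX: case BPF_ST: case BPF_STX: case BPF_ALU: case BPF_RET:
            break;
        case BPF_JMP:
            if (BPF_OP(pc->code) == BPF_JA) {
                if (pc->k >= len - i - 1) return false;      /* target is pc+1+k */
            } else if (i + 1 + pc->jt >= len || i + 1 + pc->jf >= len) {
                return false;                                /* both branch targets */
            }
            break;
        case BPF_MISC:
            /* Only register moves are known; a call out of the program is not describable. */
            if (BPF_MISCOP(pc->code) != BPF_TAX && BPF_MISCOP(pc->code) != BPF_TXA)
                return false;
            break;
        default:
            return false;
        }
    }
    return BPF_CLASS(p[len - 1].code) == BPF_RET;
}

int main(void)
{
    /* Constructed: "ld h [12]; jeq #0x800 jt=0 jf=1; ret #-1; ret #0" (IPv4 only). */
    struct bpf_insn ipv4[] = {{0x28, 0, 0, 12}, {0x15, 0, 1, 0x800}, {0x06, 0, 0, ~0u}, {0x06, 0, 0, 0}};
    /* Same filter with a made-up BPF_MISC sub-op (0x20) standing in for a call-out. */
    struct bpf_insn callout[] = {{0x28, 0, 0, 12}, {0x27, 0, 0, 1}, {0x06, 0, 0, 0}};
    printf("ipv4: %s, call-out: %s\n", bpf_validate(ipv4, 4) ? "valid" : "rejected",
           bpf_validate(callout, 3) ? "valid" : "rejected");
    return 0;
}
```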