Date:      Wed, 28 Dec 2011 11:42:51 +0100
From:      Luigi Rizzo <rizzo@iet.unipi.it>
To:        Lev Serebryakov <lev@freebsd.org>
Cc:        Pawel Tyll <ptyll@nitronet.pl>, Adrian Chadd <adrian@freebsd.org>, "Alexander V. Chernikov" <melifaro@freebsd.org>, Mike Tancsa <mike@sentex.net>, freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject:   Re: Firewall Profiling.
Message-ID:  <20111228104251.GB74183@onelab2.iet.unipi.it>
In-Reply-To: <444957640.20111228102844@serebryakov.spb.ru>
References:  <1498545030.20111227015431@nitronet.pl> <4EF9ADBC.8090402@FreeBSD.org> <4EFA3F6F.9040404@sentex.net> <4EFA40D7.60206@FreeBSD.org> <CAJ-Vmo=XL2+MSV+BYCy6QpQ9Q+o9=qCajQezDaMo+J96CoRbkQ@mail.gmail.com> <444957640.20111228102844@serebryakov.spb.ru>

On Wed, Dec 28, 2011 at 10:28:44AM +0400, Lev Serebryakov wrote:
> Hello, Adrian.
> You wrote on 28 December 2011, 10:04:13:
> 
> > Maybe someone should write one and open source it this time.. :)
>   With LLVM in the base system, it looks like we should generate
> native code from IPFW bytecodes, without intermediate C code :)
>   Looks doable!

There is a problem here. You have to trust the native code
before allowing its execution in the kernel. So either you
implement some form of sandboxing or code validator
before accepting a blob of native code from the setsockopt(),
or you generate the code directly within the kernel.
But with these sizes you cannot embed clang or gcc in the kernel:

> size /usr/bin/clang
   text    data     bss     dec     hex filename
31892505         538200   76544 32507249        1f00571 /usr/bin/clang
> size /usr/libexec/cc1
   text    data     bss     dec     hex filename
6172008   39800  723320 6935128  69d258 /usr/libexec/cc1

maybe you can embed tcc or libtcc:

> size `which tcc`
   text    data     bss     dec     hex filename
 127573     600   42680  170853   29b65 /usr/local/bin/tcc

though I would guess that a custom code generator is probably simpler
to write (perhaps reusing sys/i386/i386/bpf_jit_machdep.c and its
amd64 counterpart)

cheers
luigi
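The trust boundary Luigi describes, as an added example that is not part of this thread or of ipfw: a hypothetical rule bytecode (the opcodes OP_LD_SRC, OP_LD_DPORT, OP_JEQ, OP_ACCEPT and OP_DENY, the functions validate, run, install_rules and filter, and the sample programs are all constructed for this illustration and are not ipfw's real encoding) with the kind of check bpf_validate() does before the kernel will run or JIT a program: only known opcodes, jump targets inside the program and forward-only so execution is bounded, and a terminating last instruction. A program that passes is one the kernel could safely hand to its own in-kernel code generator; one that fails is never installed, and no native blob from userland is ever executed.

```c
/*
 * Added example (not from the mailing-list thread or from ipfw).
 * A hypothetical rule bytecode plus the validator that a kernel would run
 * at setsockopt() time before installing, interpreting or JIT-compiling it.
 */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum op {               /* hypothetical opcodes, not ipfw's encoding */
    OP_LD_SRC = 1,      /* acc = packet source address   */
    OP_LD_DPORT,        /* acc = packet destination port */
    OP_JEQ,             /* if (acc == k) skip the next jt instructions */
    OP_ACCEPT,
    OP_DENY
};

struct insn { uint8_t op; uint8_t jt; uint32_t k; };
struct pkt  { uint32_t src; uint16_t dport; };

#define MAX_INSNS 64

/* Returns 0 if the program is safe to run, a negative code otherwise. */
int validate(const struct insn *prog, size_t n)
{
    if (n == 0 || n > MAX_INSNS)
        return -1;                              /* empty or oversized blob */
    for (size_t i = 0; i < n; i++) {
        switch (prog[i].op) {
        case OP_LD_SRC: case OP_LD_DPORT:
        case OP_ACCEPT: case OP_DENY:
            break;
        case OP_JEQ:
            /* Target must stay inside the program and move forward;
             * forward-only jumps rule out loops, so a run takes <= n steps. */
            if (prog[i].jt == 0 || i + 1 + (size_t)prog[i].jt >= n)
                return -2;
            break;
        default:
            return -3;                          /* unknown opcode */
        }
    }
    /* With forward-only jumps every path reaches prog[n-1] unless it
     * terminated earlier, so the last instruction must terminate. */
    if (prog[n - 1].op != OP_ACCEPT && prog[n - 1].op != OP_DENY)
        return -4;
    return 0;
}

/* Interpreter for a validated program: 1 = accept, 0 = deny. */
int run(const struct insn *prog, size_t n, const struct pkt *p)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (prog[pc].op) {
        case OP_LD_SRC:   acc = p->src;   break;
        case OP_LD_DPORT: acc = p->dport; break;
        case OP_JEQ:      if (acc == prog[pc].k) pc += prog[pc].jt; break;
        case OP_ACCEPT:   return 1;
        case OP_DENY:     return 0;
        }
    }
    return 0;   /* unreachable for a program that passed validate() */
}

/* "Kernel side": the only way a program gets installed is via validate(). */
static struct insn installed[MAX_INSNS];
static size_t installed_len;

int install_rules(const struct insn *blob, size_t n)
{
    int rc = validate(blob, n);
    if (rc != 0)
        return rc;
    memcpy(installed, blob, n * sizeof *blob);
    installed_len = n;
    return 0;
}

int filter(uint32_t src, uint16_t dport)
{
    struct pkt p = { src, dport };
    return run(installed, installed_len, &p);
}

/* Constructed sample program: deny port 23 unless the source is 10.0.0.1,
 * accept everything else. */
const struct insn good_prog[] = {
    { OP_LD_DPORT, 0, 0 },
    { OP_JEQ,      1, 23 },          /* dport == 23 -> skip the ACCEPT */
    { OP_ACCEPT,   0, 0 },
    { OP_LD_SRC,   0, 0 },
    { OP_JEQ,      1, 0x0A000001 },  /* src == 10.0.0.1 -> skip the DENY */
    { OP_DENY,     0, 0 },
    { OP_ACCEPT,   0, 0 },
};
const size_t good_len = sizeof good_prog / sizeof good_prog[0];

/* Constructed hostile blobs that the validator must reject. */
const struct insn jump_out[]   = { { OP_LD_SRC, 0, 0 }, { OP_JEQ, 200, 1 }, { OP_DENY, 0, 0 } };
const struct insn bad_opcode[] = { { 0x7f, 0, 0 }, { OP_DENY, 0, 0 } };
const struct insn no_term[]    = { { OP_LD_DPORT, 0, 0 } };

int main(void)
{
    assert(install_rules(good_prog, good_len) == 0);
    printf("10.0.0.1:23    -> %d\n", filter(0x0A000001, 23));
    printf("192.168.1.5:23 -> %d\n", filter(0xC0A80105, 23));
    printf("rejected blobs: %d %d %d\n",
           validate(jump_out, 3), validate(bad_opcode, 2), validate(no_term, 1));
    return 0;
}
```

The property the validator buys is the one a native-code path cannot offer cheaply: because every accepted program is straight-line with forward branches and a terminating tail, a JIT in the style of bpf_jit_machdep.c can emit it as a fixed sequence of loads, compares and forward jumps with no need to reason about the blob after the fact, and the interpreter and the generated code are both bounded by the program length.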
