Date: Thu, 08 Aug 2013 01:35:24 +1000
From: Darren Reed <darrenr@netbsd.org>
To: Mindaugas Rasiukevicius <rmind@netbsd.org>
Cc: tech-net@netbsd.org, guy@alum.mit.edu, freebsd-net@freebsd.org
Subject: Re: BPF_MISC+BPF_COP and BPF_COPX
Message-ID: <5202693C.50608@netbsd.org>
In-Reply-To: <20130804191310.2FFBB14A152@mail.netbsd.org>
References: <20130804191310.2FFBB14A152@mail.netbsd.org>
On 5/08/2013 5:12 AM, Mindaugas Rasiukevicius wrote:
> Hello,
>
> I would like to propose new BPF instructions for the misc category: BPF_COP
> and BPF_COPX. It would provide a capability of calling an external
> function - think of BPF "coprocessor".

No. A BPF program is an entity that can be verified as correct from a
security perspective. It is also self contained and requires no external
references in order to understand. This change breaks the BPF security
model because now the BPF program is calling out to some random function
as part of the packet matching.

> It provides us a capability to offload more complex packet processing.
> My primary user would be NPF in NetBSD, e.g. one of the operations is to
> lookup an IP address in a table/ipset.

Then add BPF instructions to manipulate address sets (add, remove, lookup)
and pick a datastore to use to support it. In doing that the benefits can
thereafter be applied to other programs (such as tcpdump) that have a
large list of entities that need to be matched against.

Darren
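The verifiability argument in the message above can be made concrete with a small static checker. The following is an added example, not code from this thread, from NetBSD or from NPF: it is a Python validator written in the spirit of the BSD kernel's bpf_validate() for classic BPF. The opcode constants are the public classic-BPF encodings; the "coprocessor" opcode it rejects is a constructed placeholder (the thread does not give the proposed encoding), and the sample filters are constructed for the example. The point it shows is that every instruction of a self-contained program can be checked in isolation, jump targets can be bounded, and termination follows from forward-only jumps, whereas an instruction whose semantics live in an external function is opaque to such a check and has to be refused.

```python
"""Minimal classic-BPF validator (added example, modelled on bpf_validate())."""
from collections import namedtuple

Insn = namedtuple("Insn", "code jt jf k")

# Instruction classes (low three bits of the 16-bit opcode).
BPF_LD, BPF_LDX, BPF_ST, BPF_STX = 0x00, 0x01, 0x02, 0x03
BPF_ALU, BPF_JMP, BPF_RET, BPF_MISC = 0x04, 0x05, 0x06, 0x07
BPF_MEM = 0x60                  # LD/LDX addressing mode: scratch memory
BPF_DIV, BPF_MOD = 0x30, 0x90   # ALU ops that can divide by zero
BPF_JA = 0x00                   # unconditional jump
BPF_K, BPF_X = 0x00, 0x08       # operand source: constant or index register
BPF_TAX, BPF_TXA = 0x00, 0x80   # the only two legitimate BPF_MISC ops
BPF_MEMWORDS = 16               # scratch cells in the classic VM

def bpf_class(code):  return code & 0x07
def bpf_mode(code):   return code & 0xe0
def bpf_op(code):     return code & 0xf0
def bpf_src(code):    return code & 0x08
def bpf_miscop(code): return code & 0xf8

def validate(prog):
    """Return (True, "ok") if every instruction is a known, self-contained
    operation and every jump lands inside the program, else (False, reason).
    Classic BPF jumps are unsigned forward offsets, so an in-range program
    cannot loop: accepting it also proves termination."""
    n = len(prog)
    if n == 0:
        return False, "empty program"
    for i, ins in enumerate(prog):
        cls = bpf_class(ins.code)
        if cls in (BPF_LD, BPF_LDX):
            if bpf_mode(ins.code) == BPF_MEM and ins.k >= BPF_MEMWORDS:
                return False, f"insn {i}: scratch index {ins.k} out of range"
        elif cls in (BPF_ST, BPF_STX):
            if ins.k >= BPF_MEMWORDS:
                return False, f"insn {i}: scratch index {ins.k} out of range"
        elif cls == BPF_ALU:
            if (bpf_op(ins.code) in (BPF_DIV, BPF_MOD)
                    and bpf_src(ins.code) == BPF_K and ins.k == 0):
                return False, f"insn {i}: division by constant zero"
        elif cls == BPF_JMP:
            if bpf_op(ins.code) == BPF_JA:
                if i + 1 + ins.k >= n:
                    return False, f"insn {i}: jump target out of range"
            elif i + 1 + ins.jt >= n or i + 1 + ins.jf >= n:
                return False, f"insn {i}: branch target out of range"
        elif cls == BPF_RET:
            pass
        elif cls == BPF_MISC:
            # Anything other than register moves is unknown to the verifier;
            # an opcode that calls out of the VM lands here and is refused.
            if bpf_miscop(ins.code) not in (BPF_TAX, BPF_TXA):
                return False, f"insn {i}: unknown BPF_MISC op 0x{ins.code:02x}"
    if bpf_class(prog[-1].code) != BPF_RET:
        return False, "program does not end in BPF_RET"
    return True, "ok"

# "ip" on Ethernet in the classic encoding (constructed sample for this example).
IP_FILTER = [
    Insn(0x28, 0, 0, 12),       # ldh [12]           load the EtherType
    Insn(0x15, 0, 1, 0x0800),   # jeq #0x800 jt 2 jf 3
    Insn(0x06, 0, 0, 0x40000),  # ret #262144        accept
    Insn(0x06, 0, 0, 0),        # ret #0             drop
]

# Constructed placeholder for a hypothetical "call external function" opcode
# in the BPF_MISC class.  This is NOT the encoding proposed in the thread.
HYPOTHETICAL_COP = BPF_MISC | 0x20
COP_FILTER = [
    Insn(0x28, 0, 0, 12),
    Insn(HYPOTHETICAL_COP, 0, 0, 0),  # semantics live outside the program
    Insn(0x15, 0, 1, 0x0800),
    Insn(0x06, 0, 0, 0x40000),
    Insn(0x06, 0, 0, 0),
]

# Constructed: a branch whose false target lies past the end of the program.
BAD_JUMP = [
    Insn(0x28, 0, 0, 12),
    Insn(0x15, 0, 5, 0x0800),
    Insn(0x06, 0, 0, 0x40000),
    Insn(0x06, 0, 0, 0),
]

if __name__ == "__main__":
    for name, prog in (("IP_FILTER", IP_FILTER), ("COP_FILTER", COP_FILTER),
                       ("BAD_JUMP", BAD_JUMP)):
        print(name, validate(prog))
```

Running the block prints an acceptance for the plain filter and a rejection reason for the other two. The checker never needs to look at anything outside the instruction array, which is exactly the property the message argues an external-call instruction would take away.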