| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <552517E2.2070709@mojatatu.com> Date: Wed, 08 Apr 2015 07:58:26 -0400 From: Jamal Hadi Salim <jhs@...atatu.com> To: Thomas Graf <tgraf@...g.ch>, Daniel Borkmann <daniel@...earbox.net> CC: stephen@...workplumber.org, ast@...mgrid.com, jiri@...nulli.us, netdev@...r.kernel.org Subject: Re: [PATCH iproute2 -next] tc, bpf: finalize eBPF support for cls and act front-end Maybe i should be reading backwards;-> But i skipped a few emails instead. On 04/01/15 18:30, Thomas Graf wrote: > On 04/01/15 at 04:13pm, Daniel Borkmann wrote: >> I see it as a way to offer a generic, fast and 'safe' option for >> classifier and action developers to have a programmable data path >> in the traffic control subsystem in the kernel, which I think is >> very powerful and important in various use-cases. I regard it as >> a similar way and elegant solution as tcpdump or nftables resolve >> their problems internally, in other words, to provide a _generic_ >> solution to address _specific, customized_ issues. Perhaps an anti >> feature-bloat, if you will. ;) My viewpoint is that this ties well >> together into the kernel landscape, and also makes us improve >> various other subsystems that it makes use of, successively. > > Alexei will remember that I gave him a hard time with the exact > same remarks as Jamal brought up when he presented this in New > Orleans ;-) > I think you hit on my concern. The potential of another frankestein exists here. > What turned my viewpoint around was the knowledge that function > calls are limited. eBPF programs can only make calls to functions > which have been specifically whitelisted for eBPF programs. This > policy is enforced by the kernel through the verifier. Exported > symbols are not automatically whitelisted. So an eBPF program > can't call into drivers or use arbitrary kernel APIs and is thus > a lot more restricted than a kernel module. > I havent seen much restriction in the sample code posted by Daniel. Dont get me wrong, I like ebpf (when ovs was being presented i didnt say I liked it, but if you recall did protest the frankestein factor). cheers, jamal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists