From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:60358
	"EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1752830AbeBSPDE (ORCPT );
	Mon, 19 Feb 2018 10:03:04 -0500
Date: Mon, 19 Feb 2018 15:59:35 +0100
From: Florian Westphal
To: David Miller
Cc: daniel@iogearbox.net, laforge@gnumonks.org, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org, alexei.starovoitov@gmail.com
Subject: Re: [PATCH RFC 0/4] net: add bpfilter
Message-ID: <20180219145935.GE6333@breakpoint.cc>
References: <20180216134023.15536-1-daniel@iogearbox.net>
	<20180217121145.GI7843@nataraja>
	<5a7f90b2-9613-3e98-39da-215db230b2f0@iogearbox.net>
	<20180219.100051.1763083913140481624.davem@davemloft.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180219.100051.1763083913140481624.davem@davemloft.net>
Sender: netdev-owner@vger.kernel.org
List-ID:

David Miller wrote:
> From: Daniel Borkmann
> Date: Mon, 19 Feb 2018 13:03:17 +0100
>
> > Thought was that it would be more suitable to push all the complexity of
> > such translation into user space which brings couple of additional advantages
> > as well: the translation can become very complex and thus it would contain
> > all of it behind syscall boundary where natural path of loading programs
> > would go via verifier. Given the tool would reside in user space, it would
> > also allow to ease development and testing can happen w/o recompiling the
> > kernel. It would allow for all the clang sanitizers to run there and for
> > having a comprehensive test suite to verify and dry test translations against
> > traffic test patterns (e.g. bpf infra would provide possibilities on this
> > w/o complex setup). Given normal user mode helpers make this rather painful
> > since they need to be shipped as extra package by the various distros, the
> > idea was that the module loader back end could treat umh similarly as kernel
> > modules and hook them in through request_module() approach while still
> > operating out of user space. In any case, I could imagine this approach might
> > be interesting and useful in general also for other subsystems requiring
> > umh in one way or another.
>
> Yes, this is a very powerful new facility.
>
> It also means that the scope of developers who can contribute and work
> on the translator is much larger.

How so? Translator is in userspace in nftables case too?