From: Daniel Borkmann <dborkman@redhat.com>
To: David Miller <davem@davemloft.net>
Cc: ast@plumgrid.com, pablo@netfilter.org, mingo@kernel.org,
wad@chromium.org, rostedt@goodmis.org, a.p.zijlstra@chello.nl,
hpa@zytor.com, hagen@jauu.net, jesse@nicira.com,
tglx@linutronix.de, edumazet@google.com,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
fweisbec@gmail.com, acme@infradead.org, penberg@iki.fi,
arjan@infradead.org, hch@infradead.org, xemul@parallels.com,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH v10 net-next 1/3] filter: add Extended BPF interpreter and converter
Date: Sat, 15 Mar 2014 20:53:55 +0100 [thread overview]
Message-ID: <5324AFD3.8040804@redhat.com> (raw)
In-Reply-To: <20140314.160851.1134730495663127657.davem@davemloft.net>
On 03/14/2014 09:08 PM, David Miller wrote:
> From: Alexei Starovoitov <ast@plumgrid.com>
> Date: Fri, 14 Mar 2014 12:51:17 -0700
>
>> can you please explain why the status of these
>> patches is 'deferred' in patchwork ?
>> Is it because of bpf vs nft thread?
>> I think that's orthogonal.
>
> I do not find it orthogonal, Pablo brings up some very valid points
> which I agree with.
>
> EBPF has a lot of the same user side interface limitations that the
> existing BPF has, and you refuse to accept this core point Pablo is
> making.
>
> That is, that it lacks extensibility, and is too strongly tied to the
> implementation.
>
> This is exactly how we run into problems in the future, and you'll be
> proposing EBPF_2.0 to address such problems.
Hm, so currently there's no interface where this is exposed to uapi,
and we surely can and should put the definitions back to the non-uapi
include to keep it inside the kernel, you're right.
I think, at least for me, the take-away of Alexei's work is, that
even (if we assume) without any further functionality, the new design
would greatly improve the interpreter (and presumably later on as
well JIT) performance based on Alexei's benchmarks, which would already
be a win for seccomp and socket filters and where ever they are being
used across the networking subsystem, and therefore out-of-the-box
without any changes for user space applications such as libpcap.
I was thinking that it could be an option to make this transparently
available to everyone, by just dropping the bpf_ext_enable knob, and
perhaps just replace the old BPF interpreter entirely in this set?
So the process would be: 1) test if normal BPF filter can be JIT'ed,
go for it, if it's not supported by JIT (or if it is disabled), run
it transparently in the new (non-exposed) BPF representation to have
a better overall performance.
Would that perhaps address the above concern? So on the big picture,
it provides a BPF performance improvement. I think if there's a wish
to extend the socket filtering api to run alternative interpreters,
such as nft, then that could still happen, of course.
next prev parent reply other threads:[~2014-03-15 19:53 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-12 21:43 [PATCH v10 net-next 0/3] filter: add Extended BPF interpreter and converter, seccomp Alexei Starovoitov
2014-03-12 21:43 ` [PATCH v10 net-next 1/3] filter: add Extended BPF interpreter and converter Alexei Starovoitov
2014-03-14 12:58 ` Pablo Neira Ayuso
2014-03-14 15:37 ` Alexei Starovoitov
2014-03-14 19:51 ` Alexei Starovoitov
2014-03-14 20:08 ` David Miller
2014-03-15 19:53 ` Daniel Borkmann [this message]
2014-03-17 9:16 ` Pablo Neira Ayuso
2014-03-12 21:43 ` [PATCH v10 net-next 2/3] seccomp: convert seccomp to use extended BPF Alexei Starovoitov
2014-03-12 21:43 ` [PATCH v10 net-next 3/3] doc: filter: add Extended BPF documentation Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5324AFD3.8040804@redhat.com \
--to=dborkman@redhat.com \
--cc=a.p.zijlstra@chello.nl \
--cc=acme@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=arjan@infradead.org \
--cc=ast@plumgrid.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fweisbec@gmail.com \
--cc=hagen@jauu.net \
--cc=hch@infradead.org \
--cc=hpa@zytor.com \
--cc=jesse@nicira.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=penberg@iki.fi \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=wad@chromium.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).