From mboxrd@z Thu Jan 1 00:00:00 1970
From: Daniel Borkmann
Subject: Re: [PATCH v2 net-next 0/2] split BPF out of core networking
Date: Mon, 02 Jun 2014 19:04:38 +0200
Message-ID: <538CAEA6.4060307@redhat.com>
References: <1401692506-7796-1-git-send-email-ast@plumgrid.com> <538C3C94.3080206@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "David S. Miller" , Ingo Molnar , Steven Rostedt , Chema Gonzalez , Eric Dumazet , Peter Zijlstra , Arnaldo Carvalho de Melo , Jiri Olsa , Thomas Gleixner , "H. Peter Anvin" , Andrew Morton , Kees Cook , Network Development , LKML
To: Alexei Starovoitov
Return-path:
In-Reply-To:
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

On 06/02/2014 05:41 PM, Alexei Starovoitov wrote:
...
> Glad you brought up this point :)
> 100% agree that current double verification done by seccomp is far from
> being generic and quite hard to maintain, since any change done to
> classic BPF verifier needs to be thought through from seccomp_check_filter()
> perspective as well.

Glad we're on the same page.

> BPF's input context, set of allowed calls need to be expressed in a generic way.
> Obviously this split by itself won't make classic BPF all of a sudden generic.
> It rather defines a boundary of eBPF core.

Note, I'm not at all against using it in tracing, I think it's probably
a good idea, but shouldn't we _first_ think about how to overcome such
deficits as above by improving upon its in-kernel API design, thus to
better prepare it to be generic? I feel this step is otherwise just
skipped and quickly 'hacked' around ... ;)