On Wed, Nov 6, 2013 at 11:28 AM, Eric Dumazet eric.duma...@gmail.com wrote:
Actually, the new way [1] of doing this would be to use the 'Fixes:' tag
as in :
Fixes: 12 digits SHA1 (net: fix unsafe set_memory_rw from softirq)
[1] As discussed at last Kernel Summit
thx. good to know.
...@redhat.com
Cc: Alexei Starovoitov a...@plumgrid.com
Cc: Eric Dumazet eduma...@google.com
Cc: David S. Miller da...@davemloft.net
Signed-off-by: Andrey Vagin ava...@openvz.org
---
Acked-by: Alexei Starovoitov a...@plumgrid.com
Thanks!
] [811108e2] rcu_process_callbacks+0x202/0x7c0
[ 57.078962] [81057f17] __do_softirq+0xf7/0x3f0
[ 57.085373] [81058245] run_ksoftirqd+0x35/0x70
cannot reuse filter memory, since it's readonly, so have to
extend sk_filter with work_struct
Signed-off-by: Alexei Starovoitov
On Wed, Oct 2, 2013 at 9:23 PM, Eric Dumazet eric.duma...@gmail.com wrote:
On Wed, 2013-10-02 at 20:50 -0700, Alexei Starovoitov wrote:
on x86 system with net.core.bpf_jit_enable = 1
diff --git a/include/linux/filter.h b/include/linux/filter.h
index a6ac848..378fa03 100644
--- a/include
On Wed, Oct 2, 2013 at 9:57 PM, Eric Dumazet eric.duma...@gmail.com wrote:
On Wed, 2013-10-02 at 21:53 -0700, Eric Dumazet wrote:
On Wed, 2013-10-02 at 21:44 -0700, Alexei Starovoitov wrote:
I think ifdef config_x86 is a bit ugly inside struct sk_filter, but
don't mind whichever way.
Its
until jit completed freeing
tested on x86_64 and i386
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
arch/x86/net/bpf_jit_comp.c | 20 +++-
include/linux/filter.h |9 +++--
net/core/filter.c |8 ++--
3 files changed, 28 insertions(+), 9
On Thu, Oct 3, 2013 at 4:02 PM, Eric Dumazet erdnet...@gmail.com wrote:
On Thu, 2013-10-03 at 15:47 -0700, Alexei Starovoitov wrote:
on x86 system with net.core.bpf_jit_enable = 1
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -644,7 +644,9 @@ void sk_filter_release_rcu(struct rcu_head
On Thu, Oct 3, 2013 at 4:07 PM, Eric Dumazet eric.duma...@gmail.com wrote:
On Thu, 2013-10-03 at 15:47 -0700, Alexei Starovoitov wrote:
@@ -722,7 +725,8 @@ EXPORT_SYMBOL_GPL(sk_unattached_filter_destroy);
int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
{
struct
On Thu, Oct 3, 2013 at 4:11 PM, Alexei Starovoitov a...@plumgrid.com wrote:
On Thu, Oct 3, 2013 at 4:07 PM, Eric Dumazet eric.duma...@gmail.com wrote:
On Thu, 2013-10-03 at 15:47 -0700, Alexei Starovoitov wrote:
@@ -722,7 +725,8 @@ EXPORT_SYMBOL_GPL(sk_unattached_filter_destroy);
int
(final filter check always happens in kernel)
bpf/llvm - placeholder for LLVM-BPF backend
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
GCC-BPF backend is available on github
(since gcc plugin infrastructure doesn't allow for out-of-tree backends)
LLVM plugin infra is very flexible
prototype is 'int dst_discard(struct sk_buff *skb);'
'skb' pointer is in 'rdi' register on x86_64
bpf_load_pointer() will try to fetch 'dev' field of 'sk_buff'
structure and will suppress page-fault if pointer is incorrect.
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
include/linux
registers.
That is the main difference.
Old BPF was using jt/jf fields for jump-insn only.
New BPF combines them into generic 'off' field for jump and non-jump insns.
k==imm field has the same meaning.
Thanks
Alexei Starovoitov (5):
Extended BPF core framework
Extended BPF JIT for x86-64
for efficient mapping to native
instructions on 64-bit CPUs
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
include/linux/bpf.h| 149 +++
include/linux/bpf_jit.h| 129 ++
kernel/Makefile|1 +
kernel/bpf_jit/Makefile|3 +
kernel/bpf_jit/bpf_check.c | 1054
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
Documentation/bpf_jit.txt | 204 +
1 file changed, 204 insertions(+)
create mode 100644 Documentation/bpf_jit.txt
diff --git a/Documentation/bpf_jit.txt b/Documentation/bpf_jit.txt
new file mode
.
Allowing zero-overhead calls between BPF filter and safe kernel functions
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
arch/x86/Kconfig |1 +
arch/x86/net/Makefile |1 +
arch/x86/net/bpf64_jit_comp.c | 625 +
arch
On Tue, Dec 3, 2013 at 1:16 AM, Ingo Molnar mi...@kernel.org wrote:
Very cool! (Added various other folks who might be interested in this
to the Cc: list.)
I have one generic concern:
It would be important to make it easy to extract loaded BPF code from
the kernel in source code equivalent
On Tue, Dec 3, 2013 at 7:33 AM, Steven Rostedt rost...@goodmis.org wrote:
On Tue, 3 Dec 2013 10:16:55 +0100
Ingo Molnar mi...@kernel.org wrote:
So, to do the math:
tracing 'all' overhead: 95 nsecs per event
tracing 'eth5 + old filter' overhead: 157 nsecs per event
On Tue, Dec 3, 2013 at 9:01 AM, H. Peter Anvin h...@zytor.com wrote:
On 12/02/2013 08:28 PM, Alexei Starovoitov wrote:
+
+All BPF registers are 64-bit without subregs, which makes JITed x86 code
+less optimal, but matches sparc/mips architectures.
+Adding 32-bit subregs was considered, since
On Tue, Dec 3, 2013 at 12:41 PM, Frank Ch. Eigler f...@redhat.com wrote:
Alexei Starovoitov a...@plumgrid.com writes:
[...]
Having EBPF code manipulating pointers - or kernel memory - directly
seems like a nonstarter. However, per your subsequent paragraph it
sounds like pointers
On Tue, Dec 3, 2013 at 4:35 PM, Jonathan Corbet cor...@lwn.net wrote:
On Mon, 2 Dec 2013 20:28:50 -0800
Alexei Starovoitov a...@plumgrid.com wrote:
GCC-BPF backend is available on github
(since gcc plugin infrastructure doesn't allow for out-of-tree backends)
Do you have a pointer
On Tue, Dec 3, 2013 at 4:01 PM, Andi Kleen a...@firstfloor.org wrote:
Alexei Starovoitov a...@plumgrid.com writes:
Can you do some performance comparison compared to e.g. ktap?
How much faster is it?
imo the most interesting ktap scripts (like kmalloc-top.kp) need
tables and timers.
tables
On Wed, Dec 4, 2013 at 1:34 AM, Ingo Molnar mi...@kernel.org wrote:
* Alexei Starovoitov a...@plumgrid.com wrote:
On Tue, Dec 3, 2013 at 1:16 AM, Ingo Molnar mi...@kernel.org wrote:
Very cool! (Added various other folks who might be interested in
this to the Cc: list.)
I have one
On Tue, Dec 3, 2013 at 4:01 PM, Andi Kleen a...@firstfloor.org wrote:
Can you do some performance comparison compared to e.g. ktap?
How much faster is it?
Did simple ktap test with 1M alloc_skb/kfree_skb toy test from earlier email:
trace skb:kfree_skb {
if (arg2 == 0x100) {
On Wed, Dec 4, 2013 at 4:05 PM, Masami Hiramatsu
masami.hiramatsu...@hitachi.com wrote:
(2013/12/04 10:11), Steven Rostedt wrote:
On Wed, 04 Dec 2013 09:48:44 +0900
Masami Hiramatsu masami.hiramatsu...@hitachi.com wrote:
fetch functions and actions. In that case, we can continue
to use
On Thu, Dec 5, 2013 at 8:11 AM, Frank Ch. Eigler f...@redhat.com wrote:
ast wrote:
[...]
Did simple ktap test with 1M alloc_skb/kfree_skb toy test from earlier email:
trace skb:kfree_skb {
if (arg2 == 0x100) {
printf("%x %x\n", arg1, arg2)
}
}
[...]
For
On Thu, Dec 5, 2013 at 5:46 AM, Steven Rostedt rost...@goodmis.org wrote:
I know that it would be great to have the bpf filter run before
recording of the tracepoint, but as that becomes quite awkward for a
user interface, because it requires intimate knowledge of the kernel
source, this
On Thu, Dec 5, 2013 at 3:37 PM, Steven Rostedt rost...@goodmis.org wrote:
On Thu, 5 Dec 2013 14:36:58 -0800
Alexei Starovoitov a...@plumgrid.com wrote:
On Thu, Dec 5, 2013 at 5:46 AM, Steven Rostedt rost...@goodmis.org wrote:
I know that it would be great to have the bpf filter run before
On Thu, Dec 5, 2013 at 5:20 PM, Andi Kleen a...@firstfloor.org wrote:
the difference is bigger now: 484-145 vs 185-145
This is an obvious improvement, but imho not big enough to be extremely
compelling ( cost 1-2 cache misses, no orders of magnitude improvements
that would justify a lot of
On Thu, Dec 5, 2013 at 2:38 AM, Ingo Molnar mi...@kernel.org wrote:
Also I'm thinking to add 'license_string' section to bpf binary format
and call license_is_gpl_compatible() on it during load.
If false, then just reject it…. not even messing with taint flags...
That would be way stronger
On Wed, Mar 12, 2014 at 12:22 PM, David Miller da...@davemloft.net wrote:
From: Alexei Starovoitov a...@plumgrid.com
Date: Mon, 10 Mar 2014 21:41:30 -0700
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 1a869488b8ae..2c13d000389c 100644
--- a/include/linux
seccomp_data
- cleaned up stack[64] with stack[ARRAY_SIZE(stack)]
2/3 and 3/3: no changes
x86_64, i386 and arm32 look clean.
Thanks!
Alexei Starovoitov (3):
filter: add Extended BPF interpreter and converter
seccomp: convert seccomp to use extended BPF
doc: filter: add Extended BPF documentation
[kernel.kallsyms] [k] __secure_computing
0.93% bench [kernel.kallsyms] [k] sys_getuid
BPF filters generated by seccomp are very branchy, so ext BPF
performance is better than old BPF.
Performance gains will be even higher when extended BPF JIT
is committed.
Signed-off-by: Alexei Starovoitov
with extended BPF
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
Acked-by: Hagen Paul Pfeifer ha...@jauu.net
Reviewed-by: Daniel Borkmann dbork...@redhat.com
---
arch/arm/net/bpf_jit_32.c |3 +-
arch/powerpc/net/bpf_jit_comp.c |3 +-
arch/s390/net/bpf_jit_comp.c|3 +-
arch
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
Reviewed-by: Daniel Borkmann dbork...@redhat.com
---
Documentation/networking/filter.txt | 181 +++
1 file changed, 181 insertions(+)
diff --git a/Documentation/networking/filter.txt
b/Documentation/networking
On Wed, Mar 12, 2014 at 3:16 PM, Cong Wang cw...@twopensource.com wrote:
(Sorry for jumping into this thread late.)
On Mon, Mar 10, 2014 at 9:41 PM, Alexei Starovoitov a...@plumgrid.com wrote:
3. tracing filters systemtap-like with extended BPF
4. OVS with extended BPF
5. nftables
On Wed, Mar 12, 2014 at 2:15 AM, Pablo Neira Ayuso pa...@netfilter.org wrote:
Hi!
I'm going to reply to Daniel and you in the same email, see below.
struct sk_filter
{
atomic_trefcnt;
- unsigned intlen;/* Number of filter blocks */
+
On Thu, Mar 13, 2014 at 5:29 AM, Pablo Neira Ayuso pa...@netfilter.org wrote:
On Wed, Mar 12, 2014 at 08:29:07PM -0700, Alexei Starovoitov wrote:
On Wed, Mar 12, 2014 at 2:15 AM, Pablo Neira Ayuso pa...@netfilter.org
wrote:
[...]
It seems you're assuming that ebpf inherited all
On Fri, Mar 14, 2014 at 5:58 AM, Pablo Neira Ayuso pa...@netfilter.org wrote:
On Wed, Mar 12, 2014 at 02:43:32PM -0700, Alexei Starovoitov wrote:
diff --git a/include/linux/filter.h b/include/linux/filter.h
index e568c8ef896b..6e6aab5e062b 100644
--- a/include/linux/filter.h
+++ b/include
On Fri, Mar 14, 2014 at 8:37 AM, Alexei Starovoitov a...@plumgrid.com wrote:
On Fri, Mar 14, 2014 at 5:58 AM, Pablo Neira Ayuso pa...@netfilter.org
wrote:
On Wed, Mar 12, 2014 at 02:43:32PM -0700, Alexei Starovoitov wrote:
diff --git a/include/linux/filter.h b/include/linux/filter.h
index
On Fri, Mar 14, 2014 at 11:16 AM, Pablo Neira Ayuso pa...@netfilter.org wrote:
On Fri, Mar 14, 2014 at 08:28:05AM -0700, Alexei Starovoitov wrote:
On Thu, Mar 13, 2014 at 5:29 AM, Pablo Neira Ayuso pa...@netfilter.org
wrote:
On Wed, Mar 12, 2014 at 08:29:07PM -0700, Alexei Starovoitov wrote
On Sat, Mar 15, 2014 at 12:03 PM, Pablo Neira Ayuso pa...@netfilter.org wrote:
On Fri, Mar 14, 2014 at 09:04:50PM -0700, Alexei Starovoitov wrote:
[...]
In the patches I sent, ebpf is _not_ exposed to the user.
From your last patch: http://patchwork.ozlabs.org/patch/329713/
diff --git
that tcpdump/cls/xt and others can
insert both bpf32 and bpf64 programs through the same interface
- add bpf tables, complete 'dropmonitor' and get back to
systemtap-like probes with bpf64
Please review.
Thanks!
Alexei Starovoitov (1):
bpf32-bpf64 mapper and bpf64 interpreter
include/linux
of available functions
and alter BPF machinery for specific use case.
BPF64 instruction set is designed for efficient mapping to native
instructions on 64-bit CPUs
Old BPF instructions are remapped on the fly to BPF64
when sysctl net.core.bpf64_enable=1
Signed-off-by: Alexei Starovoitov
On Fri, Feb 28, 2014 at 4:45 AM, Daniel Borkmann dbork...@redhat.com wrote:
Hi Alexei,
[also cc'ing Hagen and Jesse]
Just some minor comments below ... let me know what you think.
Thank you for review! Comments below.
On 02/27/2014 03:38 AM, Alexei Starovoitov wrote:
Extended BPF (or 64
On Fri, Feb 28, 2014 at 12:53 PM, Alexei Starovoitov a...@plumgrid.com wrote:
On Fri, Feb 28, 2014 at 4:45 AM, Daniel Borkmann dbork...@redhat.com wrote:
Hi Alexei,
[also cc'ing Hagen and Jesse]
Just some minor comments below ... let me know what you think.
Thank you for review! Comments
On Mon, Mar 3, 2014 at 2:05 AM, Hagen Paul Pfeifer ha...@jauu.net wrote:
* Daniel Borkmann | 2014-03-01 01:30:00 [+0100]:
as in 'struct bpf_insn' the immediate value is 32 bit, so for 64 bit
comparisons, you'd still need to load to immediate values, right?
there is no insn that use 64-bit
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
Documentation/networking/filter.txt | 181 +++
1 file changed, 181 insertions(+)
diff --git a/Documentation/networking/filter.txt
b/Documentation/networking/filter.txt
index a06b48d2f5cc..c3f687bf8e82
performance is better than old BPF.
Performance gains will be even higher when extended BPF JIT
is committed.
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
This patch is an RFC to use extended BPF in seccomp.
Change it to do it conditionally with bpf_ext_enable knob ?
---
include
design doc
Please review.
Thanks!
Alexei Starovoitov (3):
Extended BPF interpreter and converter
RFC: convert seccomp to use extended BPF
Extended BPF documentation
Documentation/networking/filter.txt | 181
include/linux/filter.h |8 +-
include/linux/netdevice.h
BPF verifier, so that new programs
can be loaded through old sk_attach_filter() and
sk_unattached_filter_create()
interfaces
3. tracing filters systemtap-like with extended BPF
4. OVS with extended BPF
5. nftables with extended BPF
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
On Tue, Mar 4, 2014 at 1:59 AM, Daniel Borkmann dbork...@redhat.com wrote:
On 03/04/2014 06:18 AM, Alexei Starovoitov wrote:
Extended BPF extends old BPF in the following ways:
- from 2 to 10 registers
Original BPF has two registers (A and X) and hidden frame pointer.
Extended BPF has
On Tue, Mar 4, 2014 at 6:28 AM, Hagen Paul Pfeifer ha...@jauu.net wrote:
If all issues raised by Daniel are addressed:
Acked-by: Hagen Paul Pfeifer ha...@jauu.net
Thanks!
But ...
Future work:
0. seccomp
1. add extended BPF JIT for x86_64
2. add inband old/new demux and extended BPF
design doc
V5 summary:
- fixed commit one-liner, removed empty line
- added Hagen's ack
Please review.
Thanks!
Alexei Starovoitov (3):
filter: add Extended BPF interpreter and converter
[RFC] seccomp: convert seccomp to use extended BPF
doc: filter: add Extended BPF documentation
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
Documentation/networking/filter.txt | 181 +++
1 file changed, 181 insertions(+)
diff --git a/Documentation/networking/filter.txt
b/Documentation/networking/filter.txt
index a06b48d2f5cc..c3f687bf8e82
performance is better than old BPF.
Performance gains will be even higher when extended BPF JIT
is committed.
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
This patch is an RFC to use extended BPF in seccomp.
Change it to do it conditionally with bpf_ext_enable knob ?
---
include
BPF verifier, so that new programs
can be loaded through old sk_attach_filter() and
sk_unattached_filter_create()
interfaces
3. tracing filters systemtap-like with extended BPF
4. OVS with extended BPF
5. nftables with extended BPF
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
Acked
On Tue, Mar 4, 2014 at 2:17 PM, Alexei Starovoitov a...@plumgrid.com wrote:
use sk_convert_filter() to convert seccomp BPF into extended BPF
05-sim-long_jumps.c of libseccomp was used as micro-benchmark:
seccomp_rule_add_exact(ctx,...
seccomp_rule_add_exact(ctx,...
rc = seccomp_load
On Wed, Mar 5, 2014 at 1:24 AM, Daniel Borkmann dbork...@redhat.com wrote:
On 03/04/2014 11:17 PM, Alexei Starovoitov wrote:
Extended BPF extends old BPF in the following ways:
- from 2 to 10 registers
Original BPF has two registers (A and X) and hidden frame pointer.
Extended BPF has
On Wed, Mar 5, 2014 at 1:42 PM, Kees Cook keesc...@chromium.org wrote:
On Tue, Mar 4, 2014 at 7:11 PM, Alexei Starovoitov a...@plumgrid.com wrote:
On Tue, Mar 4, 2014 at 2:17 PM, Alexei Starovoitov a...@plumgrid.com wrote:
use sk_convert_filter() to convert seccomp BPF into extended BPF
05
[kernel.kallsyms] [k] __secure_computing
0.93% bench [kernel.kallsyms] [k] sys_getuid
BPF filters generated by seccomp are very branchy, so ext BPF
performance is better than old BPF.
Performance gains will be even higher when extended BPF JIT
is committed.
Signed-off-by: Alexei Starovoitov
in sk_convert_filter()
- updated commit log
- added Daniel's Reviewed-by
- added Kees's Reviewed-by
x86_64, i386 and arm32 look clean.
Thanks!
Alexei Starovoitov (3):
filter: add Extended BPF interpreter and converter
seccomp: convert seccomp to use extended BPF
doc: filter: add Extended BPF
-off-by: Alexei Starovoitov a...@plumgrid.com
Acked-by: Hagen Paul Pfeifer ha...@jauu.net
Reviewed-by: Daniel Borkmann dbork...@redhat.com
---
include/linux/filter.h |6 +-
include/linux/netdevice.h |1 +
include/uapi/linux/filter.h | 33 +-
net/core/filter.c | 801
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
Reviewed-by: Daniel Borkmann dbork...@redhat.com
---
Documentation/networking/filter.txt | 181 +++
1 file changed, 181 insertions(+)
diff --git a/Documentation/networking/filter.txt
b/Documentation/networking
On Fri, Mar 7, 2014 at 12:38 PM, David Miller da...@davemloft.net wrote:
From: Alexei Starovoitov a...@plumgrid.com
Date: Wed, 5 Mar 2014 19:30:15 -0800
Extended BPF extends old BPF in the following ways:
- from 2 to 10 registers
Original BPF has two registers (A and X) and hidden frame
- removed CPU specific code from sk_run_filter() and sk_run_filter_ext()
because of that revised arm32 cache-hit bpf micro-bench numbers slightly
slower, but seccomp and cache-miss arm32 numbers stayed the same
2/3 and 3/3: no changes
x86_64, i386 and arm32 look clean.
Thanks!
Alexei Starovoitov
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
Reviewed-by: Daniel Borkmann dbork...@redhat.com
---
Documentation/networking/filter.txt | 181 +++
1 file changed, 181 insertions(+)
diff --git a/Documentation/networking/filter.txt
b/Documentation/networking
-off-by: Alexei Starovoitov a...@plumgrid.com
Acked-by: Hagen Paul Pfeifer ha...@jauu.net
Reviewed-by: Daniel Borkmann dbork...@redhat.com
---
I think typecasting fixes are minor, so I kept Daniel's and Hagen's rev-by/ack.
arch/arm/net/bpf_jit_32.c |3 +-
arch/powerpc/net/bpf_jit_comp.c
[kernel.kallsyms] [k] __secure_computing
0.93% bench [kernel.kallsyms] [k] sys_getuid
BPF filters generated by seccomp are very branchy, so ext BPF
performance is better than old BPF.
Performance gains will be even higher when extended BPF JIT
is committed.
Signed-off-by: Alexei Starovoitov
On Sun, Mar 9, 2014 at 5:29 AM, Daniel Borkmann borkm...@iogearbox.net wrote:
On 03/09/2014 12:15 AM, Alexei Starovoitov wrote:
Extended BPF extends old BPF in the following ways:
- from 2 to 10 registers
Original BPF has two registers (A and X) and hidden frame pointer.
Extended BPF
On Sun, Mar 9, 2014 at 7:45 AM, Eric Dumazet eric.duma...@gmail.com wrote:
On Sat, 2014-03-08 at 15:15 -0800, Alexei Starovoitov wrote:
+/**
+ * sk_run_filter_ext - run an extended filter
+ * @ctx: buffer to run the filter on
+ * @insn: filter to apply
+ *
+ * Decode and execute
On Sun, Mar 9, 2014 at 7:49 AM, Eric Dumazet eric.duma...@gmail.com wrote:
On Sat, 2014-03-08 at 15:15 -0800, Alexei Starovoitov wrote:
+ if (BPF_SRC(fp-code) == BPF_K
+ (int)fp-k 0) {
+ /* extended BPF immediates
On Sun, Mar 9, 2014 at 11:11 AM, Eric Dumazet eric.duma...@gmail.com wrote:
On Sun, 2014-03-09 at 10:38 -0700, Alexei Starovoitov wrote:
On Sun, Mar 9, 2014 at 7:45 AM, Eric Dumazet eric.duma...@gmail.com wrote:
On Sat, 2014-03-08 at 15:15 -0800, Alexei Starovoitov wrote
On Sun, Mar 9, 2014 at 12:11 PM, Eric Dumazet eric.duma...@gmail.com wrote:
On Sun, 2014-03-09 at 11:57 -0700, Alexei Starovoitov wrote:
In sk_run_filter_ext() I used u64 stack[64];, but u64 stack[60]; is
safe too, but I didn't want to go into extensive explanation
of 'magic' 60 number
On Sun, Mar 9, 2014 at 3:00 PM, Daniel Borkmann borkm...@iogearbox.net wrote:
On 03/09/2014 06:08 PM, Alexei Starovoitov wrote:
On Sun, Mar 9, 2014 at 5:29 AM, Daniel Borkmann borkm...@iogearbox.net
wrote:
On 03/09/2014 12:15 AM, Alexei Starovoitov wrote:
Extended BPF extends old BPF
[kernel.kallsyms] [k] __secure_computing
0.93% bench [kernel.kallsyms] [k] sys_getuid
BPF filters generated by seccomp are very branchy, so ext BPF
performance is better than old BPF.
Performance gains will be even higher when extended BPF JIT
is committed.
Signed-off-by: Alexei Starovoitov
so_get_filter test from crtools/test/zdtm/live/static/
- trimmed cc list, since it looks too big
2/3 and 3/3: no changes
x86_64, i386 and arm32 look clean.
Thanks!
Alexei Starovoitov (3):
filter: add Extended BPF interpreter and converter
seccomp: convert seccomp to use extended BPF
doc: filter
-off-by: Alexei Starovoitov a...@plumgrid.com
Acked-by: Hagen Paul Pfeifer ha...@jauu.net
Reviewed-by: Daniel Borkmann dbork...@redhat.com
---
Daniel,
sk_get_filter() fixes are no longer minor, but I kept your
reviewed-by to credit your great help in creation of these patches.
Hope it's ok with you
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
Reviewed-by: Daniel Borkmann dbork...@redhat.com
---
Documentation/networking/filter.txt | 181 +++
1 file changed, 181 insertions(+)
diff --git a/Documentation/networking/filter.txt
b/Documentation/networking
On Mon, Mar 10, 2014 at 12:22 PM, David Miller da...@davemloft.net wrote:
From: Alexei Starovoitov a...@plumgrid.com
Date: Fri, 7 Mar 2014 14:19:39 -0800
On Fri, Mar 7, 2014 at 12:38 PM, David Miller da...@davemloft.net wrote:
2.
Another alternative is to do
struct sk_filter {
..
union
insns out of cache.
Thanks
Alexei
On March 10, 2014 7:02:18 PM PDT, Linus Torvalds
torva...@linux-foundation.org wrote:
On Mon, Mar 10, 2014 at 6:51 PM, David Miller da...@davemloft.net
wrote:
From: Alexei Starovoitov a...@plumgrid.com
Date: Sun, 9 Mar 2014 23:04:02 -0700
+ unsigned int
*,...) instead of
sk_run_filter_ext(void*,...) which is now private
3/3: no change
x86_64, i386 and arm32 look clean.
Thanks!
Alexei Starovoitov (3):
filter: add Extended BPF interpreter and converter
seccomp: convert seccomp to use extended BPF
doc: filter: add Extended BPF documentation
[kernel.kallsyms] [k] __secure_computing
0.93% bench [kernel.kallsyms] [k] sys_getuid
BPF filters generated by seccomp are very branchy, so ext BPF
performance is better than old BPF.
Performance gains will be even higher when extended BPF JIT
is committed.
Signed-off-by: Alexei Starovoitov
with extended BPF
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
Acked-by: Hagen Paul Pfeifer ha...@jauu.net
Reviewed-by: Daniel Borkmann dbork...@redhat.com
---
arch/arm/net/bpf_jit_32.c |3 +-
arch/powerpc/net/bpf_jit_comp.c |3 +-
arch/s390/net/bpf_jit_comp.c|3 +-
arch/sparc
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
Reviewed-by: Daniel Borkmann dbork...@redhat.com
---
Documentation/networking/filter.txt | 181 +++
1 file changed, 181 insertions(+)
diff --git a/Documentation/networking/filter.txt
b/Documentation/networking
On Tue, Mar 11, 2014 at 3:29 AM, Daniel Borkmann dbork...@redhat.com wrote:
On 03/11/2014 10:19 AM, Pablo Neira Ayuso wrote:
Hi!
The following patchset provides a socket filtering alternative to BPF
which allows you to define your filter using the nf_tables expressions.
Similarly to BPF,
On Tue, Mar 11, 2014 at 10:40 AM, Pavel Emelyanov xe...@parallels.com wrote:
On 03/10/2014 02:00 AM, Daniel Borkmann wrote:
On 03/09/2014 06:08 PM, Alexei Starovoitov wrote:
On Sun, Mar 9, 2014 at 5:29 AM, Daniel Borkmann borkm...@iogearbox.net
wrote:
On 03/09/2014 12:15 AM, Alexei
On Thu, Feb 13, 2014 at 2:22 PM, Daniel Borkmann dbork...@redhat.com wrote:
On 02/13/2014 09:20 PM, Daniel Borkmann wrote:
On 02/07/2014 02:20 AM, Alexei Starovoitov wrote:
...
Hi Daniel,
Thanks for your answer and sorry for the late reply.
Thank you for taking a look. Good questions. I
On Thu, Feb 13, 2014 at 12:20 PM, Daniel Borkmann dbork...@redhat.com wrote:
On 02/07/2014 02:20 AM, Alexei Starovoitov wrote:
...
Hi Daniel,
Thanks for your answer and sorry for the late reply.
Thank you for taking a look. Good questions. I had the same concerns.
Old BPF was carefully
On Fri, Feb 14, 2014 at 9:02 AM, Daniel Borkmann dbork...@redhat.com wrote:
On 02/14/2014 01:59 AM, Alexei Starovoitov wrote:
...
I'm very curious, do you also have any performance numbers, e.g. for
networking by taking JIT'ed/non-JIT'ed BPF filters and compare them
against
JIT'ed/non
On Fri, Feb 14, 2014 at 9:27 AM, Daniel Borkmann dbork...@redhat.com wrote:
On 02/14/2014 05:47 AM, Alexei Starovoitov wrote:
...
Do you see a possibility to integrate your work step by step? That is,
Sure. let's see how we can do it.
to first integrate the interpreter part only; meaning
On Thu, Jun 5, 2014 at 9:06 PM, Stephen Rothwell s...@canb.auug.org.au wrote:
Hi all,
After merging the net-next tree, today's linux-next build (powerpc
ppc64_defconfig) failed like this:
net/core/filter.c: In function 'convert_bpf_extensions':
net/core/filter.c:696:17: error: 'A_REG'
cc-ing netdev
On Tue, Jun 10, 2014 at 12:43 PM, Egerváry Gergely gerg...@egervary.hu wrote:
Hi,
we have just upgraded our systems from 3.4.91 (longterm) to 3.4.92.
Since then we are experiencing dozens of MTU-related network timeout
issues. Reverting back to 3.4.91 fixes all of these
On Wed, Jun 11, 2014 at 1:23 PM, Andy Lutomirski l...@amacapital.net wrote:
On my VM, getpid takes about 70ns. Before this patch, adding a
single-instruction always-accept seccomp filter added about 134ns of
overhead to getpid. With this patch, the overhead is down to about
13ns.
On Tue, Jun 10, 2014 at 8:25 PM, Kees Cook keesc...@chromium.org wrote:
This adds the new seccomp syscall with both an operation and flags
parameter for future expansion. The third argument is a pointer value,
used with the SECCOMP_SET_MODE_FILTER operation. Currently, flags must
be 0. This is
On Fri, Jun 13, 2014 at 2:25 PM, Andy Lutomirski l...@amacapital.net wrote:
On Fri, Jun 13, 2014 at 2:22 PM, Alexei Starovoitov a...@plumgrid.com wrote:
On Tue, Jun 10, 2014 at 8:25 PM, Kees Cook keesc...@chromium.org wrote:
This adds the new seccomp syscall with both an operation and flags
On Fri, Jun 13, 2014 at 2:42 PM, Andy Lutomirski l...@amacapital.net wrote:
On Fri, Jun 13, 2014 at 2:37 PM, Alexei Starovoitov a...@plumgrid.com wrote:
On Fri, Jun 13, 2014 at 2:25 PM, Andy Lutomirski l...@amacapital.net wrote:
On Fri, Jun 13, 2014 at 2:22 PM, Alexei Starovoitov
On Thu, May 22, 2014 at 4:05 PM, Kees Cook keesc...@chromium.org wrote:
Normally, task_struct.seccomp.filter is only ever read or modified by
the task that owns it (current). This property aids in fast access
during system call filtering as read access is lockless.
Updating the pointer from
On Tue, May 13, 2014 at 10:09 PM, Ingo Molnar mi...@kernel.org wrote:
* Alexei Starovoitov a...@plumgrid.com wrote:
On Tue, May 13, 2014 at 8:17 PM, Steven Rostedt rost...@goodmis.org wrote:
On Tue, 13 May 2014 19:55:11 -0700
Alexei Starovoitov a...@plumgrid.com wrote:
Tracing filters
of Daniel's.
Tested with several NET and NET-less configs on arm and x86
Alexei Starovoitov (2):
net: filter: split filter.c into two files
net: filter: split BPF out of core networking
arch/Kconfig |3 +-
include/linux/filter.h |2 +
net/Kconfig|4 +
net
seccomp selects BPF only instead of whole NET
Other BPF users (like tracing filters) will select BPF only too
Signed-off-by: Alexei Starovoitov a...@plumgrid.com
---
arch/Kconfig |3 ++-
net/Kconfig|4
net/Makefile |2 +-
net/bpf/core.c | 21 +
4