Hi Mayuresh,
while i was drawn to netbsd because of the upcoming lua
support in the kernel and userland,
I'm happy to read this =).
i am quite lost about
the probable use cases for real-world scenarios.
We have proposed some use cases, such as packet filtering, device
drivers, network protocols and file systems. Please note that use
cases depend on the creation of proper bindings between the kernel and
Lua. Currently, we have just few bindings committed on -current.
I'm currently working on the packet filtering use case by extending
NPF using Lua. I'll talk about this use case on EuroBSDCon 2014 [1]
and hope to make the code publicly available soon. Here is the talk's
abstract:
NetBSD recently added an experimental support for kernel scripting
based on the programming language Lua, which allows privileged users to load
and run Lua scripts in kernel. This talk presents a special use case on
scripting the NetBSD Packet Filter (NPF). It presents NPFLua, a NPF extension
module that allows users to define advanced rules to filter the
network traffic using Lua scripts.
This talk also presents Luadata, a Lua extension library that allows developers
to expose safely system memory for Lua scripts. This library also allows users
to describe data layouts declaratively in Lua. Luadata is used in combination
with NPFLua to allow users to inspect and modify network packet payload using
Lua.
[1] http://2014.eurobsdcon.org/
Marc is working on a line-disciplines use case.
Moreover, I previously worked on a kernel-scripting environment for
Linux, named Lunatik. I developed a CPU frequency scaling use case,
extending CPUfreq. There are also research groups that worked on
packet filtering [2] and file systems [3] on Linux, using Lunatik.
[2] A. Graf. PacketScript—a Lua Scripting Engine for in-Kernel
Packet Processing. Master’s thesis, Computer Science Depart-
ment, University of Basel, July 2010.
[3] M. Grawinkel, T. Suss, G. Best, I. Popov, and A. Brinkmann.
Towards Dynamic Scripted pNFS Layouts. In High Perfor-
mance Computing, Networking, Storage and Analysis (SCC),
2012 SC Companion:, pages 13–17. IEEE, 2012.
prima-face, it feels quite strange to have a scriptable
kernel and have that capability extended through out the
userland.
Yes, it is not usual. But I think it can be quite useful =).
i have been googling (via lynx) and haven't found anything
which would suggest possible use cases for the lua-in-kernel
effort. might be because my google skills are poor.
can someone with access to such a document please share the
details?
As Justin pointed, there are a Marc's presentation and some discussion
on the mailing lists.
We, I and Marc et al., are also working on a paper about Scriptable OS
that we hope to make publicly available soon. This paper introduces
the concept of Scriptable OS, which supports that OS can adequately
provide extensibility through kernel scripting. It also presents some
use cases and experiments.
Feel free to ask more questions here or contact me privately.
also, if the lua-in-kernel effort does succeed, would there
be some mechanism to turn it off while doing a customized
build?
Actually, Lua in kernel is optional. If you want to use it, you need
to explicitly enable it.
can't figure how useful such a feature might be in
a production environment like web-app hosting or even an
embedded system.
Suppose that you have discovered a new vulnerability on a specific
implementation of SSH. You can use a Lua script on a NPF firewall to
filter the SSH software version and then block the traffic from the
vulnerable SSH implementation. Here is a Lua script example that
implements this kind of filtering:
function filter(hdr, pld)
-- get a segment of the payload
local seg = pld:segment(0, 255)
-- convert segment data to string
local str = tostring(seg)
-- pattern to capture the software version
local pattern =
'SSH%-[%w%p]+%-([%w%p]+) ?[%w%p]*\r\n'
-- get the software version
local software_version = str:match(pattern)
if software_version == 'OpenSSH_6.4' then
-- reject the packet
return false
end
-- accept the packet
return true
end
Regards,
--
Lourival Vieira Neto
