Firewall Profiling.
Luigi Rizzo
rizzo at iet.unipi.it
Wed Dec 28 10:26:12 UTC 2011
On Wed, Dec 28, 2011 at 10:28:44AM +0400, Lev Serebryakov wrote:
> Hello, Adrian.
> You wrote on 28 December 2011, 10:04:13:
>
> > Maybe someone should write one and open source it this time.. :)
> In the presence of LLVM in the base, it looks like we should generate
> native code from IPFW bytecodes, without intermediate C code :)
> Looks doable!
There is a problem here. You have to trust the native code
before allowing its execution in the kernel. So either you
implement some form of sandboxing or code validator
before accepting a blob of native code from the setsockopt(),
or you generate the code directly within the kernel.
But with these sizes you cannot embed clang or gcc in the kernel:
> size /usr/bin/clang
    text    data     bss      dec     hex filename
31892505  538200   76544 32507249 1f00571 /usr/bin/clang
> size /usr/libexec/cc1
    text    data     bss      dec     hex filename
 6172008   39800  723320  6935128  69d258 /usr/libexec/cc1
maybe you can embed tcc or libtcc:
> size `which tcc`
    text    data     bss      dec     hex filename
  127573     600   42680   170853   29b65 /usr/local/bin/tcc
though I would guess that a custom code generator is probably simpler
to write (perhaps reusing sys/i386/i386/bpf_jit_machdep.c and its
amd64 counterpart).
cheers
luigi
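
Added example, not part of the original message or of any FreeBSD code: one way to realise the "generate the code directly within the kernel" option is to accept only bytecode from userland and validate it before an in-kernel generator translates it. The opcode set, struct layout and MAX_INSNS limit below are hypothetical and are not ipfw's real format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical rule bytecode made up for this example; NOT ipfw's opcodes. */
enum { OP_MATCH_PROTO, OP_MATCH_PORT, OP_SKIP, OP_ACCEPT, OP_DENY, OP_MAX };
struct insn {
    uint8_t  op;    /* OP_* value */
    uint8_t  skip;  /* MATCH_*: insns to jump over on mismatch; SKIP: always */
    uint16_t arg;   /* protocol number or port to compare against */
};
#define MAX_INSNS 4096                      /* assumed program length limit */
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Returns 0 if safe to translate, else a negative code for the failed check. */
int validate_prog(const struct insn *p, size_t len)
{
    if (p == NULL || len == 0 || len > MAX_INSNS)
        return -1;                          /* missing, empty or oversized */
    if (p[len - 1].op != OP_ACCEPT && p[len - 1].op != OP_DENY)
        return -2;                          /* could run off the end */
    for (size_t i = 0; i < len; i++) {
        if (p[i].op >= OP_MAX)
            return -3;                      /* unknown opcode */
        if (p[i].op == OP_ACCEPT || p[i].op == OP_DENY)
            continue;                       /* terminal, skip field unused */
        /* Jumps only go forward (skip is unsigned), so every run ends;
         * the target i + 1 + skip must still lie inside the program. */
        if ((size_t)p[i].skip >= len - i - 1)
            return -4;
        if (p[i].op == OP_MATCH_PROTO && p[i].arg > 255)
            return -5;                      /* IP protocol field is one byte */
    }
    return 0;
}

/* Constructed samples. good = "accept TCP to port 22, deny everything else". */
static const struct insn good[] = { { OP_MATCH_PROTO, 2, 6 },
    { OP_MATCH_PORT, 1, 22 }, { OP_ACCEPT, 0, 0 }, { OP_DENY, 0, 0 } };
static const struct insn bad_jump[] = { { OP_MATCH_PROTO, 9, 6 },
    { OP_ACCEPT, 0, 0 }, { OP_DENY, 0, 0 } };   /* jump lands past the end */
static const struct insn bad_op[] = { { 0x7f, 0, 0 }, { OP_DENY, 0, 0 } };
static const struct insn no_term[] = { { OP_MATCH_PORT, 0, 80 } };

int main(void)
{
    printf("good=%d bad_jump=%d bad_op=%d no_term=%d\n",
        validate_prog(good, N(good)), validate_prog(bad_jump, N(bad_jump)),
        validate_prog(bad_op, N(bad_op)), validate_prog(no_term, N(no_term)));
    return 0;
}
```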