[Bloat] high speed packet and protocol processing in userspace?

Jesper Dangaard Brouer brouer at redhat.com
Fri Mar 17 05:02:14 EDT 2017


On Thu, 16 Mar 2017 09:27:44 -0700 Eric Dumazet <eric.dumazet at gmail.com> wrote:
> On Thu, 2017-03-16 at 11:52 -0400, Michael Richardson wrote:
> > Dave Taht <dave.taht at gmail.com> wrote:  
> >     > Is it faster to execute 17 bpf vm instructions on (nearly) every
> >     > packet, or to use all that old stuff?  
> > 
> > My understanding is that there is a JIT for ebpf.  
>
> ebpf is pretty fast.

To Dave: what kind of arch are you running on?
AFAIK you were running on MIPS, right?
Just checked the kernel tree and I was surprised to see a bpf JIT for mips:

$ ls -1 arch/mips/net/bpf_jit*
arch/mips/net/bpf_jit_asm.S
arch/mips/net/bpf_jit.c
arch/mips/net/bpf_jit.h

But I don't know what state it is in (Markos?)


> >     > B) Are there any means of easily abstracting deeper protocol processing
> >     > into a higher level grammar, better than tcpdump? I found one tool,
> >     > that I like conceptually - for deeply decoding a protocol -  
> > 
> > tcpdump just exposes the libpcap compiler.  It has many annoying limitations.
> >   
> >     > I've googled, and thunk, and maybe I'm merely asking the wrong
> >     > questions, and "the packet analysis tool to end all tools" already
> >     > exists?  
> > 
> > Yes, people have produced them, but they go nowhere because they
> > are too specialized, or too general.  The question is: are you
> > trying to build a tcp stack that punts packets at applications, or
> > do "analysis" --- which I interpret to mean to collect statistics.  

The main point for getting performance out of eBPF is to avoid writing
a generic framework that needs to handle everything.  The point is only
to emit the instructions you need for your specific use-case.

You should think about eBPF as a programmable policy (that we don't
need/want to add to the kernel code and maintain forever). See this talk:
 https://github.com/iovisor/bpf-docs/blob/master/XDP_Inside_and_Out.pdf

> Note that you can use C to write your parser, then use LLVM to
> generate native eBPF code.

Yes, that is how I use eBPF, writing restricted-C that LLVM compiles
into eBPF code.  You can look at examples in the kernel git tree under
samples/bpf/

I've tried to make it easier to get started working with the LLVM setup by:

(1) providing example code that compiles outside kernel tree:
  https://github.com/netoptimizer/prototype-kernel/tree/master/kernel/samples/bpf

(2) started documenting how to use eBPF:
  https://prototype-kernel.readthedocs.io/en/latest/bpf/index.html

(3) Giving a talk on how to use it:
  http://people.netfilter.org/hawk/presentations/OpenSourceDays2017/
  https://opensourcedays.org/business/talk?speaker_id=84

-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Principal Kernel Engineer at Red Hat
  LinkedIn: http://www.linkedin.com/in/brouer
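
An added example, not part of the message above and not taken from samples/bpf: a restricted-C parser that carries only the instructions one policy needs, with each header bounds-checked against data_end before it is read. WATCHED_PORT, the function names, the file name and the userspace sample frame are assumptions made for illustration.

```c
/* Added example. Kernel build (file name assumed):
 *   clang -O2 -target bpf -c xdp_udp_policy.c -o xdp_udp_policy.o */
typedef unsigned char u8; typedef unsigned short u16; typedef unsigned int u32;
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define BE16(x) __builtin_bswap16(x)
#else
#define BE16(x) (x)
#endif
#define WATCHED_PORT 53   /* assumed policy: drop UDP sent to this port */
enum { VERDICT_DROP = 1, VERDICT_PASS = 2 };  /* values of XDP_DROP, XDP_PASS */
struct eth_hdr  { u8 dst[6], src[6]; u16 proto; } __attribute__((packed));
struct ipv4_hdr { u8 ver_ihl, tos; u16 len, id, frag; u8 ttl, proto;
                  u16 csum; u32 saddr, daddr; } __attribute__((packed));
struct udp_hdr  { u16 sport, dport, len, csum; } __attribute__((packed));

/* One use-case, no generic framework. Every header is checked against
 * data_end before it is read; the in-kernel verifier requires that. */
static inline __attribute__((always_inline))
int classify(const u8 *data, const u8 *data_end)
{
    const struct eth_hdr *eth = (const void *)data;
    if (data + sizeof(*eth) > data_end || eth->proto != BE16(0x0800))
        return VERDICT_PASS;                  /* short frame or not IPv4 */
    const struct ipv4_hdr *ip = (const void *)(eth + 1);
    if ((const u8 *)(ip + 1) > data_end || ip->proto != 17)
        return VERDICT_PASS;                  /* short header or not UDP */
    u32 ihl = (ip->ver_ihl & 0x0f) * 4;       /* header may carry options */
    if (ihl < sizeof(*ip) || (ip->frag & BE16(0x1fff)))
        return VERDICT_PASS;                  /* bad IHL or non-first fragment */
    const struct udp_hdr *udp = (const void *)((const u8 *)ip + ihl);
    if ((const u8 *)(udp + 1) > data_end)
        return VERDICT_PASS;                  /* truncated UDP header */
    return udp->dport == BE16(WATCHED_PORT) ? VERDICT_DROP : VERDICT_PASS;
}

#ifdef __bpf__
#include <linux/bpf.h>
__attribute__((section("xdp"), used))
int xdp_udp_policy(struct xdp_md *ctx)
{ return classify((const u8 *)(long)ctx->data, (const u8 *)(long)ctx->data_end); }
#else
/* Constructed sample frame so the same parser can be run in userspace. */
int sample_verdict(u16 dport, u32 caplen)
{
    u8 f[42] = {0};                           /* Ethernet + IPv4 + UDP headers */
    f[12] = 0x08; f[14] = 0x45; f[23] = 17;   /* IPv4 ethertype, IHL 5, UDP */
    f[36] = dport >> 8; f[37] = dport & 0xff;
    return classify(f, f + (caplen < sizeof f ? caplen : sizeof f));
}
#endif
```

Compiled natively, the `#else` branch lets the parser be exercised on the constructed frame, including truncated captures, before the same source is built for the BPF target.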

