diff options
author | Chema Gonzalez <chema@google.com> | 2014-04-21 09:21:24 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-04-22 21:27:57 -0400 |
commit | 4cd3675ebf74d7f559038ded6aa8088e4099a83d (patch) | |
tree | 6988d7dc3352fbcce10c5c510ffa11e6f30217de /Documentation | |
parent | 5a4ae5f6e7d4b2b5a9b8981d513345053e40b6ac (diff) | |
download | linux-4cd3675ebf74d7f559038ded6aa8088e4099a83d.tar.gz linux-4cd3675ebf74d7f559038ded6aa8088e4099a83d.tar.bz2 linux-4cd3675ebf74d7f559038ded6aa8088e4099a83d.zip |
filter: added BPF random opcode
Added a new ancillary load (bpf call in eBPF parlance) that produces
a 32-bit random number. We are implementing it as an ancillary load
(instead of an ISA opcode) because (a) it is simpler, (b) allows easy
JITing, and (c) seems more in line with generic ISAs that do not have
"get a random number" as a instruction, but as an OS call.
The main use for this ancillary load is to perform random packet sampling.
Signed-off-by: Chema Gonzalez <chema@google.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'Documentation')
-rw-r--r-- | Documentation/networking/filter.txt | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/Documentation/networking/filter.txt b/Documentation/networking/filter.txt index 81f940f4e884..82e1cb0b3da8 100644 --- a/Documentation/networking/filter.txt +++ b/Documentation/networking/filter.txt @@ -281,6 +281,7 @@ Possible BPF extensions are shown in the following table: cpu raw_smp_processor_id() vlan_tci vlan_tx_tag_get(skb) vlan_pr vlan_tx_tag_present(skb) + rand prandom_u32() These extensions can also be prefixed with '#'. Examples for low-level BPF: @@ -308,6 +309,18 @@ Examples for low-level BPF: ret #-1 drop: ret #0 +** icmp random packet sampling, 1 in 4 + ldh [12] + jne #0x800, drop + ldb [23] + jneq #1, drop + # get a random uint32 number + ld rand + mod #4 + jneq #1, drop + ret #-1 + drop: ret #0 + ** SECCOMP filter example: ld [4] /* offsetof(struct seccomp_data, arch) */ |