Berkeley Packet Filter Just in Time compiler and The Linux Kernel 3.0

jdmcdaniel3 · August 7, 2011, 5:10am

I noticed a new addition to the Linux Kernel 3.0 which was called the “Berkeley Packet Filter Just in Time compiler”. This seemed intriguing to me though I admit to not knowing how to make use of it. The H Open link on the subject is as follows:

Kernel Log: Coming in 3.0 (Part 1) - Networking - The H Open Source: News and Features

Just in time

The netfilter code now includes a “Berkeley Packet Filter Just-in-Time Compiler” for x86-64 systems. It generates assembler code at rumtime that carries out some of the network packet filtering tasks set by sniffer tools such as Tcpdump. Disabled by default, the JIT compiler can be enabled by writing “1” into the /proc/sys/net/core/bpf_jit_enable file; when testing an earlier version of the compiler, its developer managed to measure savings of 50 nanoseconds per packet. Further background about this approach is available in an article on LWN.net.

So what I have done is to determine just how to activate this option. First, you can download the latest kernel 3.0.1 from here: http://www.kernel.org/pub/linux/kernel/v3.0/linux-3.0.1.tar.bz2

Next, you need to compile this kernel. You can use my bash script here: S.A.K.C. - SUSE Automated Kernel Compiler - Version 2.50 - Blogs - openSUSE Forums

While in the sakc script, you will be asked if you “Would you like to modify your Kernel configurations in a GUI?” you need to answer with a Y for Yes. This starts up the “make menuconfig” command. You then need to select the options:

Networking Support (select and press enter)
Networking Options (select and press enter)
enable BPF Just In Time compiler (Page down to the third page and press the space bar on this option at the bottom)
Save an Alternate Configuration File (press ESC twice to back up and press ESC twice again to back up one more time)
Use the default configuration file name of .config
Select <Exit> at the bottom to leave the menuconfig program.

http://thumbnails49.imagebam.com/14383/bf74b2143825412.jpg](ImageBam)

Once your kernel has been compiled and installed, reboot your PC to load the new kernel. Now, you need to enable the BPF_JIT in order for it to be used. I have created a script you can use for this purpose:

#!/bin/bash

#: Title       : jit
#: Date Created: Mon Aug 1 17:57:06 CDT 2011
#: Last Edit   : Thu Aug 4 20:40:06 CDT 2011
#: Author      : James D. McDaniel
#: Version     : 1.00
#: Description : Enable the BPF_JIT
#: Options     : None

TITLE=" JIT - (Berkeley Packet Filter) Just In Time Compiler Settings" 

#
# This is the folder and file name we are looking for.  If this
# file is not present then BPF_JIT was not enabled in the kernel
#
FILE="/proc/sys/net/core/bpf_jit_enable"

#
# BPF_JIT can only be enabled by a root user
#
if  $UID -ne 0 ]]; then
  echo "Root User Permissions are required, Please Enter the ..."
  echo
  sudo $0
  exit 0
fi

#
# Determine if the /proc/sys/net/core/bpf_jit_enable is present.
#
if  ! -e $FILE ] ; then
  echo
  echo "The File $FILE not a Present - BPF_JIT does not appear to be enabled"
  echo
  exit 1
fi

#
# Main Program Starts here
#
while true ; do

  tput clear
  echo
  echo "      "$TITLE
  echo
  echo "---------------------------------------------------------------------------"
  echo "This enables the Berkeley Packet Filter Just in Time compiler.  Currently"
  echo "supported on x86_64 architecture, bpf_jit provides a framework to speed"
  echo "packet filtering, the one used by tcpdump/libpcap for example.  It does"
  echo "appear that you have enabled the BPF_JIT Kernel Module as required.  Your"
  echo "output command options to $FILE are as follows:"
  echo "---------------------------------------------------------------------------"
  echo "   0 - disable the JIT (default value)"
  echo "   1 - enable the JIT"
  echo "   2 - enable the JIT and ask the compiler to emit traces on kernel log."
  echo "---------------------------------------------------------------------------"
  echo
  echo -n "         Please enter the option number you wish to use (Q=Quit):"

  read -n1 choice

#
# Execute commands 0,1 & 2
#
  if  $choice == [012] ]] ; then
    echo
    echo

#
# This is the actual command sent to the BPF_JIT
#
    echo $choice > $FILE
    error_code=$?

#
# Output the result of that BPF_JIT command
#
    if  $error_code -eq 0 ] ; then
      echo "Your command: $choice was sent to $FILE as requested."
      echo
      exit 0
    else
      echo "Your command: $choice was folowed by the Error Code: $error_code, Sorry it did not work!"
      echo
    exit $error_code
    fi
  fi

#
# Execute command Q=quit if requested
#
  if  $choice == [Qq] ]] ; then
    echo
    echo
    exit 0
  fi

done

exit 0

# End Of Script

To use the new script, copy and past the text in the code block above into a text editor and save it into the ~/bin folder as the file jit (/home/yourname/bin/jit). Now, to make the script executable, open a terminal session and run the following command:

chmod +x ~/bin/jit

To use the script, open another terminal session and enter the command:

jit

You must enter the root user password and then you have three options, they are:

 0 - disable the JIT (default value)
 1 - enable the JIT
 2 - enable the JIT and ask the compiler to emit traces on kernel log.

I ask that you please tell me if you are using the Berkeley Packet Filter Just in Time compiler and if you found any of this useful by chance.

Thank You,

Blogs: asroot : Bash : Packet Filter : C.F.U. : GPU’s : fewrup : F.S.M. : H.I. : nVIDIA : LNVHW : N.S.F. : S.A.K.C. : MMCHECK
S.A.S.I. : S.C.L.U. : S.G.T.B. : S.K.I.M. : S.L.A.V.E. : S.L.R.C. : S.T.A.R.T. : S.U.F.F. : SYSEdit : systemd : YaST Power

please_try_again · December 2, 2011, 2:51pm

Humm … I use pf (packet filter) for years on my openBSD firewalls. I guess that’s what is meant here (after taking a quick look at the articles linked … somewhere). It’s simply excellent. I don’t say my firewall are excellent, but pf is something I wouldn’t trade for iptables for all the tea in China.

just found this article, James, while looking for another one.

jdmcdaniel3 · December 2, 2011, 11:34pm

[QUOTE=please_try_again;bt271]Humm … I use pf (packet filter) for years on my openBSD firewalls. I guess that’s what is meant here (after taking a quick look at the articles linked … somewhere). It’s simply excellent. I don’t say my firewall are excellent, but pf is something I wouldn’t trade for iptables for all the tea in China.

just found this article, James, while looking for another one.[/QUOTE]

So, this was added with kernel 3.0 and so if you are using pf, you should be able to take advantage of this feature when enabled. I assume it continues into kernel 3.1 as well included with openSUSE 12.1. You should give us an example of how you are using the pf and if you have tried this example. It would be of great help to this article.

Thank You,

please_try_again · December 3, 2011, 2:15am

I use pf on openBSD routers like others use iptables on Linux. pf is well documented on openBSD’s site: http://nomz.net/faq/pf. I should say that I have been spending way too much time fighting with Linux distros in the couple past years at the expense of my BSD projects (but I got to know you guys, so it wasn’t that bad after all ;)). I haven’t updated my firewalls for so long … I won’t tell.

Basically, you write pf rules - like iptables nat but more efficient - load/unload/modify them on the fly. For example, if you want to let somebody in (allow him to use a specific service on a specific port), you would just add his IP to a table. You can also perform efficient quiewing by reserving a percentage of the bandwith for services like VOIP … although it might get very tricky. If the Linux kernel has now pf support, you would need a utility to communicate with the packet filter device. I don’t know if such program now exists on Linux or how pf is implemented otherwise and what makes use of it. Under openBSD, the command pfctl takes care of that: http://resin.csoft.net/cgi-bin/man.cgi?section=8&topic=pfctl