Netdev 0x14 - Linux Network Scripting with Lua смотреть онлайн

Speakers: Lourival Vieira Neto, Victor Nogueira, Ana Lúcia de Moura, Roberto Ierusalimschy

More info: https://netdevconf.info/0x14/session.html?talk-linux-network-scripting-with-lua

Date: Thursday, August 20, 2020

If you thought that eBPF is the only approach to extend the kernel,
think again. In this talk, Lourival Vieira Neto et al describe a framework,
Lunatik, which facilitates dynamically injecting Lua scripts into the kernel
to extend kernel mechanisms.

Some context:

what is Lua?
1) It is a scripting language that is very widely deployed as an embededable
_extension language_. Game programming in particular predominantly uses it for
extensions. Openwrt uses it as config language and there are many others
listed here: https://en.wikipedia.org/wiki/List_of_applications_using_Lua.
Wide deployment means it has seen exposure in many environments.
2) It is a tiny language (the whole language is about 200KB) that is
designed to be easy to embed - in particular in C
3) It is considered relatively secure. Despite the wide deployment
over many years there have been very few CVEs reported against Lua in
more than a decade. See:
https://www.cvedetails.com/product/28436/LUA-LUA.html?vendor_id=13641).

Why scripting?
The simple answer to this question is to compare a compiler driven
approach (think C) vs a scripting language(think Bash or python).
The former requires a complex development environment (think eBPF needing
latest clang, gcc, correct libbpf, etc) while the later provides faster
turnarounds to development and deployment (you need a kernel with the Lua
VM but not much after that in terms of tooling) and of course,
a much simpler and stable ABI. Script based execution is often not
as performant but often more usable relatively speaking.

And back to the talk...
The Lunatik framework has rich coverage across different kernel hooks and has
been used to script different Linux subsystems such as CPUfreq, Sockets, RCU,
ULP, Netfilter, and now XDP. Lunatik has been around for a while, just not
upstreamed - and to give a little sample space of its deployment: NFLua is
currently deployed _in production used in over 20 million home routers_!

You dont want a rogue script kill your kernel and system.
Lourival et al will discuss the challenges and approach taken in allowing
script injection into the kernel while still maintaining correctness,
isolation, and liveness.
They will then describe NFLua and introduce XPDLua, which allows
users to extend XDP with Lua. XDPLua aims to replace NFLua.
The authors will detail how Lua can be used within XDP:
as a standalone to directly invoke currently exposed eBPF helpers or
alternatively have eBPF programs invoke Lua scripts.

And last but not least: Lourival et al will provide perf comparison data for
packet filtering between with Iptables, eBPF, NFLua and XDPLua.