From: Tom Herbert <t...@herbertland.com> Date: Thu, 9 Feb 2017 18:29:54 -0800
> So we have thousands or LOC coming into drivers every day anyway with > all those properties anyway, so this "restricted" environment solves > at best 1% of the problem. What you must understand is that no matter what someone outside of upstream writes into an eBPF program, it's safe, and we can absolutely prove this with the verifier and the invariants of the execution environment. Real kernel modules have no such restricted scope. This is the fundamental issue. Even if I agreed with you, it's tremendously frustrating that we haven't even touched the surface of what eBPF XDP can do, and yet you're openning the floodgates to something we cannot even prove we need or is required yet. XDP via eBPF in it's current form needs more work and it needs to be fully fleshed out and more user friendly. That's where the effort and engineering resources belong right now. After that you can say "Ok, now we have that just about feature complete, here is the thing that's not possible and that's why we need X" You think you can answer that right now, and I know that it's not true. There is so much that eBPF XDP can do with the right mix of care and helper functions. I actually really see no fundamental limit to what it is capable of doing with the proper design.
