bpf, doc: improve sysctl knob description

Current context speaking of tcpdump filters is out of date these days, so lets improve the sysctl description for the BPF knobs a bit. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Daniel Borkmann <daniel@iogearbox.net> 2017-08-18 11:11:06 -0400
committer: David S. Miller <davem@davemloft.net> 2017-08-18 14:00:41 -0400
commit: 2110ba58303f0c2a03360c5f81fbe67ed312e7b9 (patch)
tree: ed5b08bc788e8d52ef9fd9d91735444b088cbfa4
parent: a120d9ab65354727559b9db75ded8071b7ef19e2 (diff)
1 files changed, 23 insertions, 14 deletions
diff --git a/Documentation/sysctl/net.txt b/Documentation/sysctl/net.txt
index b9c3c6078010..d7c2b88b92ae 100644
--- a/Documentation/sysctl/net.txt
+++ b/Documentation/sysctl/net.txt
@@ -35,23 +35,32 @@ Table : Subdirectories in /proc/sys/net
 bpf_jit_enable
 --------------
-This enables Berkeley Packet Filter Just in Time compiler.
+This enables the BPF Just in Time (JIT) compiler. BPF is a flexible
+and efficient infrastructure allowing to execute bytecode at various
-There are two flavors of JIT, the new eBPF JIT supported on:
+hook points. It is used in a number of Linux kernel subsystems such
+as networking (e.g. XDP, tc), tracing (e.g. kprobes, uprobes, tracepoints)
+and security (e.g. seccomp). LLVM has a BPF back end that can compile
+restricted C into a sequence of BPF instructions. After program load
+through bpf(2) and passing a verifier in the kernel, a JIT will then
+translate these BPF proglets into native CPU instructions. There are
+two flavors of JITs, the newer eBPF JIT currently supported on:
  - x86_64
  - arm64
  - ppc64
  - sparc64
  - mips64
-And the older cBPF JIT supported on:
+And the older cBPF JIT supported on the following archs:
  - arm
  - mips
  - ppc
  - sparc
-The BPF JIT provides a framework to speed packet filtering, the one used by
+eBPF JITs are a superset of cBPF JITs, meaning the kernel will
-tcpdump/libpcap for example.
+migrate cBPF instructions into eBPF instructions and then JIT
+compile them transparently. Older cBPF JITs can only translate
+tcpdump filters, seccomp rules, etc, but not mentioned eBPF
+programs loaded through bpf(2).
 Values :
        0 - disable the JIT (default value)
@@ -61,9 +70,9 @@ Values :
 bpf_jit_harden
 --------------
-This enables hardening for the Berkeley Packet Filter Just in Time compiler.
+This enables hardening for the BPF JIT compiler. Supported are eBPF
-Supported are eBPF JIT backends. Enabling hardening trades off performance,
+JIT backends. Enabling hardening trades off performance, but can
-but can mitigate JIT spraying.
+mitigate JIT spraying.
 Values :
        0 - disable JIT hardening (default value)
        1 - enable JIT hardening for unprivileged users only
@@ -72,11 +81,11 @@ Values :
 bpf_jit_kallsyms
 ----------------
-When Berkeley Packet Filter Just in Time compiler is enabled, then compiled
+When BPF JIT compiler is enabled, then compiled images are unknown
-images are unknown addresses to the kernel, meaning they neither show up in
+addresses to the kernel, meaning they neither show up in traces nor
-traces nor in /proc/kallsyms. This enables export of these addresses, which
+in /proc/kallsyms. This enables export of these addresses, which can
-can be used for debugging/tracing. If bpf_jit_harden is enabled, this feature
+be used for debugging/tracing. If bpf_jit_harden is enabled, this
-is disabled.
+feature is disabled.
 Values :
        0 - disable JIT kallsyms export (default value)
        1 - enable JIT kallsyms export for privileged users only
author	Daniel Borkmann <daniel@iogearbox.net>	2017-08-18 11:11:06 -0400
committer	David S. Miller <davem@davemloft.net>	2017-08-18 14:00:41 -0400
commit	2110ba58303f0c2a03360c5f81fbe67ed312e7b9 (patch)
tree	ed5b08bc788e8d52ef9fd9d91735444b088cbfa4
parent	a120d9ab65354727559b9db75ded8071b7ef19e2 (diff)

diff --git a/Documentation/sysctl/net.txt b/Documentation/sysctl/net.txt index b9c3c6078010..d7c2b88b92ae 100644 --- a/Documentation/sysctl/net.txt +++ b/Documentation/sysctl/net.txt
@@ -35,23 +35,32 @@ Table : Subdirectories in /proc/sys/net
35	bpf_jit_enable	35	bpf_jit_enable
36	--------------	36	--------------
37		37
38	This enables Berkeley Packet Filter Just in Time compiler.	38	This enables the BPF Just in Time (JIT) compiler. BPF is a flexible
39		39	and efficient infrastructure allowing to execute bytecode at various
40	There are two flavors of JIT, the new eBPF JIT supported on:	40	hook points. It is used in a number of Linux kernel subsystems such
		41	as networking (e.g. XDP, tc), tracing (e.g. kprobes, uprobes, tracepoints)
		42	and security (e.g. seccomp). LLVM has a BPF back end that can compile
		43	restricted C into a sequence of BPF instructions. After program load
		44	through bpf(2) and passing a verifier in the kernel, a JIT will then
		45	translate these BPF proglets into native CPU instructions. There are
		46	two flavors of JITs, the newer eBPF JIT currently supported on:
41	- x86_64	47	- x86_64
42	- arm64	48	- arm64
43	- ppc64	49	- ppc64
44	- sparc64	50	- sparc64
45	- mips64	51	- mips64
46		52
47	And the older cBPF JIT supported on:	53	And the older cBPF JIT supported on the following archs:
48	- arm	54	- arm
49	- mips	55	- mips
50	- ppc	56	- ppc
51	- sparc	57	- sparc
52		58
53	The BPF JIT provides a framework to speed packet filtering, the one used by	59	eBPF JITs are a superset of cBPF JITs, meaning the kernel will
54	tcpdump/libpcap for example.	60	migrate cBPF instructions into eBPF instructions and then JIT
		61	compile them transparently. Older cBPF JITs can only translate
		62	tcpdump filters, seccomp rules, etc, but not mentioned eBPF
		63	programs loaded through bpf(2).
55		64
56	Values :	65	Values :
57	0 - disable the JIT (default value)	66	0 - disable the JIT (default value)
@@ -61,9 +70,9 @@ Values :
61	bpf_jit_harden	70	bpf_jit_harden
62	--------------	71	--------------
63		72
64	This enables hardening for the Berkeley Packet Filter Just in Time compiler.	73	This enables hardening for the BPF JIT compiler. Supported are eBPF
65	Supported are eBPF JIT backends. Enabling hardening trades off performance,	74	JIT backends. Enabling hardening trades off performance, but can
66	but can mitigate JIT spraying.	75	mitigate JIT spraying.
67	Values :	76	Values :
68	0 - disable JIT hardening (default value)	77	0 - disable JIT hardening (default value)
69	1 - enable JIT hardening for unprivileged users only	78	1 - enable JIT hardening for unprivileged users only
@@ -72,11 +81,11 @@ Values :
72	bpf_jit_kallsyms	81	bpf_jit_kallsyms
73	----------------	82	----------------
74		83
75	When Berkeley Packet Filter Just in Time compiler is enabled, then compiled	84	When BPF JIT compiler is enabled, then compiled images are unknown
76	images are unknown addresses to the kernel, meaning they neither show up in	85	addresses to the kernel, meaning they neither show up in traces nor
77	traces nor in /proc/kallsyms. This enables export of these addresses, which	86	in /proc/kallsyms. This enables export of these addresses, which can
78	can be used for debugging/tracing. If bpf_jit_harden is enabled, this feature	87	be used for debugging/tracing. If bpf_jit_harden is enabled, this
79	is disabled.	88	feature is disabled.
80	Values :	89	Values :
81	0 - disable JIT kallsyms export (default value)	90	0 - disable JIT kallsyms export (default value)
82	1 - enable JIT kallsyms export for privileged users only	91	1 - enable JIT kallsyms export for privileged users only