[NetDev-People] 0x14: Moonshot talk, Linux Kernel Network Scripting with Lua

Jamal Hadi Salim jhs at mojatatu.com
Wed Jan 29 15:54:15 UTC 2020

I'll spend a bit more time summarizing this talk because it will no
doubt generate passions in (some) people and curiosity in others.

If you thought that eBPF is the only approach to extend the kernel,
think again. In this talk, Lourival Vieira Neto et al describe a
framework, Lunatik, which facilitates dynamically injecting Lua scripts
into the kernel to extend kernel mechanisms.

Some context:

what is Lua?
1) It is a scripting language that is very widely deployed as an
embededable _extension language_. Game programming in particular
predominantly uses it for extensions. Openwrt uses it as config
language and there are many others listed here:
Wide deployment means it has seen exposure in many environments.
The _extension
2) It is a tiny language (the whole language is about 200KB) that is
designed to be easy to embed - in particular in C
3) It is considered relatively secure. Despite the wide deployment
over many years there have been very few CVEs reported against Lua in
more than a decade. See:

Why scripting?
Extending kernels with scripts is nothing new. But:
The simple answer to this question is to compare a compiler driven
approach (think C) vs a scripting language(think Bash or python).
The former requires a complex development environment (think eBPF
needing latest clang, gcc, correct libbpf, etc) while the later
provides faster turnarounds to development and deployment (you need
a kernel with the Lua VM but not much after that in terms of tooling)
and of course, a much simpler and stable ABI. Script based execution
is often not as performant but often more usable relatively speaking.

And back to the talk...
The Lunatik framework has rich coverage across different kernel hooks
and has been used to script different Linux subsystems such as CPUfreq,
Sockets, RCU, ULP, Netfilter, and now XDP. Lunatik has been around for a
while, just not upstreamed - and to give a little sample space of its
deployment: NFLua is currently deployed _in production in over 20
million home routers_!

You dont want a rogue script kill your kernel and system.
Lourival et al will discuss the challenges and approach taken in
allowing script injection into the kernel while still maintaining
correctness, isolation, and liveness.
They will then describe NFLua and introduce XPDLua, which allows
users to extend XDP with Lua. XDPLua aims to replace NFLua.
The authors will detail how Lua can be used within XDP:
as a standalone to directly invoke currently exposed eBPF helpers
or alternatively have eBPF programs invoke Lua scripts.

And last but not least: Lourival et al will provide comparison
performance data  for packet filtering between with Iptables, eBPF,
NFLua and XDPLua.

sounds exciting? Come to the conference, listen, learn, and engage
the speakers!

More info:

Reminder, registration is now open and early bird is still in effect.


More information about the people mailing list