Linux Kernel and BPF random opcode
In this post I'll cover the BPF random opcode. It is extremely useful because it lets us randomise the behaviour of otherwise fully deterministic BPF programs. I'll also try to find out which kernel release first included this new opcode.
You may be familiar with the great technology called BPF, or you may have heard about eBPF, which is a significantly more flexible version of good old BPF built on exactly the same idea.
What is it? Briefly, it's a very small program (well, not entirely true for eBPF) that uses a very limited subset of possible operations (think of it as an assembler with a few dozen allowed instructions).
Thanks to these constraints, such small programs run extremely fast, and you can even apply them to every single network packet arriving at your Linux machine.
Any attempt to process every single packet in user space is extremely tricky and resource intensive. Because of BPF's safety guarantees, these micro programs can run in kernel space, where the same work is done extremely efficiently.
These micro programs can discard some of the traffic coming towards our machine. To do that they need to be attached to a socket with setsockopt using the SO_ATTACH_FILTER option.
What is the big deal with the random opcode? Typically, BPF micro programs are completely deterministic: we can read the VLAN tag or the port number and drop the packet if it is of no interest to us.
The random opcode lets us implement an extremely powerful mechanism called sampling, which is very useful for network analytics and DDoS attack prevention.
It was added in the patch series "[PATCH v2] filter: added BPF random opcode", which was sent around 21 Apr 2014.
I spent some time finding the commit that carries all the logic; you can find it here.
Then I used a git trick to find out which kernel release included it:
git describe --contains 4cd3675ebf74
v3.16-rc1~27^2~341
Finally, we can confirm that the documentation for the random opcode is here.
Fortunately, the majority of currently supported Linux distributions ship fresher kernels.
Should I mention CentOS 7 with kernel 3.10? Apparently it's still popular among some customers.