c - 与套接字相关的 BPF 的“输入”是什么？

问题描述

目前，我正在使用以下代码收听 NETLINK_KOBJECT_UEVENT 消息：

union UeventBuffer {
  struct nlmsghdr netlink_header;
  char raw[8192];
};
int sock = socket(PF_NETLINK, SOCK_RAW | SOCK_NONBLOCK, NETLINK_KOBJECT_UEVENT);

struct sockaddr_nl addr = {};
addr.nl_family = AF_NETLINK;
addr.nl_groups = 1 << 0;
bind(sock, (struct sockaddr *)&addr, sizeof(addr));

UeventBuffer buf = {};
struct iovec iov = {};
iov.iov_base = &buf;
iov.iov_len = sizeof(buf);

struct msghdr msg = {};
struct sockaddr_nl src_addr = {};
msg.msg_name = &src_addr;
msg.msg_namelen = sizeof(src_addr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;

int bytes = recvmsg(sock, &msg, 0);
char *buf_str = buf.raw;
// parse this buf_str ...

示例buf_str是：

add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0/input/input38
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0/input/input38/event14
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0/input/input38/js0
bind@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.1
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.2
bind@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.2
change@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.2

我考虑过使用 BPF 过滤以buf_str结尾/eventXX 但是，我不明白 BPF 的输入是什么。在内核示例中，BPF 指令在哪些数据上运行？我会把它传递buf_str给 BPF 吗？如果是这样，怎么做？

标签： csocketslinux-kernelnetlinkbpf