Re: Filter/Parse NETLINK_KOBJECT_UEVENT Messages

On Tue, Sep 14, 2021 at 4:08 AM Ryan McClue <re.mcclue@xxxxxxxxxxxxxx> wrote:
> I understand this is slightly off-topic, but I'm completely new to BPF. Analyzing libudev source and Internet I understand the general idea. However, I don't understand how information/what information is passed to the filter from the socket. For example, in my case the socket payload, i.e. buf_str = add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0/input/input38/event14
> 1. How do I pass this string to the sock_filter/sock_fprog structures?

As far as I know – you don't. Once you attach the filter to the socket, it automatically gets invoked with each packet's payload as the input (whatever counts as "input" for BPF, I'm not entirely sure), and you don't need to pass anything anywhere manually.

Note that this is not eBPF but the traditional cBPF that's used e.g. by tcpdump/libpcap.
 
> 2. Is a correct way of filtering these to implement string parsing to check for '/event' sub-string in BPF bytecode?

See sd_device_monitor_filter_update() in src/libsystemd/sd-device/device-monitor.c (nowadays, sd-device has all the interesting code, while libudev is a thin wrapper around it).

--
Mantas Mikulėnas
