[systemd-devel] Filter/Parse NETLINK_KOBJECT_UEVENT Messages

Mantas Mikulėnas grawity at gmail.com
Tue Sep 14 05:28:33 UTC 2021


On Tue, Sep 14, 2021 at 4:08 AM Ryan McClue <re.mcclue at protonmail.com>
wrote:

> I understand this is slightly off-topic, but I'm completely new to BPF.
> Analyzing the libudev source and the Internet, I understand the general idea.
> However, I don't understand how information/what information is passed to
> the filter from the socket. For example, in my case the socket payload,
> i.e. buf_str =
> *add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0/input/input38/event14*
> 1. How do I pass this string to the *sock_filter/sock_fprog* structures?
>

As far as I know – you don't. Once you attach the filter to the socket, it
automatically gets invoked with each packet's payload as the input
(whatever counts as "input" for BPF, I'm not entirely sure), and you don't
need to pass anything anywhere manually.

Note that this is not eBPF but the traditional cBPF that's used e.g. by
tcpdump/libpcap.


> 2. Is a correct way of filtering these to implement string parsing to
> check for '/event' sub-string in BPF bytecode?
>

See sd_device_monitor_filter_update() in
src/libsystemd/sd-device/device-monitor.c (nowadays, sd-device has all the
interesting code, while libudev is a thin wrapper around it).

-- 
Mantas Mikulėnas