
Currently, I'm listening to NETLINK_KOBJECT_UEVENT messages with the following code:

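// Receive buffer for one uevent datagram. The payload is read through `raw`,
// which starts directly with "action@devpath" (e.g. "add@/devices/...");
// `netlink_header` is kept from the original layout and also gives the buffer
// the alignment of struct nlmsghdr.
union UeventBuffer {
  struct nlmsghdr netlink_header;
  char raw[8192];
};

// Non-blocking raw netlink socket on the kobject-uevent protocol.
int sock = socket(PF_NETLINK, SOCK_RAW | SOCK_NONBLOCK, NETLINK_KOBJECT_UEVENT);

// Subscribe to multicast group 1 (bit 0 of nl_groups).
struct sockaddr_nl addr = {};
addr.nl_family = AF_NETLINK;
addr.nl_groups = 1 << 0;
// Only bind when socket() succeeded; bind_rc stays -1 otherwise so the
// receive below is skipped instead of running on an invalid descriptor.
int bind_rc = (sock >= 0) ? bind(sock, (struct sockaddr *)&addr, sizeof(addr)) : -1;

UeventBuffer buf = {};
struct iovec iov = {};
iov.iov_base = &buf;
// Leave the last byte out of the receive window so the payload can always be
// NUL-terminated, even when a datagram fills the whole window.
iov.iov_len = sizeof(buf) - 1;

// msg_name makes recvmsg() report who sent the datagram in src_addr.
struct msghdr msg = {};
struct sockaddr_nl src_addr = {};
msg.msg_name = &src_addr;
msg.msg_namelen = sizeof(src_addr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;

// The socket is non-blocking: recvmsg() returns -1 when nothing is queued,
// so a negative result is the normal "no event yet" case as well as an error.
int bytes = (bind_rc == 0) ? (int)recvmsg(sock, &msg, 0) : -1;

// buf_str stays null unless the datagram passes every check below, so the
// parser never sees a failed read, a truncated event, or a spoofed sender.
char *buf_str = nullptr;
if (bytes > 0 &&
    !(msg.msg_flags & MSG_TRUNC) &&          // event did not fit: drop it, do not parse a fragment
    msg.msg_namelen == sizeof(src_addr) &&   // sender address was actually filled in
    src_addr.nl_family == AF_NETLINK &&
    src_addr.nl_pid == 0) {                  // port id 0 = kernel; non-zero = a user-space sender
  // NOTE(review): receivers that must not trust user space usually also enable
  // SO_PASSCRED and require uid 0 in the SCM_CREDENTIALS control message.
  buf.raw[bytes] = '\0';
  buf_str = buf.raw;
}
// parse this buf_str ... (only when buf_str is non-null)
// A socket filter added later would only reduce wakeups; keep the sender and
// truncation checks above regardless of any filtering.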

Example buf_str values are:

add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0/input/input38
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0/input/input38/event14
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0/input/input38/js0
bind@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.1
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.2
bind@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4
add@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.2
change@/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.2

I thought about using BPF to filter for buf_str values ending with /eventXX. However, I don't understand what the input to the BPF program is. In the kernel example, what data are the BPF instructions operating on? Would I pass this buf_str to the BPF program? If so, how?
