2

I was looking at the different types of BPF program, and noticed that for different program types the context is being passed differently.

Example:

  1. For program type BPF_PROG_TYPE_SOCK_OPS, an object of type struct bpf_sock_ops_kern is passed. However, the BPF program of this type takes a reference to struct bpf_sock_ops. Why is it done this way and where is the "translation" from bpf_sock_ops_kern to bpf_sock_ops?

  2. For program type BPF_PROG_TYPE_CGROUP_SKB, an object of type struct sk_buff is passed (e.g., in __cgroup_bpf_run_filter_skb), but the BPF program expects a minimized version, struct __sk_buff.

So I looked at the struct bpf_verifier_ops function callbacks, but they seem to only adjust the offsets in BPF instructions, as they are called by the BPF verifier.

I'd be glad if someone could shed light on how the BPF context is defined. Thanks.

4

1 Answer

3

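The mirror objects passed as arguments (e.g., struct bpf_sock_ops) expose a subset of the original object's fields to the BPF program. The mirror structure can also have fields from several different original structures; in that case, the mirror object serves as an aggregate. Passing the original object to the BPF program would also be misleading, as users may think they have access to all fields. For example, they could think they have access to bpf_sock_ops_kern.sk, when that is actually not the case.

The verifier then converts accesses to the mirror object into accesses to the original object, before the program is executed for the first time. There is a conversion function for each type of mirror object (e.g., sock_ops_convert_ctx_access for the conversion of accesses to struct bpf_sock_ops). Then, for each field of the mirror object (i.e., for each offset), the conversion function rewrites the load or store instruction with the offset to the original field.

Note that all original fields might not be in the same object. For example, in the mirror object struct bpf_sock_ops, fields op and family are respectively retrieved in bpf_sock_ops_kern.op and bpf_sock_ops_kern.sk->skc_family.

Answered 2018-03-06T10:26:00.327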
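The rewrite described in the answer above, as an added user-space sketch that is not part of the original answer and is not kernel code: the structs, the `load` instruction and all function names are simplified assumptions, and only the op and family mapping comes from the answer. Any offset without a conversion is rejected, which is what keeps unexposed fields out of reach.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not the kernel's real layouts. */
struct mirror_ops { uint32_t op; uint32_t family; };   /* what the program sees */
struct k_sock     { uint16_t skc_family; };            /* second original object */
struct k_ops      { struct k_sock *sk; uint8_t op; };  /* first original object */

/* Toy load instruction: value = *(size bytes)(base + off). */
struct load { size_t off; size_t size; };

/* Toy counterpart of a convert_ctx_access callback: map one mirror-field
 * offset to the load(s) on the original objects. Returns the number of
 * loads emitted, or -1 for an offset the mirror struct does not expose. */
int convert_ctx_access(size_t mirror_off, struct load out[2])
{
    switch (mirror_off) {
    case offsetof(struct mirror_ops, op):
        out[0] = (struct load){ offsetof(struct k_ops, op), sizeof(uint8_t) };
        return 1;
    case offsetof(struct mirror_ops, family):
        /* Two steps: load the sk pointer, then the field behind it. */
        out[0] = (struct load){ offsetof(struct k_ops, sk), sizeof(struct k_sock *) };
        out[1] = (struct load){ offsetof(struct k_sock, skc_family), sizeof(uint16_t) };
        return 2;
    default:
        return -1;
    }
}

/* Execute the rewritten loads against the original context object. */
uint64_t run_loads(const void *ctx, const struct load *l, int n)
{
    const unsigned char *base = ctx;
    uint64_t val = 0;
    for (int i = 0; i < n; i++) {
        val = 0;
        memcpy(&val, base + l[i].off, l[i].size);  /* little-endian host assumed */
        if (i + 1 < n)                             /* loaded value is the next base */
            base = (const unsigned char *)(uintptr_t)val;
    }
    return val;
}

/* Read a mirror field the way a rewritten program would; -1 if rejected. */
int64_t read_mirror_field(const struct k_ops *ctx, size_t mirror_off)
{
    struct load l[2];
    int n = convert_ctx_access(mirror_off, l);
    return n < 0 ? -1 : (int64_t)run_loads(ctx, l, n);
}
```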