BPF:程序上下文的翻译

BPF: translation of program contexts

我查看了不同类型的 BPF 程序,并注意到对于不同的程序类型,上下文的传递方式不同。

示例:

  1. 对于程序类型 BPF_PROG_TYPE_SOCK_OPS,类型为 struct bpf_sock_ops_kern is passed. However, the BPF program of this type takes a reference to struct bpf_sock_ops 的对象。为什么要这样做,从bpf_sock_ops_kernbpf_sock_ops的"translation"在哪里?

  2. 对于程序类型 BPF_PROG_TYPE_CGROUP_SKB,类型为 struct sk_buff is passed (e.g., in __cgroup_bpf_run_filter_skb), but the BPF program expects a minimized version, struct __sk_buff 的对象。

所以我查看了the struct bpf_verifier_ops function callbacks,但它们似乎只调整 BPF 指令中的偏移量,因为它们被 BPF 验证器调用。

如果有人能阐明 BPF 上下文是如何定义的,我会很高兴。谢谢。

镜像对象(例如,struct bpf_sock_ops) passed as argument expose a subset of the original object(s)'s fields to the BPF program. The mirror structure can also have fields from several different original structures; in that case, the mirror object serves as aggregate. Passing the original object(s) to the BPF program would also be misleading as the user could think they have access to all fields. For example, they could think they have access to bpf_sock_ops_kern.sk 实际情况并非如此。

在程序第一次执行之前,验证器将对镜像对象的访问转换为对原始对象的访问。每种类型的镜像对象都有一个转换函数(例如,sock_ops_convert_ctx_access for the conversion of accesses to struct bpf_sock_ops)。然后,对于镜像对象的每个字段(即对于每个偏移量),转换函数用原始字段的偏移量重写加载或存储指令。

请注意,所有原始字段可能不在同一个对象中。比如在镜像对象中分别struct bpf_sock_ops, the fields op and family are retrieved in bpf_sock_ops_kern.op and bpf_sock_ops_kern.sk->skc_family.