Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

new(userspace/engine): generalize indexable ruleset #3251

Merged
merged 2 commits into from
Jun 20, 2024

Conversation

mstemm
Copy link
Contributor

@mstemm mstemm commented Jun 13, 2024

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

/kind release

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area build

/area engine

/area tests

/area proposals

/area CI

What this PR does / why we need it:
Now that custom rules loading implementations (and related, custom rulesets) can be swapped into falco in a customizable way, there is some functionality in evttype_index_ruleset that could be used by other rulesets, specifically the part that segregates filters by ruleset and enables/disables filters based on name substring + tags. This PR makes a base class for that. See the commit comments for more details.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:
NO

NONE

Copy link

This PR may bring feature or behavior changes in the Falco engine and may require the engine version to be bumped.

Please double check userspace/engine/falco_engine_version.h file. See versioning for FALCO_ENGINE_VERSION.

/hold

std::string::size_type pos;

switch(match)
std::shared_ptr<wrapper> derived = std::dynamic_pointer_cast<wrapper>(wrap);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A dynamic cast for every rules index bucket, for every event, seems like a bit overkill for performance to me. I like this modularization effort, but can we choose a more performant route? For example, maybe the wrapper type can be a template parameter?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can static_cast it instead, the wrapper will always be the derived type anyway. I switched it to static_cast.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, after a PM with you I switched indexable_ruleset to be a template instead. PTAL.

@FedeDP
Copy link
Contributor

FedeDP commented Jun 18, 2024

/milestone 0.39.0

@poiana poiana added this to the 0.39.0 milestone Jun 18, 2024
@mstemm mstemm force-pushed the generalize-indexable-ruleset branch from 8090801 to c2011ac Compare June 18, 2024 17:26
mstemm added 2 commits June 18, 2024 12:07
Now that custom rules loading implementations (and related, custom
rulesets) can be swapped into falco in a customizable way, there is
some functionality in evttype_index_ruleset that could be used by
other rulesets, specifically the part that segregates filters by
ruleset and enables/disables filters based on name substring + tags.

To allow for this, create a new template indexable_ruleset<class
filter_wrapper> which derives from filter_ruleset and segregates the
filter_wrappers by ruleset. It also optionally segregates
filter_wrappers by event type.

The filter_wrapper class is an object that can return a name, tags,
and sc/event codes.

The main interfaces for classes that derive from indexable_ruleset are:

- add_wrapper(), which provides a filter_wrapper to the
  indexable_ruleset. This is generally called from
  add()/add_compile_output(), which must be implemented by the derived class.
- run_wrappers(), which must be implemented by the derived class and
  is called for event processing.

Most of the methods required by filter_ruleset are implemented by
indexable_ruleset and do not need to be implemented by the derived
class.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Modify evttype_index_ruleset to derive from indexable_ruleset instead
of having its own implementation of segregating filters by ruleset
id/event type.

An evttype_index_wrapper contains a falco rule and filter, and
implements the methods required by the template. run_wrappers()
evaluate the filter as before, without the segregation by ruleset
id/event type.

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
@mstemm mstemm force-pushed the generalize-indexable-ruleset branch from c2011ac to d8a8a59 Compare June 18, 2024 19:12
Copy link
Contributor

@jasondellaluce jasondellaluce left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link
Contributor

poiana commented Jun 19, 2024

LGTM label has been added.

Git tree hash: 2b16ef9e657a42a7641a0972210b87db15b5ec83

Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana
Copy link
Contributor

poiana commented Jun 20, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, jasondellaluce, mstemm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [FedeDP,jasondellaluce,mstemm]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@FedeDP FedeDP changed the title Generalize indexable ruleset new(userspace/engine): generalize indexable ruleset Jun 20, 2024
@FedeDP
Copy link
Contributor

FedeDP commented Jun 20, 2024

/unhold

@poiana poiana merged commit adeca79 into master Jun 20, 2024
35 checks passed
@poiana poiana deleted the generalize-indexable-ruleset branch June 20, 2024 09:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

4 participants