From 3bc0a990e2f0fd1a2e3986293de530ae1d24bb28 Mon Sep 17 00:00:00 2001
From: dmachard <5562930+dmachard@users.noreply.github.com>
Date: Sun, 10 Dec 2023 22:14:15 +0100
Subject: [PATCH] regex support

---
 config.yml          |  4 +++-
 dnsutils/message.go | 30 +++++++++++++++++++++++-------
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/config.yml b/config.yml
index f4d9dc6c..0f41034a 100644
--- a/config.yml
+++ b/config.yml
@@ -95,7 +95,9 @@ pipelines:
     dnsmessage:
       matching:
         include:
-          dnstap.operation: "CLIENT_QUERY"
+          dns.flags.ad: true
+          #dnstap.operation: "CLIENT_QUERY"
+          dnstap.operation: "CLIENT_Q*"
       policy: "drop-unmatched" #passthrough
     routes: [ log-queries ]
 
diff --git a/dnsutils/message.go b/dnsutils/message.go
index 104f8646..7326ddc2 100644
--- a/dnsutils/message.go
+++ b/dnsutils/message.go
@@ -840,32 +840,48 @@ func (dm *DNSMessage) Flatten() (ret map[string]interface{}, err error) {
 
 func (dm *DNSMessage) Matching(matching map[string]interface{}) (error, bool) {
 
+	if len(matching) == 0 {
+		return nil, false
+	}
+
 	dmValue := reflect.ValueOf(dm)
 
 	if dmValue.Kind() == reflect.Ptr {
 		dmValue = dmValue.Elem()
 	}
 
+	var isMatch = true
+
 	for nestedKeys, value := range matching {
 
-		fieldValue, found := getFieldByJSONTagV2(dmValue, nestedKeys)
+		fieldValue, found := getFieldByJSONTag(dmValue, nestedKeys)
 		if !found {
 			fmt.Printf("pattern '%s' does not exist in the DNSMessage structure\n", nestedKeys)
 			return nil, false
 		}
 
-		if reflect.DeepEqual(value, fieldValue.Interface()) {
-			return nil, true
+		reflectedValue := reflect.ValueOf(value)
+
+		// regex support for string
+		if reflectedValue.Kind() == reflect.String {
+			pattern := regexp.MustCompile(reflectedValue.Interface().(string))
+			if !pattern.MatchString(fieldValue.Interface().(string)) {
+				isMatch = false
+				break
+			}
 		} else {
-			return nil, false
+			if value != fieldValue.Interface() {
+				isMatch = false
+				break
+			}
 		}
 
 	}
 
-	return nil, false
+	return nil, isMatch
 }
 
-func getFieldByJSONTagV2(value reflect.Value, nestedKeys string) (reflect.Value, bool) {
+func getFieldByJSONTag(value reflect.Value, nestedKeys string) (reflect.Value, bool) {
 	listKeys := strings.SplitN(nestedKeys, ".", 2)
 
 	for j, jsonKey := range listKeys {
@@ -878,7 +894,7 @@ func getFieldByJSONTagV2(value reflect.Value, nestedKeys string) (reflect.Value,
 			if tag == jsonKey {
 				// Recursively check nested fields if the current field is a struct
 				if field.Type.Kind() == reflect.Struct {
-					if fieldValue, found := getFieldByJSONTagV2(value.Field(i), listKeys[j+1]); found {
+					if fieldValue, found := getFieldByJSONTag(value.Field(i), listKeys[j+1]); found {
 						return fieldValue, true
 					}
 				} else {