Commit
Add an indexable ruleset that can split filters by ruleset/evttype
Now that custom rules loading implementations (and related, custom rulesets) can be swapped into falco in a customizable way, there is some functionality in evttype_index_ruleset that could be used by other rulesets, specifically the part that segregates filters by ruleset and enables/disables filters based on name substring + tags.

To allow for this, create a new template indexable_ruleset<class filter_wrapper> which derives from filter_ruleset and segregates the filter_wrappers by ruleset. It also optionally segregates filter_wrappers by event type.

The filter_wrapper class is an object that can return a name, tags, and sc/event codes.

The main interfaces for classes that derive from indexable_ruleset are:

- add_wrapper(), which provides a filter_wrapper to the indexable_ruleset. This is generally called from add()/add_compile_output(), which must be implemented by the derived class.
- run_wrappers(), which must be implemented by the derived class and is called for event processing.

Most of the methods required by filter_ruleset are implemented by indexable_ruleset and do not need to be implemented by the derived class.

Signed-off-by: Mark Stemm <[email protected]>
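The design the commit message describes, as an added sketch that is not Falco's code and not taken from this commit: a template base that indexes wrappers per ruleset and per event type, toggles them by name substring or tag, and leaves only run_wrappers() to the derived class. The names demo_wrapper, indexable_ruleset_sketch, demo_ruleset, enable(), enable_tags(), run() and the int ruleset/event ids are assumptions made for the illustration.

```cpp
// Added sketch, not Falco's code: names follow the commit message, signatures are assumed.
#include <map>
#include <memory>
#include <set>
#include <string>
#include <vector>
// Stands in for filter_wrapper; empty event_codes means "every event type".
struct demo_wrapper { std::string name; std::set<std::string> tags; std::set<int> event_codes; };

template <class W> class indexable_ruleset_sketch {
public:
    using ptr = std::shared_ptr<W>;
    virtual ~indexable_ruleset_sketch() = default;
    void add_wrapper(ptr w) { m_all.push_back(std::move(w)); }
    // Enable or disable, in one ruleset, wrappers whose name contains `substr`.
    void enable(const std::string& substr, bool on, int rs) {
        for (auto& w : m_all) if (w->name.find(substr) != std::string::npos) index(w, on, rs);
    }
    // Same, selecting wrappers that carry at least one of `tags`.
    void enable_tags(const std::set<std::string>& tags, bool on, int rs) {
        for (auto& w : m_all)
            for (auto& t : tags)
                if (w->tags.count(t)) { index(w, on, rs); break; }
    }
    // Event path: hand the derived class only the buckets for (ruleset, event type).
    bool run(int evt, int rs) {
        std::vector<ptr> hit(m_by_evt[rs][evt].begin(), m_by_evt[rs][evt].end());
        hit.insert(hit.end(), m_any_evt[rs].begin(), m_any_evt[rs].end());
        return run_wrappers(evt, hit);
    }
protected:
    virtual bool run_wrappers(int evt, const std::vector<ptr>& ws) = 0;
private:
    void index(const ptr& w, bool on, int rs) {
        auto put = [&](std::set<ptr>& s) { if (on) s.insert(w); else s.erase(w); };
        if (w->event_codes.empty()) put(m_any_evt[rs]);
        for (int e : w->event_codes) put(m_by_evt[rs][e]);
    }
    std::vector<ptr> m_all;                                // every wrapper ever added
    std::map<int, std::map<int, std::set<ptr>>> m_by_evt;  // ruleset -> event type -> enabled
    std::map<int, std::set<ptr>> m_any_evt;                // ruleset -> enabled for all events
};
// Derived class: only the evaluation step is its own; here it records what it was offered.
struct demo_ruleset : indexable_ruleset_sketch<demo_wrapper> {
    std::vector<std::string> seen;  // names offered on the last run()
    bool run_wrappers(int, const std::vector<ptr>& ws) override {
        seen.clear();
        for (auto& w : ws) seen.push_back(w->name);
        return !ws.empty();
    }
};
```

In this sketch an empty substring matches every wrapper, so a caller that builds the selector from configuration should check it before calling enable() with `on` set to false.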