Add ability to clear loaded rules.

Add the ability to clear the set of loaded rules from lua. It simply
recreates the sinsp_evttype_filter instance m_evttype_filter, which is
now a unique_ptr.

userspace/engine/falco_engine.cpp

@@ -49,6 +49,8 @@ falco_engine::falco_engine(bool seed_rng)
 	falco_common::init(m_lua_main_filename.c_str(), FALCO_ENGINE_SOURCE_LUA_DIR);
 	falco_rules::init(m_ls);
 
+	m_evttype_filter.reset(new sinsp_evttype_filter());
+
 	if(seed_rng)
 	{
 		srandom((unsigned) getpid());
@@ -107,7 +109,7 @@ void falco_engine::load_rules_file(const string &rules_filename, bool verbose, b
 
 void falco_engine::enable_rule(string &pattern, bool enabled)
 {
-	m_evttype_filter.enable(pattern, enabled);
+	m_evttype_filter->enable(pattern, enabled);
 }
 
 unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev)
@@ -118,7 +120,7 @@ unique_ptr<falco_engine::rule_result> falco_engine::process_event(sinsp_evt *ev)
 		return unique_ptr<struct rule_result>();
 	}
 
-	if(!m_evttype_filter.run(ev))
+	if(!m_evttype_filter->run(ev))
 	{
 		return unique_ptr<struct rule_result>();
 	}
@@ -183,7 +185,12 @@ void falco_engine::add_evttype_filter(string &rule,
 				      list<uint32_t> &evttypes,
 				      sinsp_filter* filter)
 {
-	m_evttype_filter.add(rule, evttypes, filter);
+	m_evttype_filter->add(rule, evttypes, filter);
+}
+
+void falco_engine::clear_filters()
+{
+	m_evttype_filter.reset(new sinsp_evttype_filter());
 }
 
 void falco_engine::set_sampling_ratio(uint32_t sampling_ratio)

userspace/engine/falco_engine.h

@@ -19,6 +19,7 @@ along with falco.  If not, see <http://www.gnu.org/licenses/>.
 #pragma once
 
 #include <string>
+#include <memory>
 
 #include "sinsp.h"
 #include "filter.h"
@@ -84,6 +85,9 @@ public:
 				list<uint32_t> &evttypes,
 				sinsp_filter* filter);
 
+	// Clear all existing filters.
+	void clear_filters();
+
 	//
 	// Set the sampling ratio, which can affect which events are
 	// matched against the set of rules.
@@ -116,7 +120,7 @@ private:
 	inline bool should_drop_evt();
 
 	falco_rules *m_rules;
-        sinsp_evttype_filter m_evttype_filter;
+	std::unique_ptr<sinsp_evttype_filter> m_evttype_filter;
 
 	//
 	// Here's how the sampling ratio and multiplier influence

userspace/engine/rules.cpp

@@ -28,6 +28,7 @@ extern "C" {
 #include "falco_engine.h"
 const static struct luaL_reg ll_falco_rules [] =
 {
+	{"clear_filters", &falco_rules::clear_filters},
 	{"add_filter", &falco_rules::add_filter},
 	{"enable_rule", &falco_rules::enable_rule},
 	{NULL,NULL}
@@ -44,6 +45,24 @@ void falco_rules::init(lua_State *ls)
 	luaL_openlib(ls, "falco_rules", ll_falco_rules, 0);
 }
 
+int falco_rules::clear_filters(lua_State *ls)
+{
+	if (! lua_islightuserdata(ls, -1))
+	{
+		throw falco_exception("Invalid arguments passed to clear_filters()\n");
+	}
+
+	falco_rules *rules = (falco_rules *) lua_topointer(ls, -1);
+	rules->clear_filters();
+
+	return 0;
+}
+
+void falco_rules::clear_filters()
+{
+	m_engine->clear_filters();
+}
+
 int falco_rules::add_filter(lua_State *ls)
 {
 	if (! lua_islightuserdata(ls, -3) ||

userspace/engine/rules.h

@@ -36,10 +36,12 @@ class falco_rules
 	void describe_rule(string *rule);
 
 	static void init(lua_State *ls);
+	static int clear_filters(lua_State *ls);
 	static int add_filter(lua_State *ls);
 	static int enable_rule(lua_State *ls);
 
  private:
+	void clear_filters();
 	void add_filter(string &rule, list<uint32_t> &evttypes);
 	void enable_rule(string &rule, bool enabled);