diff --git a/userspace/engine/falco_load_result.cpp b/userspace/engine/falco_load_result.cpp
index a1c6aad8..7e0f384e 100644
--- a/userspace/engine/falco_load_result.cpp
+++ b/userspace/engine/falco_load_result.cpp
@@ -62,7 +62,7 @@ static const std::string warning_codes[] = {
 "LOAD_UNKNOWN_SOURCE",
 "LOAD_UNSAFE_NA_CHECK",
 "LOAD_NO_EVTTYPE",
- "LOAD_UNKNOWN_FIELD",
+ "LOAD_UNKNOWN_FILTER",
 "LOAD_UNUSED_MACRO",
 "LOAD_UNUSED_LIST",
 "LOAD_UNKNOWN_ITEM"
@@ -77,7 +77,7 @@ static const std::string warning_strings[] = {
 "Unknown event source",
 "Unsafe comparison in condition",
 "Condition has no event-type restriction",
- "Unknown field in condition",
+ "Unknown field or event-type in condition or output",
 "Unused macro",
 "Unused list",
 "Unknown rules file item"
@@ -92,7 +92,7 @@ static const std::string warning_descs[] = {
 "A rule has a unknown event source. This can occur when reading rules content without having a corresponding plugin loaded, etc. The rule will be silently ignored.",
 "Comparing a field value with is unsafe and can lead to unpredictable behavior of the rule condition. If you need to check for the existence of a field, consider using the 'exists' operator instead.",
 "A rule condition matches too many evt.type values. This has a significant performance penalty. Make the condition more specific by adding an evt.type field or further restricting the number of evt.type values in the condition.",
- "A rule condition refers to a field that does not exist. This is normally an error, but if a rule has a skip-if-unknown-filter property, the error is downgraded to a warning.",
+ "A rule condition or output refers to a field or evt.type that does not exist. This is normally an error, but if a rule has a skip-if-unknown-filter property, the error is downgraded to a warning.",
 "A macro is defined in the rules content but is not used by any other macro or rule.",
 "A list is defined in the rules content but is not used by any other list, macro, or rule.",
 "An unknown top-level object is in the rules content. It will be ignored."
diff --git a/userspace/engine/falco_load_result.h b/userspace/engine/falco_load_result.h
index 2827c895..0f831562 100644
--- a/userspace/engine/falco_load_result.h
+++ b/userspace/engine/falco_load_result.h
@@ -50,7 +50,7 @@ public:
 LOAD_UNKNOWN_SOURCE = 0,
 LOAD_UNSAFE_NA_CHECK,
 LOAD_NO_EVTTYPE,
- LOAD_UNKNOWN_FIELD,
+ LOAD_UNKNOWN_FILTER,
 LOAD_UNUSED_MACRO,
 LOAD_UNUSED_LIST,
 LOAD_UNKNOWN_ITEM
diff --git a/userspace/engine/rule_loader_compiler.cpp b/userspace/engine/rule_loader_compiler.cpp
index 6be6b219..9b20ee0b 100644
--- a/userspace/engine/rule_loader_compiler.cpp
+++ b/userspace/engine/rule_loader_compiler.cpp
@@ -375,6 +375,12 @@ void rule_loader::compiler::compile_macros_infos(
 }
 }
+static bool err_is_unknown_type_or_field(const std::string& err)
+{
+ return err.find("nonexistent field") != std::string::npos
+ || err.find("invalid formatting token") != std::string::npos
+ || err.find("unknown event type") != std::string::npos;
+}
 void rule_loader::compiler::compile_rule_infos(
 configuration& cfg,
@@ -433,6 +439,14 @@ void rule_loader::compiler::compile_rule_infos(
 if(!is_format_valid(*cfg.sources.at(r.source), rule.output, err))
 {
+ if (err_is_unknown_type_or_field(err) && r.skip_if_unknown_filter)
+ {
+ cfg.res->add_warning(
+ falco::load_result::load_result::LOAD_UNKNOWN_FILTER,
+ err,
+ r.output_ctx);
+ continue;
+ }
 throw rule_load_exception(
 falco::load_result::load_result::LOAD_ERR_COMPILE_OUTPUT,
 err,
@@ -463,25 +477,20 @@ void rule_loader::compiler::compile_rule_infos(
 // skip_if_unknown_filter is true
 std::string err = e.what();
- if (err.find("nonexistent field") != std::string::npos &&
- r.skip_if_unknown_filter)
+ if (err_is_unknown_type_or_field(err) && r.skip_if_unknown_filter)
 {
 cfg.res->add_warning(
- falco::load_result::load_result::LOAD_UNKNOWN_FIELD,
- e.what(),
+ falco::load_result::load_result::LOAD_UNKNOWN_FILTER,
+ err,
 r.cond_ctx);
+ continue;
 }
- else
- {
- rule_loader::context ctx(compiler.get_pos(),
- condition,
- r.cond_ctx);
- throw rule_loader::rule_load_exception(
- falco::load_result::load_result::LOAD_ERR_COMPILE_CONDITION,
- e.what(),
- ctx);
- }
+ rule_loader::context ctx(compiler.get_pos(), condition, r.cond_ctx);
+ throw rule_loader::rule_load_exception(
+ falco::load_result::load_result::LOAD_ERR_COMPILE_CONDITION,
+ err,
+ ctx);
 }
 // By default rules are enabled/disabled for the default ruleset
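Review bot: `err_is_unknown_type_or_field` decides whether a load error is downgraded to a warning by substring-matching message text that is produced outside this file, and nothing in the helper says where the three strings come from or that they must track the emitter's wording. If that wording changes, the match fails and the rule load errors again, which is the safe direction. The reverse risk is that `"invalid formatting token"` reads broader than an unknown field: if the formatter also emits it for a malformed token (not visible here), a typo in an output string would drop a rule under `skip_if_unknown_filter`. I would add a comment above the helper, for example `// Matches error text emitted by the condition/output compilers; keep in sync with their messages.`, and confirm that string is only produced for unknown fields.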
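Review bot: The added `continue` in the `is_format_valid` failure branch leaves the whole rule out of the ruleset when only its output string fails validation, and the warning carries just the raw `err` text, so nothing in the load result says a detection rule was not loaded. The `warning_descs` entry changed in falco_load_result.cpp also says only that the error is downgraded, not that the rule is skipped. For a detection engine that is a coverage gap that is easy to overlook in load output; I would state it at the branch with `// skip_if_unknown_filter: the rule is not loaded, only a warning is recorded` and add "the rule is skipped" to the description string. The loop body this `continue` belongs to starts and ends outside the hunk.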
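Review bot: The comment ending in `// skip_if_unknown_filter is true` begins above this hunk and presumably still describes the old `"nonexistent field"` test, while the condition below it now goes through `err_is_unknown_type_or_field` and also accepts unknown event types and invalid formatting tokens. I would reword it along the lines of `// Downgrade unknown field/event-type errors to a warning and skip the rule if skip_if_unknown_filter is true`. The `add_warning(LOAD_UNKNOWN_FILTER, err, ...)` plus `continue` pair here repeats the one added in the output branch at -433; a small file-local helper taking the context would keep the two in step. The catch block starts outside the hunk.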