update(userspace/engine): upgrade skip-if-unknown-filter YAML field

Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Jason Dellaluce
2023-08-31 12:32:54 +00:00
committed by poiana
parent cc8d6705f6
commit 901fca2257
3 changed files with 27 additions and 18 deletions


@@ -62,7 +62,7 @@ static const std::string warning_codes[] = {
"LOAD_UNKNOWN_SOURCE",
"LOAD_UNSAFE_NA_CHECK",
"LOAD_NO_EVTTYPE",
"LOAD_UNKNOWN_FIELD",
"LOAD_UNKNOWN_FILTER",
"LOAD_UNUSED_MACRO",
"LOAD_UNUSED_LIST",
"LOAD_UNKNOWN_ITEM"
@@ -77,7 +77,7 @@ static const std::string warning_strings[] = {
"Unknown event source",
"Unsafe <NA> comparison in condition",
"Condition has no event-type restriction",
"Unknown field in condition",
"Unknown field or event-type in condition or output",
"Unused macro",
"Unused list",
"Unknown rules file item"
@@ -92,7 +92,7 @@ static const std::string warning_descs[] = {
"A rule has a unknown event source. This can occur when reading rules content without having a corresponding plugin loaded, etc. The rule will be silently ignored.",
"Comparing a field value with <NA> is unsafe and can lead to unpredictable behavior of the rule condition. If you need to check for the existence of a field, consider using the 'exists' operator instead.",
"A rule condition matches too many evt.type values. This has a significant performance penalty. Make the condition more specific by adding an evt.type field or further restricting the number of evt.type values in the condition.",
"A rule condition refers to a field that does not exist. This is normally an error, but if a rule has a skip-if-unknown-filter property, the error is downgraded to a warning.",
"A rule condition or output refers to a field or evt.type that does not exist. This is normally an error, but if a rule has a skip-if-unknown-filter property, the error is downgraded to a warning.",
"A macro is defined in the rules content but is not used by any other macro or rule.",
"A list is defined in the rules content but is not used by any other list, macro, or rule.",
"An unknown top-level object is in the rules content. It will be ignored."
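Review bot: The new LOAD_UNKNOWN_FILTER description (`A rule condition or output refers to a field or evt.type that does not exist. ... the error is downgraded to a warning.`) tells the reader the error is downgraded but not that the rule is dropped, while the compile_rule_infos hunks of this same commit `continue` past the rule right after `add_warning`, so the rule is never loaded. A rule that is silently skipped is a coverage gap an operator should be able to recognise from the warning text itself, so the description should say so; suggested wording: `This is normally an error, but if the rule has skip-if-unknown-filter set to true, the rule is skipped and the error is downgraded to a warning.` Note also that "has a skip-if-unknown-filter property" reads as presence-only, whereas the code tests the field's value (`r.skip_if_unknown_filter`), so "set to true" is the more accurate phrasing.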


@@ -50,7 +50,7 @@ public:
LOAD_UNKNOWN_SOURCE = 0,
LOAD_UNSAFE_NA_CHECK,
LOAD_NO_EVTTYPE,
LOAD_UNKNOWN_FIELD,
LOAD_UNKNOWN_FILTER,
LOAD_UNUSED_MACRO,
LOAD_UNUSED_LIST,
LOAD_UNKNOWN_ITEM


@@ -375,6 +375,12 @@ void rule_loader::compiler::compile_macros_infos(
}
}
static bool err_is_unknown_type_or_field(const std::string& err)
{
return err.find("nonexistent field") != std::string::npos
|| err.find("invalid formatting token") != std::string::npos
|| err.find("unknown event type") != std::string::npos;
}
void rule_loader::compiler::compile_rule_infos(
configuration& cfg,
@@ -433,6 +439,14 @@ void rule_loader::compiler::compile_rule_infos(
if(!is_format_valid(*cfg.sources.at(r.source), rule.output, err))
{
if (err_is_unknown_type_or_field(err) && r.skip_if_unknown_filter)
{
cfg.res->add_warning(
falco::load_result::load_result::LOAD_UNKNOWN_FILTER,
err,
r.output_ctx);
continue;
}
throw rule_load_exception(
falco::load_result::load_result::LOAD_ERR_COMPILE_OUTPUT,
err,
@@ -463,26 +477,21 @@ void rule_loader::compiler::compile_rule_infos(
// skip_if_unknown_filter is true
std::string err = e.what();
if (err.find("nonexistent field") != std::string::npos &&
r.skip_if_unknown_filter)
if (err_is_unknown_type_or_field(err) && r.skip_if_unknown_filter)
{
cfg.res->add_warning(
falco::load_result::load_result::LOAD_UNKNOWN_FIELD,
e.what(),
falco::load_result::load_result::LOAD_UNKNOWN_FILTER,
err,
r.cond_ctx);
continue;
}
else
{
rule_loader::context ctx(compiler.get_pos(),
condition,
r.cond_ctx);
rule_loader::context ctx(compiler.get_pos(), condition, r.cond_ctx);
throw rule_loader::rule_load_exception(
falco::load_result::load_result::LOAD_ERR_COMPILE_CONDITION,
e.what(),
err,
ctx);
}
}
// By default rules are enabled/disabled for the default ruleset
if(r.enabled)