Add tests catchall order (#355)

* Only check whole rule names when matching counts Tweak the regex so a rule my_great_rule doesn't pick up event counts for a rule "great_rule: nnn". * Add ability to skip evttype warnings for rules A new attribute warn_evttypes, if present, suppresses printing warnings related to a rule not matching any event type. Useful if you have a rule where not including an event type is intentional. * Add test for preserving rule order Test the fix for https://github.com/draios/falco/issues/354. A rules file has a event-specific rule first and a catchall rule second. Without the changes in https://github.com/draios/sysdig/pull/1103, the first rule does not match the event.
2025-10-12 22:32:05 +00:00 · 2018-04-19 09:31:20 -07:00
parent b6b490e26e
commit e922a849a9
5 changed files with 48 additions and 16 deletions
--- a/userspace/engine/lua/rule_loader.lua
+++ b/userspace/engine/lua/rule_loader.lua
@@ -373,8 +373,14 @@ function load_rules(rules_content, rules_mgr, verbose, all_events, extra, replac

      local v = state.rules_by_name[name]

+      warn_evttypes = true
+      if v['warn_evttypes'] ~= nil then
+	 warn_evttypes = v['warn_evttypes']
+      end
+
      local filter_ast, evttypes, syscallnums = compiler.compile_filter(v['rule'], v['condition'],
-								     state.macros, state.lists)
+									state.macros, state.lists,
+									warn_evttypes)

      if (filter_ast.type == "Rule") then
 	 state.n_rules = state.n_rules + 1